Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable 博客

订阅

網路安全快照: NIST’s Cybersecurity Framework Gets Major Update, as Advisories on APT29 and ALPHV Blackcat Get Rolled Out

NIST’s Cybersecurity Framework Gets Major Update, as Advisories on APT29 and ALPHV Blackcat Get Rolled Out

Check out what’s new in NIST’s makeover of its Cybersecurity Framework. Plus, the latest guidance on cyberattack groups APT29 and ALPHV Blackcat. Also, how to assess the cybersecurity capabilities of a generative AI LLM. And the most prevalent malware in Q4. 更多内容不一一列举!

Dive into six things that are top of mind for the week ending March 1.

1 - NIST’s Cybersecurity Framework 2.0 places stronger emphasis on governance, features broader scope

The much awaited revamping of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) is finally here. 

After a years-long revision process, NIST this week rolled out version 2.0 of the CSF, which is broadly used by organizations to assess, manage and reduce their cybersecurity risks. It’s the first major update to the CSF since version 1.0 came out in 2014.

Key changes from CSF 1.1, released in 2018, include an expanded scope beyond critical infrastructure; stronger emphasis on governance; and more guidance, tools and resources to facilitate its implementation.

Regarding its scope, CSF 2.0 has been crafted to have broad relevance and usefulness for all organizations globally – regardless of size, type, industry sector and cybersecurity sophistication. Initially, the CSF specifically focused on helping critical infrastructure organizations.

“CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve,” NIST Director Laurie E. Locascio said in a statement about CSF 2.0.

Meanwhile, CSF 2.0’s new “Govern” function addresses areas such as risk management strategy; organizational context; supply chain risk; and policies, processes and procedures. 

“The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation,” reads NIST’s statement.

CSF 2.0’s five other functions are: 

  • Identify, focused on assessing an organization’s cyber risk
  • Protect, about adopting measures to prevent and reduce cyber risk 
  • Detect, centered on discovering and analyzing cyberattacks and breaches 
  • Respond, devoted to taking action after a cyber incident
  • Recover, focused on the restoration of impacted assets and operations
NIST’s Cybersecurity Framework 2.0 places stronger emphasis on governance, features broader scope

To make it easier for a wide variety of organizations to adopt CSF 2.0, NIST has created quick-start guides tailored for specific audiences; case studies about successful implementations; and a searchable catalog of references.

To get more details, check out commentary and analysis about CSF 2.0 from CSO Magazine, The Register, SC Magazine and Help Net Security, as well as the videos below.

The Cybersecurity Framework at 10...and Beyond (The Aspen Institute)

NIST Cybersecurity Framework 2.0 - What Changed? (Optic Cyber)

2 - Study: How to evaluate a GenAI LLM’s cyber capabilities

From the moment OpenAI’s ChatGPT became a global sensation, cybersecurity pros have explored whether and how generative AI tools based on large language models (LLMs) can be used for cyber defense.

All along, a core question has been: How do you test and evaluate an LLM’s cybersecurity capabilities and risks? Well, researchers from OpenAI and Carnegie Mellon University (CMU) tackled this question and just published a study outlining specific assessment criteria.

In their paper “Considerations for Evaluating Large Language Models for Cybersecurity Tasks,” the authors state that current assessment methods fall short, because they focus on evaluating LLMs’ factual knowledge by, for example, having them take a cybersecurity certification exam.

How to evaluate a GenAI LLM’s cyber capabilities

“Fundamentally, we argue that practical, real-world evaluations are necessary to understand the cyber capabilities of LLMs; fact-based examinations are insufficient,” they wrote.

The paper covers the following areas:

  • The nature of cybersecurity tasks and the pros and cons in using LLMs to perform them
  • The way LLMs capture and apply cybersecurity knowledge
  • How specific cybersecurity tasks can be supported by LLMs
  • Recommendations to help cybersecurity pros evaluate LLMs’ cyber capabilities

Some of the recommendations include:

  • Define the real-world task that the evaluation should capture by considering, for example, how humans do it and listing the steps involved
  • Represent tasks in a way that captures their real-world nuance and complexity by, for example, defining their scope appropriately
  • Design and perform rigorous assessments by, for example, modifying and varying input queries by changing words, altering phrases and introducing misspellings 

“Understanding how an LLM performs on real cybersecurity tasks will provide policy and decision makers with a clearer sense of capabilities and the risks of using these technologies in such a sensitive context,” the authors wrote.

To get more details, check out:

For more information about the use of generative AI LLMs for cybersecurity:

VIDEO

Practical Applications for Generative AI in Cybersecurity (OWASP)

3 - CISA, NCSC issue cloud security advisory on Russia-backed APT29

Cloud security teams, listen up: APT29, the notorious cybercrime group sponsored by the Russian Foreign Intelligence Service (SVR), is shifting its attention to cloud computing environments.

So said cyber agencies from Australia, Canada, New Zealand, the U.K. and the U.S. this week in the joint advisory “SVR Cyber Actors Adapt Tactics for Initial Cloud Access.” The advisory details tactics, techniques and procedures (TTPs) observed over the past 12 months, along with detection and mitigation recommendations.

“As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment,” reads the 8-page document.

APT29, also known as the Dukes, CozyBear and Nobelium/Midnight Blizzard, was responsible for the SolarWinds supply chain attack and other high-profile hacks against targets including Microsoft and Hewlett-Packard Enterprise.

These are some of the TTPs used by APT29:

  • Using brute forcing and password spraying to access service accounts, which are used to run and manage applications and services
  • Compromising dormant accounts that haven’t been deactivated although they belong to users who no longer work at the targeted organization
  • Using valid, unexpired tokens to access accounts

Recommended mitigations include:

  • Use multi-factor authentication and require strong, unique passwords
  • Have a process in place for identifying and disabling accounts from users who are no longer with the organization
  • Apply the principle of least privilege to service accounts, so that their scope of access to resources is limited
  • Keep user sessions as short as is practical, so that attackers have less of a chance of using stolen session tokens

To get more details about APT29:

4 - A Tenable poll on identity security challenges and strategies

During our recent webinar “Securing Identities Across Your Entire Attack Surface,” we polled attendees about various aspects of their identity security strategy. Check out what they said about their biggest challenges, their approach and more.

A Tenable poll on identity security challenges and strategies

(64 respondents polled by Tenable, February 2024)

Tenable poll on identity security challenges and strategies

(67 respondents polled by Tenable, February 2024)

Tenable's poll on identity security challenges and strategies

(76 respondents polled by Tenable, February 2024)

Want to learn about the nuances of identity risk management across multi-cloud and on-prem environments? Watch the on-demand webinar “Securing Identities Across Your Entire Attack Surface.”

5 - U.S. updates guidance on ALPHV Blackcat, warns healthcare orgs

The U.S. government is alerting healthcare companies in particular about the threat from the ALPHV Blackcat ransomware-as-a-service (RaaS) group, which this week claimed responsibility for an attack against Change Healthcare.

In an updated joint advisory, CISA, the FBI and the Department of Health and Human Services (HHS) released new indicators of compromise (IOCs), as well as tactics, techniques, and procedures (TTPs) associated with ALPHV Blackcat. The advisory also includes recommendations for mitigation and incident response.

About two months ago, the FBI announced it had disrupted ALPHV Blackcat’s operations, but the ransomware gang has regrouped and has been causing mayhem recently.

To gain initial access, cybercriminals associated with ALPHV Blackcat employ advanced social engineering techniques and publicly-available information about a company.

“Actors pose as company IT and/or helpdesk staff and use phone calls or SMS messages to obtain credentials from employees to access the target network,” the advisory reads.

Mitigation advice includes:

  • Maintain a regularly updated inventory of IT assets and data to identify authorized and unauthorized devices and software
  • Prioritize remediating known exploited vulnerabilities
  • Secure remote access tools by implementing application controls, such as allowlisting remote access programs
  • Adopt phishing-resistant multi-factor authentication 
  • Train staff on social engineering attacks, such as how to identify suspicious emails

To get more details, read the updated advisory “#StopRansomware: ALPHV Blackcat.

For more information about ALPHV Blackcat:

6 - SocGholish tops list of Q4 malware incidents

SocGholish, a malware variant used in fake browser attacks, accounted for most malware incidents in the fourth quarter.

In these attacks, users are tricked into installing what they think is a legitimate browser update that in reality is malware that infects their computers.

SocGholish accounted for 60% of all malware incidents observed by the Center for Internet Security (CIS), which this week released its “Top 10 Malware Q4 2023” list.

It’s been a meteoric rise for SocGholish, which first cracked the CIS list in the third quarter, with a 31% share of malware incidents.

Fake browser update attacks also propelled the RogueRaticate malware variant into the CIS list for the first time in the third quarter. It again ranked in the top 10 in the fourth quarter.

SocGholish tops list of Q4 malware incidents

(Source: Center for Internet Security, February 2024)

Here’s the full list, in descending order:

  • SocGholish, a downloader distributed through malicious websites that tricks users into downloading it by offering fake software updates 
  • Arechclient2, also known as SectopRAT, is a .NET remote access trojan (RAT) whose capabilities include multiple stealth functions
  • Agent Tesla, a RAT that captures credentials, keystrokes and screenshots
  • CoinMiner, a cryptocurrency miner that spreads using Windows Management Instrumentation (WMI)
  • NanoCore, a RAT that spreads via malspam as a malicious Excel spreadsheet
  • RogueRaticate, a downloader distributed through malicious or compromised websites using fake browser updates. 
  • ViperSoftX, a multi-stage crypto stealer that's spread within torrents and file sharing sites
  • ReverseRAT, a RAT that lets hackers breach a compromised system and that’s often used to steal information and to spy on victims
  • Gh0st, a RAT designed to control infected endpoint devices
  • Pegasus, spyware that steals data from iOS and Android devices

To get more information, check out the CIS blog report, which offers details, context and indicators of compromise for each malware strain.

For details on fake browser update attacks:

VIDEOS

Fake Chrome Update Malware (The PC Security Channel)

Apple Mac OS users falling for fake browser update that installs malware (Windows, Computers and Technology)

 

相关文章

您可加以利用的网络安全新闻

输入您的电子邮件,绝不要错过 Tenable 专家的及时提醒和安全指导。

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。

Tenable Vulnerability Management 试用版还包含 Tenable Lumin 和 Tenable Web App Scanning。

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

100 项资产

选择您的订阅选项:

立即购买

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。

Tenable Vulnerability Management 试用版还包含 Tenable Lumin 和 Tenable Web App Scanning。

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

100 项资产

选择您的订阅选项:

立即购买

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。

Tenable Vulnerability Management 试用版还包含 Tenable Lumin 和 Tenable Web App Scanning。

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

100 项资产

选择您的订阅选项:

立即购买

试用 Tenable Web App Scanning

您可以通过 Tenable One 风险暴露管理平台完全访问我们专为现代应用程序量身打造的最新 Web 应用程序扫描产品。可安全扫描全部在线资产组合的漏洞,具有高度准确性,而且无需繁重的手动操作或中断关键的 Web 应用程序。立即注册。

Tenable Web App Scanning 试用版还包含 Tenable Vulnerability Management 和 Tenable Lumin。

购买 Tenable Web App Scanning

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

5 个 FQDN

$3,578

立即购买

试用 Tenable Lumin

使用 Tenable Lumin 直观呈现及探索您的风险暴露管理,长期追踪风险降低状况,并比照同行业者进行基准衡量。

Tenable Lumin 试用版还包括 Tenable Vulnerability Management 和 Tenable Web App Scanning。

购买 Tenable Lumin

联系销售代表,了解 Tenable Lumin 如何帮助您获取整个企业的洞见并管理网络安全风险。

免费试用 Tenable Nessus Professional

免费试用 7 天

Tenable Nessus 是当今市场上功能最全面的漏洞扫描器。

新 - Tenable Nessus Expert
不可用

Nessus Expert 添加了更多功能,包括外部攻击面扫描,以及添加域和扫描云基础设施的功能。单击此处试用 Nessus Expert。

填写下面的表格可继续试用 Nessus Pro。

购买 Tenable Nessus Professional

Tenable Nessus 是当今市场上功能最全面的漏洞扫描器。Tenable Nessus Professional 可帮助自动化漏洞扫描流程、节省合规周期的时间,并调动起 IT 团队的积极性。

购买多年期许可,即享优惠价格添加高级支持功能,获取一年 365 天、一天 24 小时的电话、社区和聊天支持。

选择您的许可证

购买多年期许可,即享优惠价格

添加支持和培训

免费试用 Tenable Nessus Expert

免费试用 7 天

Nessus Expert 针对现代攻击面而量身打造,可以查看更多信息,保护企业免遭从 IT 到云中漏洞的攻击。

已经有 Tenable Nessus Professional?
升级到 Nessus Expert,免费试用 7 天。

购买 Tenable Nessus Expert

Nessus Expert 针对现代攻击面而量身打造,可以查看更多信息,保护企业免遭从 IT 到云中漏洞的攻击。

选择您的许可证

购买多年许可证,节省幅度更大。

添加支持和培训