Web, API and AI Threat Modeling

In an era of rapid technological advancement, safeguarding against cyber threats requires a vigilant approach that adapts to emerging trends. As we navigate the evolving landscape of cybersecurity, it's imperative to stay informed about the latest developments. Let's explore some of the cutting-edge trends, including the heightened emphasis on application and API security, as well as the integration of artificial intelligence (AI) for robust protection.

Defense in Application and API Security

Application Security Fortification

With the proliferation of online applications, securing them against potential threats has become paramount. Modern cyber defenses are increasingly focusing on fortifying applications right from their design and development stages. This includes implementing secure coding practices, conducting regular security audits, and utilizing advanced tools to identify and patch vulnerabilities promptly.

API Security Imperatives

As organizations leverage Application Programming Interfaces (APIs) to enhance connectivity and functionality, securing these interfaces is of utmost importance. Cybersecurity strategies now include comprehensive API security measures to prevent unauthorized access, data breaches, and other potential exploits. This involves robust authentication mechanisms, encryption protocols, and continuous monitoring to detect and mitigate emerging threats in real-time.

AI Security Considerations

Integrating AI for Enhanced Protection

Artificial Intelligence is revolutionizing cybersecurity by providing advanced threat detection and response capabilities. AI-driven systems can analyze vast amounts of data, identify patterns, and detect anomalies that may signal a potential security breach. This proactive approach enables organizations to respond swiftly to emerging threats, minimizing the impact of cyber incidents.

Adversarial AI: A New Challenge

While AI enhances cybersecurity, it also introduces new challenges, particularly in the form of adversarial AI. Malicious actors may exploit vulnerabilities in AI systems, manipulating algorithms to evade detection. Cybersecurity strategies are now evolving to address these concerns, implementing techniques such as adversarial training to fortify AI systems against manipulation attempts.

The recent cloud security issues underpin the broadened attack surface, and why "assume breached" or paranoid security architecture for access control & monitoring, configuration controls are now common for many tech firms who have adopted beyondcorp or zero trust model of security.

As a CISO, how do you know if your IT team has configured the infrastructure to protect your data against cyber security threats? The Solarwinds story is remarkable in demonstrating what's wrong with the current state of Cyber Security.

Many organizations go on spending spree with security tools, and they complain that they can't find the right talents to run them, but when they do find the right talent, they are marginalized and often told to focus on needless bureaucratic processes rather than true innovative security methods. Without top executive support, cybersecurity engineers are not respected by other IT teams, as typically security teams report to CIO organization, which has the focus on getting things done "apparently" right, fast and at minimum cost.

Do you know enough about the business to create a risk register and develop a security program based on the best practices on budgets and risk reduction methods that will result in the most cost-effective, sustainable, resilient cyber defense?

If the affected organizations followed this simple checklist, they would not be in a position where they are currently.

Follow this Checklist for effective cyber security:

Step #1: Know your business well. Talk to C-level executives to get an understanding of new projects, priorities and changes in processes that may change the threat landscape, and you may need to tweak your tactical tools accordingly. Understand the people involved, what they do for the organization and where the weakest links are.

Step #2: Start a Red Team to assess cyber risk (using safe breach or Atomic eye RQ ), and identify the vulnerabilities across the enterprise. Pentesting is not enough, as external consultants often do not test internal processes, and audit teams do not go deep enough about technical measures.

Step #3: Trust but verify. Reduce attack surface and monitor both critical assets, vendors and employees. Use VDIs and isolation/micro segmentation tools such as VLANs and Illumio to logically segment assets with critical data. Use Bitsight, Securityscorecard or riskrecon for insights on vendor risk. Block or redirect unknown sites to content isolation tools such as Fireglass or Bromium. For privileged users, that means using an AI tool such as Polarity (www.polarity.io) to get the context of what they are doing throughout the day, and then finding deviance from normal behavior, such as off hours malware activities. Critical Production changes must be documented, recorded and tested with verification/orchestration and computer vision or contextualization. Same goes for critical incident investigation. Detect lateral movements using deception sensors, Vectra AI or Cyphort and investigate issues using EDR such as CB Response.

Step #4. Cut down on internal friction and politics so security is not seen as blockers but enablers. To get the CIO to focus on the high risk items, you have to cut down on the number of processes that block innovation. Embrace the cloud, and anything else business wants. There is no other option when Microsoft changed its licensing model to give out "free" email and cloud storage. If the business has made this decision without a data classification and information rights management programs (most companies don't have them), you have to adapt to the change and propose budget items to "embrace" these directives with more security tools like CASB, but you have to sell this. How? Use business sense and talk to senior management using tips from Step #5.

Step #5. Get business buy-in and leadership support. Work with Chief Risk Officer or CFO to calculate organization's Annual Expected Loss do to cyber events. Use any of the analytical models in the "economics of cyber/information security" field to come up with a number "recommended" by expects to spend on security. Typically it's 1/3rd of the Expected Annual Loss. Most companies are doing 1/10th of the expected loss, so it's an easy sell. Now use OCTAVE or Gartner's CARTA strategic approach to develop your program to address the risks identified in step #1. Establish metrics that are easy to collect and shows the progress you are making.

Assume network is compromised and web servers will eventually be compromised: use technology to throttle down web-based attacks and lateral movements especially after hours when top engineers are not working. Use Deception Technology such as Illusive or TrapX to redirect hackers in a virtual puzzle, while using RASP (Contrast Security, Vericode) to create detailed audit trails, and WAF to block against published vulnerabilities and zero-day exploits. Use endpoints HIDS for virtual patching.

Collect these metrics: Top email senders (exchange/MTA and gateway level), Top Internet Browsing endpoints, Top endpoints with errors in system logs and detected malware and unmatched vulnerabilities, suspicious activities such as promiscuous network card activations and software installs (sysmon can help). Also, top website hits, especially after hours. Why? You will baseline expected activities in your environment.

Do not have metrics that set you up for failure, simply have the broader mindset of dealing with risk, and go back to the board if you think additional money spent will reduce substantial risks. At the end of the day, you have to show progress through risk reductions, not amount of work being done (such as # of projects completed or hours spent on those). Again, focus on risk reductions on the riskiest items.

Learn how the organization plays out politics, if you can't beat them, consider joining them as long as the politics is not dirty and does not undermine your desired level of integrity. I say this because over the years I have learned that having a strong integrity mindset is often due to self-righteousness and it affects not only your progress, but also the organization's. Train yourself 1-2 weeks every year on emerging topics, and send your team to at least two security conferences a year, and ask them to get at least one certification related to this area. If they fail the certification exam, that's fine, review their scores and identify the areas where they need to improve. This is the cheapest way to determine if your team is keeping themselves up-to-date with skills.

Additional recommendation:

Use smart tools, not Gartner or expensive tools: Measure your vulnerability management program using CVSS v3 calculator, Kenna Security or SkyBox and Security tool effectiveness using NSS Labs CAWS and Verodin. Do a process inventory and use mind map tools to identify highest risks/threats and the existing tools that mitigate those. Use ReadSeal to have a map of the entire network and then use Maltego or Palantir for threat intelligence.

Many cloud-based vulnerability management tools will allow you to scan your perimeter from the Internet (Rapid7 Sonar is an example). You can also get that through DHS/CERT NCATS (sign up at your own risk), or through Shadowserver (non-profit).

Goal # 1 Web Threat Protection: Most companies have web filtering product, but many of them are not configured to vendor's best practices, such as blocking uncategorized sites, which is the only category you must block after malware and hacking sites, because all dark web, C&C and emerging threats are delivered on web sites that are not yet categorized by major vendors. In my experience, this is the #1 reason why attack vectors such as phishing is so successful. The way this attack works, is that using ad-network beacons to "uncategorized" sites, an attacker (often someone with $100 Adwords coupon, or even a nation state) comes up a list of organizations that do not filter this specific category. They get more details of your network mapping through free websites such as Alexa top sites and Netcraft.

Next, they host malware on the uncategorized sites, and simply launch a regular or targeted phishing (spear-phishing) attack. Only one of your privileged users need to click the link for them to successfully penetrate your organizations layered defenses.

In my view, organizations that have uncategorized sites allowed, experience unnecessary volume of cyber events. If you are a #CISO concerned about network team's ability to control these settings, please post your questions in the comments section.

In cases where blocking of unknown sites are not allowed because user complaints to help desk, top 100 uncategorized sites can be exported from the logs, and can be categorized manually. Other alternative is to provide guest wireless access and a cheap second computer or tablet, such as chromebook to the users, so that they do not use their work computer to do extensive personal browsing. I have a number of patents in automating this function, and helped mid-size to large organizations facing this challenge.

Frequently, administrators do not install the free client-proxy tool available for laptops, so that corporate policies can be extended to corporate assets when connected to home networks or open wifi.

Until the oligopoly of web filtering technologies shifts, and disruptive innovation is made in this space, such as implementation of k-nearest neighbor (k-NN) approach for dynamic data classification (which I worked on in early 2000s), we are at the mercy of ransom ware, advanced malware and constant C&C beacons, because even security awareness can't help users from inadvertently accessing a bad site because of ad-nework malware and other threat actors. Solutions that partially resolve this issue include openDNS and browser plugins that protect against ad network malware. I also like quad9, Menlo Security and Zscaler.

Designate a separate VLAN for wifi for web browsing. Allow only intranet access on ethernet/LAN. Encourage use of secondary device such as iPads for non-work related web browsing activities. Use a URL filtering tool to block uncategorized (unknown) sites, malware/botnet/spam and pornographic/illegal categories.

Cost: $0 (browser plugin) to $3+/user (openDNS).

Recommendation: Use Proofpoint URLDefense with Cisco OpenDNS and Palo Alto Wildfire/ Bluecoat Categorization database to eliminate over 99% of these threats.

2. Data Loss Prevention (DLP): Solutions include openDLP (open-source, free), Code Green DLP for midsize businesses, and Symantec or Mcafee DLP products for enterprises. If your company needs webex, gotomeeting, or join.me, allow the top three web conferencing software by usage, and block the rest. Periodically, ask for documentation or reason for web conference use, to prevent data loss.

Cost: Free (openDLP) to $1M+ (Symantec)

Recommendation: DLP is old tech but important for HIPAA regulations, use Deceptive technologies in conjunction with advanced capabilities of Office365 or Proofpoint/websense to block or encrypt those data transfers.

3. Network access control: Solutions include the use of Microsoft Network Access Protection (NAP), network appliances such as Forescout, or host-based solutions such as Symantec NAC. Use Host IPS for virtual patching.

Cost: Free (MS-NAP) to $100K+ (Symantec)

Recommendation: #Forescout is the market leader. Forget MS-NAP.

4. Encryption: Full-disk, File, Email and web encryption should be considered. Microsoft Bitlocker provides full-disk protection; Symantec PGP and open source product Truecrypt provides industry standard file encryption. OpenPGP and SSL are excellent choices for email and web encryption. There is also an option of using Transport Layer Security (TLS) for email gateways for automatic encryption of content.

Cost: Free (Bitlocker) to $100K+ (Symantec PGP)

Recommendation: Use #Bitlocker. Vormetric (Thales) offers excellent choices for data at rest and transmission.

Goal #2 Prevent attacks:

A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. Proxy and content-filtering technologies are associate tools that provide additional level of security for Internet browsing.

Use of anti-malware software that use multiple scan databases is essential. I wrote an AV engine based on virustotal in 2010, however they changed their TOS recently. Herdprotect is still available for free, and enterprises can use opswat Metadefender. Antivirus that use one scan databases only provides false sense of security and EMET is prone to crash; replace it with Malwarebytes with anti-exploit kit.

If you can afford a macbook or Mac Mini, they are great alternatives, so is chromebook, if you regularly update them. You do not really need anti-virus for these platforms, simply use ad-blocker software, and disable plugins such as Java, and try not to install freeware unless they are from a reputable vendor and free of adware. Plugin security is robust and enabled by default in Mac OS, and their app store provides additional security and verification through digital signatures. Enterprises should turn on Bitlocker/Whitelisting+Blacklisting software, and digitally sign all internal executables, including macros.

Technologies such as Firewalls (network, application, databases), Web proxy and content filters, Antivirus, Anti-spam, and DDos Prevention tools are excellent examples of tools that can prevent attacks. Solutions available include Linux based firewalls and industry leaders Cisco, Juniper firewalls. Newer vendors such as Palo Alto Networks offer next generation firewalls.

I can't stress enough the need for Secure Coding practices. Your team should know extensively about OWASP top 10 vulnerabilities, and implement ways to mitigate them. Using WAF (or worse WAF in monitor-only mode) will not protect against really bad coding. Use tools such as CheckMarx, IBM Appscan, Veracode to check for vulnerabilities in source codes, use Cigital to train coders and Blackduck to keep on top of open source libraries that may contain vulnerabilities.

Patching/Vulnerability Management: Critical vulnerabilities for OS (server and desktops) must be applied as soon as feasible. Test environment must be available for critical infrastructure, so that patching does not create self-inflicted denial of service. On desktops, adobe products (PDF, flash) and Java must be updated, as they are frequently targeted.

Cost: Free (Linux) to $10K+(Cisco)

Goal #3 Containment/Remedy/Readiness:

• FireEye, Triumfant (now called Atomic Eye), Tripwire are examples of solutions that will allow containment of threats through sandboxing and other next generation technologies. Tools such as Tripwire and Triumfant also detects and prevents changes to systems made by malicious software. Many top tier organizations use Tanium/Ziften for threat detection, virtualized browser such as Bromium for containment, and Triaumfant/ Steady State VMs for remediation. Both Tanium and Cisco AMP allow you to investigate the entire kill chain of a threat.
• You need cybersecurity insurance with regular onsite underwriter evaluations, so you are not surprised when certain items are not covered, such as ransomware attacks. Get additional riders, and create a ransomware readiness plan, including negotiators if needed to negotiate a ransomware payment under legal advice. Because the identity can't be verified for blockchain payments, you want to make sure that a trusted third-party (usually a lawyer from your insurance company) is always involved through the resolution of ransomware incidents.

Cost: These products are usually commercial and runs from $50- $100K+

• Implement a Business Continuity Plan for resilient architecture and continuous operations. Have sufficient backups and offsite data center or location, if the business requires it. Effective use of virtualization technologies may reduce some of the costs associated for redundancy. Cost: Vmware Licensing costs and Network Storage ($10,000 to $1M+)

Goal #4 Continuous monitoring of privileged activities, User awareness:

IDS: An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.

SIEM: Short for Security Information and Event Management- SIEM is a set of tools used by IT professionals and system administrators to manage multiple security applications and devices, and to respond automatically to resolve security incidents. Examples include Alienvault OSSIM (open source), RSA Analytics, IBM QRadar etc.

Next Gen: SIEM Helpers, such as siemplify, or ELK/Spark/Hadoop-based analytics clusters can reduce number of alerts, and investigation time. I like Spark more than Hadoop for its speed, and Exabeam/Rapid7 UBA for cross-correlation of user behavior.

Security Awareness: Security awareness programs are the most effective way to secure the weakest link in the security: end-user. Through effective campaigning, the effects of computer security issues and social engineering should be communicated to users of all levels.

Privileged User Monitoring: Use Avecto on endpoints and CyberArk/BeyondTrust for privileged user/identity management.

Cost: Free (Security awareness posters, OSSIM) to 100K+ (Arcsight)

Opinions expressed are personal, and do not reflect employer's endorsement.

Goal #5 Optimize SecOps:

Most MSSPs operate at a loss. Look at the financial reports for Secureworks, Dell spinned off the MSSP likely because they add big losses to the accounting statements. When building your internal SOC, you should also realize that this will likely be a money losing proposition with little or no value added. I recommend that you crowdsource SecOps across the organization to get the most value out of your investment. Gamification, organizational strategy, planning and training can reduce up to 80% of your SOC investments if you hire an experienced CISO consultant.

The best way to achieve Security? Give CISO a personal office, or at least a dedicated big white board! Security professionals do a lot of thinking throughout the day, and they need a quiet space to hunt down those threats that can bring down the enterprise. They also need the visibility within the organization, so they are not perceived as blockers. Encourage innovation and cut the red tapes; let the CISO rewrite all the policies to encourage LEAN principles of getting work done. Offer flexible hours for SecOps team, as they are usually available 24/7, and work with HR to get ergonomic work environment, including standing desks, faster computers/Macbooks and dual-monitors. Give them the right tools to collaborate, if IT is on your way, talk directly to business.

I had wall full of ideas in my long career as acting CISO/ Management Consultant, and my team was always welcome to walk in, and assign me a task on my whiteboard. I got it done using kanban boards/leankit : planning, doing, done.

Invest in your people as much as you invest in the tools with lots of marketing hype. Encourage them to speak up, and even give rewards for finding flaws on your web site, processes, loop holes in policies. I used to have drawer full of $5 Starbucks gift cards for security tips (I would randomly talk to employees about security habits and offer $5 if they say they will update their home anti-virus program, or adopt a new secure habit), and $25 cards for bug bounties. You have to think outside the box, because the hackers are doing that already.

Shore Up Monitoring:

Use Windows Event Collection tool, and analyzers such as Logbinder to focus on log collection:

• This focuses on the Windows Security Log and on the events you should be monitoring specifically for early detection of APT activity and ransomware. Use EDR tools like Carbon Black Response or CrowdStrike and correlate Threat Intel sources.

•RASP: in cases where web access logs are not sufficient, use a RASP such as Contrast Security or Vericode, to create the detailed audit trails. WAF logs are also useful.

• AppLocker: Consider enabling AppLocker in audit mode and getting the actual hashes of unrecognized EXEs and DLLs

• Enabling registry auditing, monitor changes to servers and privileged activities.

Cost: $0 (Syslog-ng) to $100K+ (Crowdstrike)

Security Issues with OpenID, OAuth, and MFA Measures:

OpenID:

1. Phishing Vulnerabilities: OpenID authentication is susceptible to phishing attacks, where malicious entities trick users into disclosing their OpenID credentials on fraudulent websites.
2. Single Point of Compromise: Relying on a single OpenID provider introduces a risk where compromising the provider's security could lead to unauthorized access to multiple accounts associated with that OpenID.
3. Privacy Concerns: Depending on the information shared during OpenID authentication, privacy issues may arise if users are required to disclose more data than necessary.

OAuth:

1. Authorization Code Interception: The transmission of OAuth authorization codes may be vulnerable to interception, enabling attackers to gain unauthorized access. Secure communication channels (HTTPS) help mitigate this risk.
2. Token Security: Protecting access tokens is crucial. Insecure storage or transmission of tokens, or their unauthorized leakage, can lead to unauthorized access.
3. Insufficient Scope Control: Users granting overly broad permissions can expose sensitive information. Proper management of permissions is essential to limit access to only necessary resources.
4. Client Security: The security of OAuth clients, such as applications, is critical. Compromised client credentials can lead to unauthorized access, necessitating secure storage and handling of client secrets.
5. Token Leakage in Browser History: If access tokens are included in URLs during the OAuth process and end up in browser history, it poses a risk as the history might be accessible to attackers.

Multi-Factor Authentication (MFA):

1. Phishing and Social Engineering: MFA methods like SMS or email codes may be vulnerable to phishing attacks where attackers trick users into revealing secondary authentication factors.
2. Biometric Data Risks: Biometric MFA methods, such as fingerprints or facial recognition, can be susceptible to unauthorized access if biometric data is compromised.
3. Device Security: MFA often relies on a user's device. If the device is lost, stolen, or compromised, it may lead to unauthorized access, emphasizing the need for strong device security.
4. User Experience Challenges: Some MFA methods can be inconvenient for users, potentially leading to resistance or workarounds that reduce security.

To enhance the security of these authentication and authorization mechanisms, it's crucial for developers and organizations to follow best practices, implement secure communication channels, regularly update software, and educate users about potential risks. Additionally, combining OpenID, OAuth, and MFA in a layered approach can provide a more robust security posture. Users should remain vigilant, practicing good security hygiene and reporting suspicious activities promptly.The final tip is regarding how to deal with organizational politics and reluctance. Let's say you are in the following situation:

Every time a security control is mentioned, it is needlessly and fiercely opposed. When I say needlessly, they are basic controls that even people have at home. Simple communications suggesting a different way of doing things are misunderstood as rebellious. And not to mention months of meetings to turn on a setting that takes 5 minutes to implement with no impact. Despite stricter regulations, senior management's involvement with #cyber, there may be reluctance to doing the right thing. Most times it's because managers are out of touch with latest technology.

In the past, I have suggested talking to the #CISO directly, because at the end CISO is ultimately responsible for security team's failure. But these days with the number of increasing #security breaches, our reputation as security professionals is at stake. No matter how resistant the organization is to change, it is your responsibility as a security professional to protect it from #cyber attacks. And it is okay to politely raising the concerns and see that they are resolved. You may feel intimidated, but at least you will have a #purpose in a job where issues are addressed, rather than one where you will face retaliation for doing your job.

Staying Ahead of the Curve

In the ever-evolving landscape of cybersecurity, staying ahead of emerging threats is crucial. Organizations must adopt a multi-faceted approach that incorporates the latest technologies, robust policies, and ongoing education for their teams. By prioritizing defense in application and API security, and addressing the unique considerations of AI, businesses can enhance their resilience against the dynamic and sophisticated threats present in today's digital environment.

In conclusion, as we strive to protect against cyber threats, a forward-thinking cybersecurity strategy is essential. By embracing the latest trends in application and API security, and AI considerations, organizations can fortify their defenses and proactively mitigate the risks associated with an increasingly interconnected digital landscape.

What do you think?

Opinions expressed are personal, and do not reflect employer's endorsement. #Cyber #InformationSecurity #CyberSecurity #SIEM #Proxy #NIST #FFIEC #NYDFS #CISO

Links:

https://bigdatawg.nist.gov/_uploadfiles/M0007_v1_3376532289.pdf

https://www.us-cert.gov/resources/ncats CVSS Calculator