Resilient Cyber Newsletter #5
CISA Red Team Dwells in Federal Agency, Google Potentially Acquiring Wiz, AI Security Breach Insights and BSidesSF 2024 Playlist
Interested in sponsoring an issue of Resilient Cyber?
This includes reaching over 6,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives
Reach out below!
Cybersecurity Leadership and Market Dynamics
CISA broke into a US Federal agency, and no one noticed for a full 5 months
This article from theRegister discusses how CISA’s Red Team was able to break into an “unnamed” Federal agency and have no one notice for five full months. The activities are part of CISA’s “SILENTSHIELD” assessments as they call them, where their red teams target specific Federal agencies without notice.
The activities used a combination of exploited unpatched vulnerabilities in Oracle Solaris, a CVE that wasn’t on the CISA KEV at the time of exploitation but did end up on it shortly after. The team also utilized phishing, and then the injection of a Remote Access Trojan (RAT) and the discovery of unsecured admin credentials in a password file, which wasn’t encrypted, containing plaintext usernames and passwords.
The compromised account had admin and domain admin privileges for the parent domain. It even had a trust relationship with another Federal agency and the Red Team used it to pivot to a partner organization.
This event highlights how despite the broad push for Zero Trust, modernizing Federal agencies cyber defenses, defense-in-depth, tightening administrative privileges, and implementing robust logging requirements and more, agencies are both falling short of the requirements and susceptible to malicious behavior because of it.
CISA published a robust breakdown of the activity both in a Cybersecurity Advisory and whitepaper, which I definitely recommend checking out.
The U.S. Office of Management and Budget (OMB) Publish FY2026 Cybersecurity Priorities
The U.S. OMB recently published their FY26 Cyber priorities. It is worth noting these most certainly may change, as were in an election cycle, but many of these tie to efforts that have been underway for several years (e.g. zero trust, supply chain security etc.) so I suspect many will still be relevant and are worth discussing.
The priorities are aligned with the most recent U.S. National Cybersecurity Strategy (NCS) and its five pillars. I previously covered the NCS in a comprehensive article, for those interested.
The FY26 budget priorities align with those NCS pillars, and include the following key items:
Modernizing Federal Defenses (e.g. reducing risk by pursuing Zero Trust maturity aligned with the CISA Zero Trust Maturity Model (ZTMM)
Scaling Public-Private Collaboration
Improving Baseline Cybersecurity Requirements
Improving Open Source Software Security and Sustainability
Counter Cybercrime, Defeat Adversaries
Secure Software Development and Leverage Federal Procurement to Improve Accountability
Leverage Federal Grants and Other Incentives to Build in Security
Strengthen the Cyber Workforce
Prepare for Post-Quantum Future
Secure the Technical Foundation of the Internet
While many of these are interesting in their own right, several areas are light on details.
The one that jumped out to me the most was “Improve OSS Security and Sustainability”, as seen below:
We’re seeing the Government actively call for agencies to contribute to maintaining OSS agencies rely on, both by Government employees and contractors. I am interested to see how this one will be met and pursued.
It also calls for the Government to begin to mature its approach about OSS consumption and security. A great place I recommend they start is with the OWASP OSS Top 10 Risk list, which I have covered in several articles, including this article “Top 10 open source software security risks - and how to mitigate them”.
Lastly, it calls for agencies to follow commercial industry examples and begin standing up Open Source Program Offices (OSPO)’s. I suspect we will see agencies begin to really empower specific folks to craft their agency strategies around open source and software supply chains, and stand up OSPO’s to enable contributing to OSS, governing its use, and mitigating OSS risks - which are all LONG overdue for the Federal government, who relies on OSS just as much as others across industry.
If you’re unfamiliar with OSPO’s, I have an article on CSO online titled “The OSPO - the front line for secure open-source software supply chain governance”.
Google to potentially Acquire Wiz for a Whopping $23 billion
Many stories have quickly begun to swirl this week about Google close to finalizing an acquisition of Cloud Security leader Wiz.
There’s a lot to unpack in this one, from the immense value the Wiz team is able to command after just four short years, marking what would be Google’s largest acquisition ever, to potential speculation about antitrust concerns or the government stifling the deal to what the deal would mean for Google to compete with the likes of Microsoft and AWS on the Security front.
This would also be another massive success for the Israeli startup ecosystem, demonstrating yet again why they remain a central hub of innovation and excellence in the cybersecurity landscape.
I’ve had the pleasure of collaborating with the Wiz team quite a bit, from having Principal Cloud Security Researcher, Scott Piper, and Director of Data & Threat Research Alon Schindel at Wiz on my Resilient Cyber show in separate episodes, as well as me being on Wiz’s Crying Out Cloud Podcast, and speaking on a panel at their RSA event with Alon, their CMO and others.
They have also built out an amazing public sector team to serve the U.S.
I’m excited for the Wiz team!
There’s been some great analsysis and perspectives on the deal on LinkedIn from folks such as Snehal Antani, CEO of Horizon3.ai which does autonomous Pen Testing, as well as from VC and Advisor Pramod Gosavi.
Perspectives range from folks discussing how it is a great move, bolsters GCP’s multi-cloud security approach to others questioning the move and what it means for the future of Wiz, and what approach Google will take in integrating Wiz.
Much to be seen here, if the deal truly materializes.
A world after Wiz: Emerging opportunities in cloud security
Amid all the hype about the potential Google <> Wiz deal, Investor Shayan Shafii of Scale Ventures Partners published an amazing piece discussing the potential Wiz deal but also much broader context around tools, categories, cloud migration/evolution and the future of this space.
He covers the rise of both Rubrik and Wiz and their similar impressive revenue performance at different phases of cloud adoption and maturity, as well as emerging new categories and opportunities and remaining questions to be considered.
If you’re following the cloud security space, the vendors, the capabilities and the modern threats and risks organizations face, this is a great article to read.
AI
Securing Your AI: A Step-by-Step Guide for CISO’s
This is a great high-level blow from Chloe Messdaghi, Head of Threat Intelligence at AI Security company Hidden Layer. It lays out a three step process for getting a handle on your organizational use of AI.
They include:
Step 1: Establishing a Security Foundation
Step 2: Discovery and Asset Management
Step 3: Risk Assessment and Threat Modeling
They also published a great AI Threat Landscape report which is a good primer on AI Security and a recommended read.
The Step-by-Step Guide lay out key activities, personas and their respective roles in securing organizational use of AI and how to get started.
DoJ and FBI Takedown Russian GenAI Social Media Bot Farm
This past week the FBI and DOJ announced the takedown of a Russian GenAI-enhanced social media bot farm. They stated it was intended to “be used to disseminate AI-generated foreign disinformation” aimed at undermining U.S. partners in Ukraine and influence geopolitical narrative favorable to the Russian Government.
In the DOJ formal Press Release it cites the seizure of two domain names and the search of 968 social media accounts on the platform X (previously known as Twitter). It cites fake profiles, promoting messages supporting the Russian Government.
This marks a significant takedown and further evidence of how AI will be used to sow disinformation and sow domestic divides in countries such as the U.S. and others.
AI Security Breach Insights
In a post shared by Svetlana Sicular, VP of AI Research at Gartner, its stated that almost 30% of enterprises deploying AI had an AI security breach. This included a combination of data compromise by internal and external parties as well as malicious attacks on AI infrastructure.
This demonstrated that attackers are targeting AI systems and environments, as well as its underlying infrastructure and organizations are still learning to govern and secure those environments and services as the business is quickly adopting them.
Navigating AI: A Blueprint for Leadership
Rob van der Veer gave an excellent concise talk for leaders looking to help get some governance on their organizations AI Development efforts.
He lays out practical recommendations, including leveraging longstanding software security best practices (e.g. inventory, version control, testing etc.)
Avoiding recreating the wheel and leading to siloing AI security efforts
Leaning into existing guidance such as recent ISO standards as well as the OWASP AI Exchange OWASP® Foundation
Accounting for some of the new and novel attack vectors and threats associated with AI
Rob continues to be a valuable asset for the community - if you have a chance to give the talk a watch you should. It’s a great primer for organizational security leaders.
Rob helps lead the OWASP AI Exchange, which I covered in this article, and I have also interviewed him on the Resilient Cyber show in the past here.
AppSec, Vulnerability Management and Software Supply Chain Security
Is ASPM the Future of Application Security?
James Berthoty recently published a blog discussing if ASPM is the future of AppSec.
It discusses the Problems in AppSec, which he listed as:
Too many scanners
Too many false positives
Fixing things is really hard
Too much code, too fast
Environments are too diverse
This is a great high-level concise blog discussing some of the major problems in AppSec and why we’re seeing the rise of ASPM solutions from vendors.
I agree with James’ assessment and I would add another major AppSec problem being that organizations lack context. As I have discussed many times in blogs and my books, organizations are drowning in vulnerability backlogs in the hundreds of thousands to millions.
They lack context around what vulnerabilities are known to be exploited, likely to be exploitable, reachable/exploitable, asset/business criticality and much more.
For those unfamiliar with ASPM and who want a deeper dive on the problems James list and more, I published a very comprehensive article titled “The Rise of Application Security Posture Management (ASPM) Platforms” with my friend and fellow writer/analyst Francis Odum, who runs an excellent blog you should subscribe to called “The Software Analyst” where he breaks down market trends and product categories.
Hackers uses Proof-of-Concept (PoC) exploits 22 minutes after release
In the discussion around vulnerability management, metrics often looked at include how quickly organizations are able to remediate known vulnerabilities vs. how quickly malicious actors can exploit them.
In this report from Cloudflare, who processes an average of 57 million HTTP requests per second showing just how quickly attackers are looking to exploit vulnerabilities when PoC’s become available.
For example, CVE-2024-27198, which applied to JetBrains team city was observed as being attempted to be exploited in a mere 22 minutes after the PoC for the exploit was published.
Knowing that organizations have vulnerability backlogs in the hundreds of thousands to millions, it is simply impractical to think that nearly any organization has a remediation capability to address vulnerabilities at this speed, especially across their entire enterprise of diverse products and software.
Cloudflare recommended organizations leverage AI to try and keep pace with this level of exploitation, helping to quickly develop effective detection rules to identify malicious behavior or attempts.
The article discusses some of the factors contributing to exploitation speed being that some attackers have specialized in specific CVE categories and products, enabling them to move rapidly when a new vulnerability and its associated PoC emerge.
The full PDF report from Cloudflare is located here
BSidesSF 2024 Playlist
BSides San Francisco recently released their 2024 playlist from their event that coincided with RSA, and it is full of amazing talks and speakers.
The topics range from VulnMgt, Cloud Security, AI and much more.
While I haven’t had a chance to watch all of them, I have had a chance to check out several, and some of the ones I found most interesting are below:
Navigating the AI Frontier: Investing in AI in the Evolving Cyber Landscape by Chenxi Wang
Above is a great talk on AI and its implication for software engineering and cybersecurity. It is by Chenxi Wang, who I have followed for quite a while and who has an amazing background as a cybersecurity and technology leader, Board Member, investor and more.
In the talk, Chenxi covers a lot of topics, including making a prediction that AI could potentially automate a massive majority (80-90%) of the cybersecurity services market, which is about $100 billion, accounting for nearly half of cyber spend.
As I said on LinkedIn, I'm as excited about AI as everyone else, but this metric seems incredible.
After several decades of cybersecurity experience in large complex environments, I know that despite all the VC focus, buzz, and marketing being around tools - they generally require human involvement.
Deploying, tuning, configuring, optimizing, monitoring and using them to drive down organizational risk - all in a coherent and orchestrated manner coupled with policy, process and leadership.
Furthermore, organizations are complex, full of humans, requiring expertise in communication, empathy, story telling, building buy-in and relationships and countless other non "cyber" skills when it comes to building and leading effective cybersecurity programs.
The idea that any technology, even AI, can automate 80-90% of cybersecurity professional services is really tough to grasp, even for an AI optimist like myself.
TL;DR Applying AI to Cybersecurity
Another excellent talk on AI and Cyber is from tl;dr sec’s Clint Gibler, who uses his amazing content coverage from his newsletter to dive deep into the implications of AI on Cyber.
There's been a ton of attention on two aspects of AI, which are Securing AI, and Leveraging AI for Security. While the first topic brings a lot of FUD, the second brings a lot of excitement.
One major benefit of content creation is coverage. When you're constantly curating content, you're able to aggregate resources, insights and data on topics. Few do it better in our industry than Clint Gibler of tl;dr sec
That's why his talk "TL;DR: Applying AI to Security" from BSidesSF is really awesome. He covers a TON of content and insights from the industry when it comes to applying AI to security. His talk focuses on a big picture understanding of applying AI to security, as well as tactical examples.
The talk covers:
- Use cases, such as AppSec/SAST, Code Review, Pen Testing, Threat Modeling, Secure Design Reviews and much more
- Resources and Reflections, leveraging Clint's incredible coverage of the AI content landscape, citing reports, talks, blogs and many other examples from some of the industry's best who are sharing their learnings.
If you're interested in how AI is and can potentially be applied to security, this is definitely one to check out!
And, if you aren't already subscribed to tl;dr sec you're doing yourself a disservice.
Closing Thoughts
We’ve seen some pretty big headlines this week. From CISA’s Red Team’s ability to penetrate and dwell in Federal agencies for months undetected, to the potential acquisition of one of the hottest cloud security companies in the industry.
There are also so many great talks underway, with folks exploring the potential of AI, dissecting new and emerging security categories and vendors as well as insights into the U.S. Federal Government’s budget priorities for FY26, which include an emphasis on securing open source as well as making further progress on ZT.
I hope you all enjoy!