Starting today, the Pentagon’s main network defense command, Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN), will launch the Cyber Operational Readiness Assessment (CORA) program, a new model for measuring network readiness that shifts the focus from compliance to operational preparedness.
CORA is intended to be risk-informed for defensive cyber operations internal defense measures: specific actions taken on the network in response to intelligence, a threat or an incident. Officials described it as a “living inspection” that can flex to operational and emerging needs, given the unpredictability of future vulnerabilities.
“[CORA] enables commanders and directors to make the right decision when applying resources to increase the security posture of their network. It allows us to iterate and change on a dime to figure out what is important now. As everyone understands, technology changes so frequently, so fast, it’s hard for everyone else to keep up. […] With the flexibility of CORA, we’re able to shift and adapt and overcome to start focusing on those unknown or newly discovered vulnerabilities for what is important to JFHQ-DODIN because of intel and threat reporting,” Nicholas DePatto, inspections branch chief said.
Officials began the shift by developing key indicators of risk to ensure alignment with JFHQ-DODIN’s cybersecurity priorities and to direct focus onto the most critical areas of remediation. In turn, this will allow organizations to focus their mitigation efforts on risk and exposure to common adversaries’ TTPs, allowing the DOD to concentrate resources and staffing on high-risk areas.
Troy Batterberry, CEO and Founder, EchoMark had this comment:
“Shifting to a threat-informed approach, the CORA program aligns closely with our ethos of operational readiness and agile responsiveness, focusing on risk-informed defenses and ability to address emerging threats quickly. This aspirational standard underscores the importance of evolving security measures to outpace rapid technological changes and often unpredictable and sophisticated threats. It’s not just about being prepared; it’s about staying ahead.
“This initiative and directed focus on risk indicators prioritizes adaptability and informed decision-making in security practices which will bring companies closer to where our security is as dynamic and resilient as the threats we face.”
Stephen Gates, Principal Security SME, Horizon3.ai follows with this:
“To gain the highest level of consistent mission readiness, organizations must view their cyber infrastructures through the eyes of their adversaries. Therefore, it makes complete sense to establish the Cyber Operational Readiness Assessment (CORA) program and shift from mere compliance to actual operational readiness. Trying to remain compliant with a host of different regulations and standards does not always mean you are more secure. Continuous assessment of risk has been proven to vastly improve operational effectiveness.
“Today, organizations are equipping their security teams with offensive-based autonomous assessment solutions allowing them to perform adversarial exercises against their internal, external, and cloud infrastructures with nothing more than a click. Being able to load, aim, and fire an autonomous assessment solution against yourself tells organizations where their greatest weaknesses are so they can remediate them before adversaries discover them.
“This cyber terrain assessment approach goes way beyond simple network and vulnerability scans since autonomous assessment solutions are using the exact same TTPs that attackers are using – and can be safely launched against any production environment. The advancements of autonomous assessment technologies are increasing the security postures for those that capitalize on this emerging technology and massively reducing risk in the context of the cyber threat landscape.”
This is a good move by the Pentagon: it will make it far easier to defend against cyber threats because the assessment model will be far simpler for defenders to navigate, which means they will be in a better position to defend.
UPDATE: Troy Batterberry, CEO and Founder, EchoMark added an additional comment:
“Given the ever-changing environment, being both risk-informed and agile are paramount to establishing modern security practices. In addition, and akin to good general systemic design, organizations also need to continue to utilize “defense in depth” through multiple layers of protection and access control governance to help avoid a single point of failure causing a broad breach.”
Github Is Under Attack
Posted in Commentary with tags Apiiro, GitHub on March 1, 2024 by itnerd
Bad news for developers. GitHub is being besieged by millions of malicious repositories in an ongoing attack:
Similar to dependency confusion attacks, malicious actors get their target to download their malicious version instead of the real one. But dependency confusion attacks take advantage of how package managers work, while repo confusion attacks simply rely on humans to mistakenly pick the malicious version over the real one, sometimes employing social engineering techniques as well.
In this case, in order to maximize the chances of infection, the malicious actor is flooding GitHub with malicious repos, following these steps:
And:
Once unsuspecting developers use any of the malicious repos, the hidden payload unpacks seven layers of obfuscation, which also involves pulling malicious Python code and later a binary executable. The malicious code (largely a modified version of BlackCap-Grabber) would then collect login credentials from different apps, browser passwords and cookies, and other confidential data. It then sends it back to the malicious actors’ C&C (command-and-control) server and performs a long series of additional malicious activities.
Ken Westin, Field CISO, Panther Labs had this to say:
We at Panther have seen an increase in software supply chain attacks, where developers, code and cloud infrastructure are increasingly becoming a target. We have seen this with APT groups such as Lazarus out of North Korea, as well as financially motivated cybercrime groups. The goal of the attacks is often to infect code upstream to then target customers downstream, or in this case to steal credentials and authentication cookies with the hope of gaining privileged access to applications, code and secrets. Many organizations do not consider monitoring data sources such as GitHub in their SIEM and often do not have visibility into potential security compromises of code or developers’ workstations and infrastructure.
The report from Apiiro has a lot of detail in terms of the attack and indicators of compromise, along with steps in terms of protection. Developers should read this and act accordingly.
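One concrete check against the repo confusion pattern described above, added here as an illustration (not code from the blog or from the Apiiro report): it parses GitHub remote URLs and flags a repository whose name matches a project in an allowlist of canonical owners but sits under an unrelated or lookalike owner. The allowlist, the sample remotes and the lookalike distance threshold are assumptions for the example.

```python
# Added example (not from the blog or the Apiiro report): flag repositories whose
# name matches a well-known project but whose owner is not the canonical one.
import re
# Constructed allowlist of trusted owners per repo name (assumed, for illustration).
CANONICAL_OWNERS = {
    "requests": {"psf"},
    "pytorch": {"pytorch"},
}
GITHUB_RE = re.compile(r"^(?:git@github\.com:|https?://github\.com/)([^/]+)/([^/]+?)(?:\.git)?/?$")

def parse_github(url):
    """Return (owner, repo) lowercased for a GitHub remote URL, else None."""
    m = GITHUB_RE.match(url.strip())
    return (m.group(1).lower(), m.group(2).lower()) if m else None

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike owner names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Verdict: ok, lookalike-owner, repo-confusion, unknown or not-github."""
    parsed = parse_github(url)
    if parsed is None:
        return "not-github"
    owner, repo = parsed
    trusted = CANONICAL_OWNERS.get(repo)
    if trusted is None:
        return "unknown"          # project name not tracked: cannot judge
    if owner in trusted:
        return "ok"
    if any(edit_distance(owner, t) <= 2 for t in trusted):  # assumed threshold
        return "lookalike-owner"  # e.g. psf -> ps-f, a typosquat of the owner
    return "repo-confusion"       # exact project name under an unrelated owner

SAMPLE_REMOTES = [  # constructed for the example
    "https://github.com/psf/requests.git",
    "https://github.com/ps-f/requests",
    "git@github.com:pytorch/pytorch.git",
    "https://github.com/some-user/pytorch/",
]

if __name__ == "__main__":
    for url in SAMPLE_REMOTES:
        print(f"{classify(url):16} {url}")
```

Run it against the remotes in a developer's clones or a lockfile's source URLs; any "repo-confusion" or "lookalike-owner" verdict deserves a manual look before the code is used.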