Agregátor RSS

If IT leaders were in a statistical analysis class, many would be in a lot of trouble. If students were given a very low reliability element and told to pair it with another low reliability element, a good student would know that the error rate — the risk of bad data results — would get higher. Quite likely much higher.

And yet, some tech leaders seem fine with the idea of combatting generative AI’s bad data — a.k.a. hallucinations — by marrying different genAI programs. Even worse, they are now embracing the idea of using genAI to monitor/manage other genAI as a way to negate hallucinations. Math doesn’t work that way.

Consider: OpenAI recently launched a genAI program to try and identify errors made by other genAI programs. “We’ve trained a model, based on GPT-4, called CriticGPT to catch errors in ChatGPT’s code output. We found that when people get help from CriticGPT to review ChatGPT code, they outperform those without help 60% of the time,” the company wrote in a post announcing the new app.

OpenAI predicts that hallucinations are likely to become harder for humans to find. The company talks about the limits of its Reinforcement Learning from Human Feedback (RLHF) approach, in which human AI trainers evaluate ChatGPT responses. 

“As we make advances in reasoning and model behavior, ChatGPT becomes more accurate and its mistakes become more subtle. This can make it hard for AI trainers to spot inaccuracies when they do occur, making the comparison task that powers RLHF much harder,” OpenAI wrote. “This is a fundamental limitation of RLHF, and it may make it increasingly difficult to align models as they gradually become more knowledgeable than any person that could provide feedback.”

This is consistent with many other reports on genAI efforts, which suggest that, despite what experienced IT folk have come to expect from software (namely, that software gets generally better as it goes through updates), hallucinations are likely to get worse.

“Worse” in this context is a complex word. The hallucinations may not necessarily become more frequent and/or the lies genAI chatbots tell may not become more outlandish. But “worse” in that they will become more nuanced, making it more likely that humans won’t catch them. That is a legitimate problem.

That said, it’s not at all certain that throwing more genAI at this problem will help as much as it will create more problems.

OpenAI’s argument is not that the software will work on its own, but that this new genAI software will train humans to be better at spotting hallucinations created by a different genAI program. 

“CriticGPT’s suggestions are not always correct, but we find that they can help trainers to catch many more problems with model-written answers than they would without AI help,” the company wrote. “Additionally, when people use CriticGPT, the AI augments their skills, resulting in more comprehensive critiques than when people work alone, and fewer hallucinated bugs than when the model works alone.”

And therein lies the logic problem here. One of the criticisms of generative AI is that it is terrific at mimicking humans but fails to actually understand humans. I’m reminded of a column I wrote more than a decade ago, about engineers creating a product that tests for true love. (It was an actual product: a Bluetooth bra that would unhook only when it detected true love. Really. To be clear, I am not officially suggesting that engineers are as bad at understand human emotions as genAI. Not disputing it, but also not officially saying it.) 

Getting back to genAI logic, the flawed assumption that OpenAI is making is that humans will continue checking their systems for lies. Humans are lazy, and human IT employees are overworked and under-resourced. The far more likely outcome is that humans will trust the AI-watching-AI more and more. That is where the real danger exists.

Another example of this “trust AI to find errors in other AI” comes from Morgan Stanley. In a CIO.com piece looking at Morgan Stanley’s recent genAI rollout, the CEO of another financial company spoke of using multiple genAI models to check on each other. 

Morgan Stanley wants to use genAI to create transcripts and summaries of its client meetings. What Aaron Cirksena, founder and CEO of MDRN Capital, suggested was that Morgan could also run transcripts and summaries from the genAI capabilities within Zoom, Google, Microsoft, or Apple — and then use yet another genAI program to compare the results and flag any informational conflicts. “How likely is it that both AI systems will get the same thing wrong?” Cirksena asked. 

It is a legitimate question. But so is the opposite question: How likely is it that one or more of these genAI programs will introduce more hallucinations into the process? What if the checker program hallucinates that there are no conflicts when there are? 

An even worse problem is if the checker app labels things as disconnects that are actually fine. Why is that worse? This brings us back to the human nature issue. The more hassles that the checker program delivers to humans, the less inclined they will be to use it or believe it. 

Consider mobile voice recognition today. Its accuracy is strong enough (often topping 99% and certainly topping 98%) that people are inclined to dictate a message and then send it. This has caused confusion and embarrassment. 

I recently crafted a reply where I told a colleague, “Fine. You can do that.” But the iPhone’s voice recognition heard the words “fine” and “you” next to each other and decided that the most likely F-word was a very different one. It was fine on the screen, so I hit Send and then it changed it to the “other” word and did indeed send. Apple, can you please block your system from changing a word after the message is proofread?

When voice recognition accuracy percentages were in the low 90s, mistakes were so common that people carefully checked. I fear the same disaster is going to hit with AI checking AI. Wonder what disasters that will deliver?

Russia’s state communications watchdog, Roskomnadzor, has forced Apple to stop offering Virtual Private Network (VPN) apps via the App Store in Russia as that nation continues to censor internal dissent.

The regulator has already blocked access to dozens of VPNs in Russia, and Apple has now removed apps for 25 VPN services, including Proton VPN, Red Shield VPN, and Le VPN.

Millions in Russia use a VPN

Millions of people in or near conflict zones rely on VPNs to gain access to information that is not published via official channels. The number of Russians using such services spiked since the invasion of Ukraine, and adoption has not slowed. One VPN provider reports that Web traffic from nations with high degrees of censorship (including Russia) climbed an astounding 212% in 2023.

Russia doesn’t like its people avoiding censorship, which is why it forced Apple to remove the apps from its store. Some industry observers, including security consultant and Objective-See founder Patrick Wardle, have argued that if app sideloading were supported on iPhones, users might have options to download these apps elsewhere.

Apple isn’t the only big US tech firm to have acted against VPN apps in Russia. In 2022, Surfshark revealed that Google was forced to delist over 36,000 URL’s that linked to VPN services from Russia. 

A state of digital isolation

“While users on other operating systems can request mirror download links from VPN providers, it’s much trickier for iOS users who don’t want to jailbreak their devices to download the VPN apps that have been removed from the official store,” said Simon Migliano, head of research at Top10VPN.com. “It’s very disappointing to see Apple complying with the Russian authorities’ increasingly draconian crackdown on VPNs that pushes the country ever closer to digital isolation, cut off from the global internet.”

Apple is also just one component of a larger attack on VPN use in Russia. The UK Ministry of Defence (MoD) points out that the ban is “almost certainly intended to restrict the ability of Russian citizens to access independent Russian, and international media, as well as to simplify the ability of the security services to monitor Russian citizens.” 

The MoD also notes that simultaneously with the crackdown on VPN apps distributed in Russia, state authorities demanded telecom providers there end support for Voice over Internet Protocol (VoIP) telephony services

It’s a pattern of repression, control, and erosion of communication that was ongoing in Russia even before the invasion of Ukraine. “While there are a shrinking number of VPNs still available in the Russian version of the App Store, fewer and fewer high-quality services remain, which means they are less likely to work as they lack the sophisticated traffic obfuscation offered by bigger brands,” said Migliano.

Apple says nothing

Apple has made no public comment on the removal so far. If it did, I imagine it would argue that failure to comply with the request could also threaten the interests of existing iPhone users in Russia, as it is possible Apple would be forced to cease processing software updates and other forms of tech support to customers there. This would make their devices vulnerable to attack by state-sponsored hackers. 

It is also worth noting that any current or former Apple employees in Russia might have been exposed to reprisals by Russian authorities had the company refused to comply.

How to (still) access VPNs in Russia

There are some ways people in Russia (or elsewhere) can still use VPNs on iPhones without an app, principally by using an additional device as hotspot and a non-Russian VPN server. This requires changing your country in your AppleID settings, so you can access another nation’s App Store. You might also need a non-Russian payment method. 

“This should allow the installation of VPN apps that have been removed from the Russian app store. My advice would be to install several and cycle through them whenever they get blocked,” said Migliano.

“If you don’t already have a working VPN, it’s also possible to set up Tor on a non-iOS device that can act as a hotspot for connected mobile devices to access the App Store from international IP addresses. Currently, the best options for Russia are Astrill, PrivateVPN, and Windscribe, as they have the best connection success rate, despite the crackdown,” he added.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

More by Jonny Evans:

• Microsoft employees must use Apple iPhones in China
• Apple’s Phil Schiller may join OpenAI’s board
• With iOS 18, Apple deepens its connection to India
• MacStadium brings Orka Desktop for Devops

Detection is a traditional type of cybersecurity control, along with blocking, adjustment, administrative and other controls. Whereas before 2015 teams asked themselves what it was that they were supposed to detect, as MITRE ATT&CK evolved, SOCs were presented with practically unlimited space for ideas on creating detection scenarios.

With the number of scenarios becoming virtually unlimited, another question inevitably arises: “What do we detect first?” This and the fact that SOC teams forever play the long game, having to respond with limited resources to a changing threat landscape, evolving technology and increasingly sophisticated malicious actors, makes managing efforts to develop detection logic an integral part of any modern SOC’s activities.

The problem at hand is easy to put into practical terms: the bulk of the work done by any modern SOC – with the exception of certain specialized SOC types – is detecting, and responding to, information security incidents. Detection is directly associated with preparation of certain algorithms, such as signatures, hard-coded logic, statistical anomalies, machine learning and others, that help to automate the process. The preparation consists of at least two processes: managing detection scenarios and developing detection logic. These cover the life cycle, stages of development, testing methods, go-live, standardization, and so on. These processes, like any others, require certain inputs: an idea that describes the expected outcome at least in abstract terms.

This is where the first challenges arise: thanks to MITRE ATT&CK, there are too many ideas. The number of described techniques currently exceeds 200, and most are broken down into several sub-techniques – MITRE T1098 Account Manipulation, for one, contains six sub-techniques – while SOC’s resources are limited. Besides, SOC teams likely do not have access to every possible source of data for generating detection logic, and some of those they do have access to are not integrated with the SIEM system. Some sources can help with generating only very narrowly specialized detection logic, whereas others can be used to cover most of the MITRE ATT&CK matrix. Finally, certain cases require activating extra audit settings or adding selective anti-spam filtering. Besides, not all techniques are the same: some are used in most attacks, whereas others are fairly unique and will never be seen by a particular SOC team. Thus, setting priorities is both about defining a subset of techniques that can be detected with available data and about ranking the techniques within that subset to arrive at an optimized list of detection scenarios that enables detection control considering available resources and in the original spirit of MITRE ATT&CK: discovering only some of the malicious actor’s atomic actions is enough for detecting the attack.

A slight detour. Before proceeding to specific prioritization techniques, it is worth mentioning that this article looks at options based on tools built around the MITRE ATT&CK matrix. It assesses threat relevance in general, not in relation to specific organizations or business processes. Recommendations in this article can be used as a starting point for prioritizing detection scenarios. A more mature approach must include an assessment of a landscape that consists of security threats relevant to your particular organization, an allowance for your own threat model, an up-to-date risk register, and automation and manual development capabilities. All of this requires an in-depth review, as well as liaison between various processes and roles inside your SOC. We offer more detailed maturity recommendations as part of our SOC consulting services.

MITRE Data Sources

Optimized prioritization of the backlog as it applies to the current status of monitoring can be broken down into the following stages:

• Defining available data sources and how well they are connected;
• Identifying relevant MITRE ATT&CK techniques and sub-techniques;
• Finding an optimal relation between source status and technique relevance;
• Setting priorities.

A key consideration in implementing this sequence of steps is the possibility of linking information that the SOC receives from data sources to a specific technique that can be detected with that information. In 2021, MITRE completed its ATT&CK Data Sources project, its result being a methodology for describing a data object that can be used for detecting a specific technique. The key elements for describing data objects are:

• Data Source: an easily recognizable name that defines the data object (Active Directory, application log, driver, file, process and so on);
• Data Components: possible data object actions, statuses and parameters. For example, for a file data object, data components are file created, file deleted, file modified, file accessed, file metadata, and so on.

MITRE Data Sources

Virtually every technique in the MITRE ATT&CK matrix currently contains a Detection section that lists data objects and relevant data components that can be used for creating detection logic. A total of 41 data objects have been defined at the time of publishing this article.

MITRE most relevant data components

The column on the far right in the image above (Event Logs) illustrates the possibilities of expanding the methodology to cover specific events received from real data sources. Creating a mapping like this is not one of the ATT&CK Data Sources project goals. This Event Logs example is rather intended as an illustration. On the whole, each specific SOC is expected to independently define a list of events relevant to its sources, a fairly time-consuming task.

To optimize your approach to prioritization, you can start by isolating the most frequent data components that feature in most MITRE ATT&CK techniques.

The graph below presents the up-to-date top 10 data components for MITRE ATT&CK matrix version 15.1, the latest at the time of writing this.

The most relevant data components (download)

For these data components, you can define custom sources for the most results. The following will be of help:

• Expert knowledge and overall logic. Data objects and data components are typically informative enough for the engineer or analyst working with data sources to form an initial judgment on the specific sources that can be used.
• Validation directly inside the event collection system. The engineer or analyst can review available sources and match events with data objects and data components.
• Publicly available resources on the internet, such as Sensor Mappings to ATT&CK, a project by the Center for Threat-Informed Defense, or this excellent resource on Windows events: UltimateWindowsSecurity.

That said, most sources are fairly generic and typically connected when a monitoring system is implemented. In other words, the mapping can be reduced to selecting those sources which are connected in the corporate infrastructure or easy to connect.

The result is an unranked list of integrated data sources that can be used for developing detection logic, such as:

• For Command Execution: OS logs, EDR, networked device administration logs and so on;
• For Process Creation: OS logs, EDR;
• For Network Traffic Content: WAF, proxy, DNS, VPN and so on;
• For File Modification: DLP, EDR, OS logs and so on.

However, this list is not sufficient for prioritization. You also need to consider other criteria, such as:

• The quality of source integration. Two identical data sources may be integrated with the infrastructure differently, with different logging settings, one source being located only in one network segment, and so on.
• Usefulness of MITRE ATT&CK techniques. Not all techniques are equally useful in terms of optimization. Some techniques are more specialized and aimed at detecting rare attacker actions.
• Detection of the same techniques with several different data sources (simultaneously). The more options for detecting a technique have been configured, the higher the likelihood that it will be discovered.
• Data component variability. A selected data source may be useful for detecting not only those techniques associated with the top 10 data components but others as well. For example, an OS log can be used for detecting both Process Creation components and User Account Authentication components, a type not mentioned on the graph.

Prioritizing with DeTT&CT and ATT&CK Navigator

Now that we have an initial list of data sources available for creating detection logic, we can proceed to scoring and prioritization. You can automate some of this work with the help of DeTT&CT, a tool created by developers unaffiliated with MITRE to help SOCs with using MITRE ATT&CK for scoring and comparing the quality of data sources, coverage and detection scope according to MITRE ATT&CK techniques. The tool is available under the GPL-3.0 license.

DETT&CT supports an expanded list of data sources as compared to the MITRE model. This list is implemented by design and you do not need to redefine the MITRE matrix itself. The expanded model includes several data components, which are parts of MITRE’s Network Traffic component, such as Web, Email, Internal DNS, and DHCP.

You can install DETT&CT with the help of two commands: git clone and pip install -r. This gives you access to DETT&CT Editor: a web interface for describing data sources, and DETT&CT CLI for automated analysis of prepared input data that can help with prioritizing detection logic and more.

The first step in identifying relevant data sources is describing these. Go to Data Sources in DETT&CT Editor, click New file and fill out the fields:

• Domain: the version of the MITRE ATT&CK matrix to use (enterprise, mobile or ICS).
• This field is not used in analytics; it is intended for distinguishing between files with the description of sources.
• Systems: selection of platforms that any given data source belongs to. This helps to both separate platforms, such as Windows and Linux, and specify several platforms within one system. Going forward, keep in mind that a data source is assigned to a system, not a platform. In other words, if a source collects data from both Windows and Linux, you can leave one system with two platforms, but if one source collects data from Windows only, and another, from Linux only, you need to create two systems: one for Windows and one for Linux.

After filling out the general sections, you can proceed to analyzing data sources and mapping to the MITRE Data Sources. Click Add Data Source for each MITRE data object and fill out the relevant fields. Follow the link above for a detailed description of all fields and example content on the project page. We will focus on the most interesting field: Data quality. It describes the quality of data source integration as determined according to five criteria:

• Device completeness. Defines infrastructure coverage by the source, such as various versions of Windows or subnet segments, and so on.
• Data field completeness. Defines the completeness of data in events from the source. For example, information about Process Creation may be considered incomplete if we see that a process was created, but not the details of the parent process, or for Command Execution, we see the command but not the arguments, and so on.
• Defines the presence of a delay between the event happening and being added to a SIEM system or another detection system.
• Defines the extent to which the names of the data fields in an event from this source are consistent with standard naming.
• Compares the period for which data from the source is available for detection with the data retention policy defined for the source. For instance, data from a certain source is available for one month, whereas the policy or regulatory requirements define the retention period as one year.

A detailed description of the scoring system for filling out this field is available in the project description.

It is worth mentioning that at this step, you can describe more than just the top 10 data components that cover the majority of the MITRE ATT&CK techniques. Some sources can provide extra information: in addition to Process Creation, Windows Security Event Log provides data for User Account Authentication. This extension will help to analyze the matrix without limitations in the future.

After describing all the sources on the list defined earlier, you can proceed to analyze these with reference to the MITRE ATT&CK matrix.

The first and most trivial analytical report identifies the MITRE ATT&CK techniques that can be discovered with available data sources one way or another. This report is generated with the help of a configuration file with a description of data sources and DETT&CT CLI, which outputs a JSON file with MITRE ATT&CK technique coverage. You can use the following command for this:

python dettect.py ds -fd <data-source-yaml-dir>/<data-sources-file.yaml> -l

The resulting JSON is ready to be used with the MITRE ATT&CK matrix visualization tool, MITRE ATT&CK Navigator. See below for an example.

MITRE ATT&CK coverage with available data sources

This gives a literal answer to the question of what techniques the SOC can discover with the set of data sources that it has. The numbers in the bottom right-hand corner of some of the cells reflect sub-technique coverage by the data sources, and the colors, how many different sources can be used to detect the technique. The darker the color, the greater the number of sources.

DETT&CT CLI can also generate an XLSX file that you can conveniently use as the integration of existing sources evolves, a parallel task that is part of the data source management process. You can use the following command to generate the file:

python dettect.py ds -fd <data-source-yaml-dir>/<data-sources-file.yaml> -e

The next analytical report we are interested in assesses the SOC’s capabilities in terms of detecting MITRE ATT&CK techniques and sub-techniques while considering the scoring of integrated source quality as done previously. You can generate the report by running the following command:

python dettect.py ds -fd <data-source-yaml-dir>/<data-sources-file.yaml> --yaml

This generates a DETT&CT configuration file that both contains matrix coverage information and considers the quality of the data sources, providing a deeper insight into the level of visibility for each technique. The report can help to identify the techniques for which the SOC in its current shape can achieve the best results in terms of completeness of detection and coverage of the infrastructure.

This information too can be visualized with MITRE ATT&CK Navigator. You can use the following DETT&CT CLI command for this:

python dettect.py v -ft output/<techniques-administration-file.yaml> -l

See below for an example.

MITRE ATT&CK coverage with available sources considering their quality

For each technique, the score is calculated as an average of all relevant data source scores. For each data source, it is calculated from specific parameters. The following parameters have increased weight:

• Device completeness;
• Data field completeness;
• Retention.

To set up the scoring model, you need to modify the project source code.

It is worth mentioning that the scoring system presented by the developers of DETT&CT tends to be fairly subjective in some cases, for example:

• You may have one data source out of the three mentioned in connection with the specific technique. However, in some cases, one data source may not be enough even to detect the technique on a minimal level.
• In other cases, the reverse may be true, with one data source giving exhaustive information for complete detection of the technique.
• Detection may be based on a data source that is not currently mentioned in the MITRE ATT&CK Data Sources or Detections for that particular technique.

In these cases, the DETT&CT configuration file techniques-administration-file.yaml can be adjusted manually.

Now that the available data sources and the quality of their integration have been associated with the MITRE ATT&CK matrix, the last step is ranking the available techniques. You can use the Procedure Examples section in the matrix, which defines the groups that use a specific technique or sub-technique in their attacks. You can use the following DETT&CT command to run the operation for the entire MITRE ATT&CK matrix:

python dettect.py g

In the interests of prioritization, we can merge the two datasets (technique feasibility considering available data sources and their quality, and the most frequently used MITRE ATT&CK techniques):

python dettect.py g -p PLATFORM -o output/<techniques-administration- file.yaml> -t visibility

The result is a JSON file containing techniques that the SOC can work with and their description, which includes the following:

• Detection ability scoring;
• Known attack frequency scoring.

See the image below for an example.

Technique frequency and detection ability

As you can see in the image, some of the techniques are colored shades of red, which means they have been used in attacks (according to MITRE), but the SOC has no ability to detect them. Other techniques are colored shades of blue, which means the SOC can detect them, but MITRE has no data on these techniques having been used in any attacks. Finally, the techniques colored shades of orange are those which groups known to MITRE have used and the SOC has the ability to detect.

It is worth mentioning that groups, attacks and software used in attacks, which are linked to a specific technique, represent retrospective data collected throughout the period that the matrix has existed. In some cases, this may result in increased priority for techniques that were relevant for attacks, say, from 2015 through 2020, which is not really relevant for 2024.

However, isolating a subset of techniques ever used in attacks produces more meaningful results than simple enumeration. You can further rank the resulting subset in the following ways:

• By using the MITRE ATT&CK matrix in the form of an Excel table. Each object (Software, Campaigns, Groups) contains the property Created (date when the object was created) that you can rely on when isolating the most relevant objects and then use the resulting list of relevant objects to generate an overlap as described above:
  python dettect.py g -g sample-data/groups.yaml -p PLATFORM -o output/<techniques-administration-file.yaml> -t visibility
• By using the TOP ATT&CK TECHNIQUES project created by MITRE Engenuity.

TOP ATT&CK TECHNIQUES was aimed at developing a tool for ranking MITRE ATT&CK techniques and accepts similar inputs to DETT&CT. The tool produces a definition of 10 most relevant MITRE ATT&CK techniques for detecting with available monitoring capabilities in various areas of the corporate infrastructure: network communications, processes, the file system, cloud-based solutions and hardware. The project also considers the following criteria:

• Choke Points, or specialized techniques where other techniques converge or diverge. Examples of these include T1047 WMI, as it helps to implement a number of other WMI techniques, or T1059 Command and Scripting Interpreter, as many other techniques rely on a command-line interface or other shells, such as PowerShell, Bash and others. Detecting this technique will likely lead to discovering a broad spectrum of attacks.
• Prevalence: technique frequency over time.

MITRE ATT&CK technique ranking methodology in TOP ATT&CK TECHNIQUES

Note, however, that the project is based on MITRE ATT&CK v.10 and is not supported.

Finalizing priorities

By completing the steps above, the SOC team obtains a subset of MITRE ATT&CK techniques that feature to this or that extent in known attacks and can be detected with available data sources, with an allowance for the way these are configured in the infrastructure. Unfortunately, DETT&CT does not offer any way of creating a convenient XLSX file with an overlap between techniques used in attacks and those that the SOC can detect. However, we have a JSON file that can be used to generate the overlap with the help of MITRE ATT&CK Navigator. So, all you need to do for prioritization is to parse the JSON, say, with the help of Python. The final prioritization conditions may be as follows:

• Priority 1 (critical): Visibility_score >= 3 and Attacker_score >= 75. From an applied perspective, this isolates MITRE ATT&CK techniques that most frequently feature in attacks and that the SOC requires minimal or no preparation to detect.
• Priority 2 (high): (Visibility_score < 3 and Visibility_score >= 1) and Attacker_score >= 75. These are MITRE ATT&CK techniques that most frequently feature in attacks and that the SOC is capable of detecting. However, some work on logging may be required, or monitoring coverage may not be good enough.
• Priority 3 (medium): Visibility_score >= 3 and Attacker_score < 75. These are MITRE ATT&CK techniques with medium to low frequency that the SOC requires minimal or no preparation to detect.
• Priority 4 (low): (Visibility_score < 3 and Visibility_score >= 1) and Attacker_score < 75. These are all other MITRE ATT&CK techniques that feature in attacks and the SOC has the capability to detect.

As a result, the SOC obtains a list of MITRE ATT&CK techniques ranked into four groups and mapped to its capabilities and global statistics on malicious actors’ actions in attacks. The list is optimized in terms of the cost to write detection logic and can be used as a prioritized development backlog.

Prioritization extension and parallel tasks

In conclusion, we would like to highlight the key assumptions and recommendations for using the suggested prioritization method.

• As mentioned above, it is not fully appropriate to use the MITRE ATT&CK statistics on the frequency of techniques in attacks. For more mature prioritization, the SOC team must rely on relevant threat data. This requires defining a threat landscape based on analysis of threat data, mapping applicable threats to specific devices and systems, and isolating the most relevant techniques that may be used against a specific system in the specific corporate environment. An approach like this calls for in-depth analysis of all SOC activities and links between processes. Thus, when generating a scenario library for a customer as part of our consulting services, we leverage Kaspersky Threat Intelligence data on threats relevant to the organization, Managed Detection and Response statistics on detected incidents, and information about techniques that we obtained while investigating real-life incidents and analyzing digital evidence as part of Incident Response service.
• The suggested method relies on SOC capabilities and essential MITRE ATT&CK analytics. That said, the method is optimized for effort reduction and helps to start developing relevant detection logic immediately. This makes it suitable for small-scale SOCs that consist of a SIEM administrator or analyst. In addition to this, the SOC builds what is essentially a detection functionality roadmap, which can be used for demonstrating the process, defining KPIs and justifying a need for expanding the team.

Lastly, we introduce several points regarding the possibilities for improving the approach described herein and parallel tasks that can be done with tools described in this article.

You can use the following to further improve the prioritization process.

• Grouping by detection. On a basic level, there are two groups: network detection or detection on a device. Considering the characteristics of the infrastructure and data sources in creating detection logic for different groups helps to avoid a bias and ensure a more complete coverage of the infrastructure.
• Grouping by attack stage. Detection at the stage of Initial Access requires more effort, but it leaves more time to respond than detection at the Exfiltration stage.
• Criticality coefficient. Certain techniques, such as all those associated with vulnerability exploitation or suspicious PowerShell commands, cannot be fully covered. If this is the case, the criticality level can be used as an additional criterion.
• Granular approach when describing source quality. As mentioned earlier, DETT&CT helps with creating quality descriptions of available data sources, but it lacks exception functionality. Sometimes, a source is not required for the entire infrastructure, or there is more than one data source providing information for similar systems. In that case, a more granular approach that relies on specific systems, subnets or devices can help to make the assessment more relevant. However, an approach like that calls for liaison with internal teams responsible for configuration changes and device inventory, who will have to at least provide information about the business criticality of assets.

Besides improving the prioritization method, the tools suggested can be used for completing a number of parallel tasks that help the SOC to evolve.

• Expanding the list of sources. As shown above, the coverage of the MITRE ATT&CK matrix requires diverse data sources. By mapping existing sources to techniques, you can identify missing logs and create a roadmap for connecting or introducing these sources.
• Improving the quality of sources. Scoring the quality of data sources can help create a roadmap for improving existing sources, for example in terms of infrastructure coverage, normalization or data retention.
• Detection tracking. DETT&CT offers, among other things, a detection logic scoring feature, which you can use to build a detection scenario revision process.

Cybersecurity researchers have discovered a security vulnerability in the RADIUS network authentication protocol called BlastRADIUS that could be exploited by an attacker to stage Mallory-in-the-middle (MitM) attacks and bypass integrity checks under certain circumstances. "The RADIUS protocol allows certain Access-Request messages to have no integrity or authentication checks," InkBridge Newsroomhttp://www.blogger.com/profile/[email protected]

Cybersecurity researchers have discovered a security vulnerability in the RADIUS network authentication protocol called BlastRADIUS that could be exploited by an attacker to stage Mallory-in-the-middle (MitM) attacks and bypass integrity checks under certain circumstances. "The RADIUS protocol allows certain Access-Request messages to have no integrity or authentication checks," InkBridge

Facebook-parent Meta has been working on developing a new small language model (SLM) compatible with mobile devices with the aim of running on-device applications while mitigating energy consumption during model inferencing tasks, a paper published by company researchers showed.  

To set the context, large language models (LLMs) have a lot more parameters. For instance, Mistral-22B has 22 billion parameters while GPT-4 has 1.76 trillion parameters. In contrast, smaller language models have relatively fewer parameters, such as Microsoft’s Phi-3 family of SLMs, which have different versions starting from 3.8 billion parameters.  

A parameter helps an LLM decide between different answers it can provide to queries — the more the number of parameters, the more the need for a larger computing infrastructure.

However, Meta researchers believe that effective SLMs with less than a billion parameters can be developed and it would unlock the adoption of generative AI across use cases involving mobile devices, which have relatively less compute infrastructure than a server or a rack.

The researchers, according to the paper, ran experiments with models, architected differently, having 125 million and 350 million parameters, and found that smaller models prioritizing depth over width enhance model performance.

“Contrary to prevailing belief emphasizing the pivotal role of data and parameter quantity in determining model quality, our investigation underscores the significance of model architecture for sub-billion scale LLMs,” the researchers wrote.

“Leveraging deep and thin architectures, coupled with embedding sharing and grouped-query attention mechanisms, we establish a strong baseline network denoted as MobileLLM, which attains a remarkable 2.7%/4.3% accuracy boost over preceding 125M/350M state-of-the-art models,” they added.

The 125 and 350 million models, dubbed MobileLLM, according to the researchers, were as effective as large language models, such as Llama 2, in handling chat and several API calling tasks, highlighting the capability of small models for common on-device use cases. While MobileLLM is not available across any of Meta’s products for public use, the researchers have made the code and data for the experiment available along with the paper.

More Meta news:

• Meta’s privacy policy lets it use your posts to train its AI
• Meta signals the end of the road for Workplace
• Meta opens its mixed-reality Horizon OS to other headset makers

Cybersecurity has always been dynamic, and threats are evolving rapidly. One of the latest entrants into this dangerous arena is Eldorado, a ransomware-as-a-service (RaaS) that targets Windows and Linux systems. As revealed by Group-IB's recent discovery , this new ransomware has been making waves since it was first discovered in March 2024.

Cybersecurity researchers have found that it's possible for attackers to weaponize improperly configured Jenkins Script Console instances to further criminal activities such as cryptocurrency mining. "Misconfigurations such as improperly set up authentication mechanisms expose the '/script' endpoint to attackers," Trend Micro's Shubham Singh and Sunil Bharti said in a technical write-up

Cybersecurity researchers have found that it's possible for attackers to weaponize improperly configured Jenkins Script Console instances to further criminal activities such as cryptocurrency mining. "Misconfigurations such as improperly set up authentication mechanisms expose the '/script' endpoint to attackers," Trend Micro's Shubham Singh and Sunil Bharti said in a technical write-up Newsroomhttp://www.blogger.com/profile/[email protected]

GFiber, sesterská společnost Googlu, v americkém Kansas City otestovala pasivní optické připojení 50G-PON, které nabídne rychlost až 50 Gb/s. Teoretickou hranici však firma v ukázce nedosáhla, naměřila „jen“ 41,89 Gb/s na straně downlinku a 19,6 Gb/s na straně uplinku. Vybavení dodala finská Nokia, ...

Discover how cybercriminals behave in Dark Web forums- what services they buy and sell, what motivates them, and even how they scam each other. Clear Web vs. Deep Web vs. Dark Web Threat intelligence professionals divide the internet into three main components: Clear Web - Web assets that can be viewed through public search engines, including media, blogs, and other pages and sites. Deep Web -

Discover how cybercriminals behave in Dark Web forums- what services they buy and sell, what motivates them, and even how they scam each other. Clear Web vs. Deep Web vs. Dark Web Threat intelligence professionals divide the internet into three main components: Clear Web - Web assets that can be viewed through public search engines, including media, blogs, and other pages and sites. Deep Web - The Hacker Newshttp://www.blogger.com/profile/[email protected]

Fairly 'low budget', unsophisticated malware, say researchers, but it can collect the same data as Pegasus

Interview  When it comes to surveillance malware, sophisticated spyware with complex capabilities tends to hog the limelight – for example NSO Group's Pegasus, which is sold to established governments. But it's actually less polished kit that you've never heard of, like GuardZoo – developed and used by Houthi rebels in Yemen – that dominates the space.…

Tyto filmy a seriály jsou teď na českém Max (dříve HBO Max) nejoblíbenější. Nerozlišujeme žánr, stáří ani hodnocení na filmových webech. Jde o souhrnnou oblíbenost za poslední týdny, kterou zjišťuje a počítá web FlixPatrol.

Military personnel from Middle East countries are the target of an ongoing surveillanceware operation that delivers an Android data-gathering tool called GuardZoo. The campaign, believed to have commenced as early as October 2019, has been attributed to a Houthi-aligned threat actor based on the application lures, command-and-control (C2) server logs, targeting footprint, and the attack

Military personnel from Middle East countries are the target of an ongoing surveillanceware operation that delivers an Android data-gathering tool called GuardZoo. The campaign, believed to have commenced as early as October 2019, has been attributed to a Houthi-aligned threat actor based on the application lures, command-and-control (C2) server logs, targeting footprint, and the attack Newsroomhttp://www.blogger.com/profile/[email protected]

The AI hype keeps on coming. 

The latest news is the arrival of an entirely new line of Windows computers, Copilot+ PCs, which are specifically designed with artificial intelligence (AI) in mind. Microsoft claims they’ll dramatically speed up AI, offer new features unavailable to other PCs, and deliver improved battery life. The new machines point the way to the future of Windows and of AI, if the company is to be believed.

Laptops from Acer, ASUS, Dell, HP, Lenovo, Samsung, and Microsoft were released several weeks ago, long enough to find out how they perform in real life. So how do they stack up? Are they everything Microsoft claimed they would be, or just one more overhyped new technology?

To find out, let’s start by looking at Microsoft’s promises about what the Copilot+ PCs will do. In a blog post announcing them, the company crows:

“Copilot+ PCs are the fastest, most intelligent Windows PCs ever built. With powerful new silicon capable of an incredible 40+ TOPS (trillion operations per second), all–day battery life and access to the most advanced AI models, Copilot+ PCs will enable you to do things you can’t on any other PC. Easily find and remember what you have seen in your PC with Recall, generate and refine AI images in near real-time directly on the device using Cocreator, and bridge language barriers with Live Captions, translating audio from 40+ languages into English. “

The laptops are based on Qualcomm Arm-based processors, which include a neural processing unit (NPU) to handle AI-related tasks. Normally, AI processing occurs in the cloud rather than on a local PC, potentially slowing things down AI. On Copilot+ PCs, Microsoft claims, much of that processing will stay local on the machine.

Recalling Recall

Microsoft went into hype overdrive when touting the new machines’ Recall feature. There’s good reason for that. Anyone who has spent too much time trying to remember and open a specific email, website or file they worked on months ago would want it — and that pretty much means all of us. It’s clearly the killer app that could sell countless Copilot+ PCs.

But Recall has an Achilles heel. As I wrote earlier, it could be the ultimate security and privacy nightmare. It works by constantly taking screenshots of everything you do, storing them on your PC, creating a searchable database of them, and then using AI tools on them so you can find what you want quickly.

Initially, Microsoft claimed that because all that work is done locally rather than in the cloud, it wouldn’t lead to privacy or security issues. But many security researchers and analysts disagree. 

Jeff Pollard, vice president and principal analyst at Forrester, told Computerworld “I think a built-in keylogger and screen-shotter that perfectly captures everything you do on the machine within a certain time frame is a tremendous privacy nightmare for users.”

If a hacker gains access to your PC, researchers found, he or she can read the database, which isn’t even encrypted. At first, Microsoft tried to convince everyone that the privacy issues were much ado about nothing. But then it backed off. The company announced in a blog post that the feature won’t be available on Copilot+ PCs when they launch. Microsoft says it will make Recall available some day — though it won’t say when.

That means the biggest reason for buying a Copilot+ at the moment remains elusive. 

Other Copilot+ PC woes

These machines have other issues, too. One of the most head-scratching ones is that the Copilot app on Copilot+ PCs appears to be less powerful than the app on traditional PCs. On Copilot+ PCs, Copilot runs as a traditional Windows app rather than as a sidebar pane, as it now normally does on traditional PCs. So, you can resize it, move it around the screen, and do anything with it that you can do with any window.

That’s not the problem. The problem is that Microsoft also took away some Copilot features. When run as a sidebar pane, Copilot can perform some basic Windows tasks for you, such as turning dark mode on or off. The app on Copilot+ PCs can’t do that. (By the way, Copilot as a Windows app is now also available for non-Copilot+ PCs, and it has the same problem as the Windows app on Copilot+ PCs.)

Another oddity: Although the new Copilot+ PCs have a dedicated Copilot key, the PCs won’t allow you to launch Copilot with the keyboard shortcut Windows key-C as you can on other PCs. Go figure.

And there’s more, according to Computerworld and PC World contributor Chris Hoffman. On the new machines, he says, “Copilot doesn’t run offline or use the new integrated neural processing unit (NPU) hardware to do anything at all.”

Running AI offline was one of the big promises of the new line. Perhaps someday that will happen, but as Hoffman notes, that day isn’t yet upon us.

Emulation: Thumbs up or thumbs down?

Because Copilot+ PCs run Windows on an Arm chip, they have to run Windows apps via emulation. Theoretically, that could be problematic or slow apps down. Microsoft contends that the chips are so fast that the apps run fine. 

Not everyone agrees. Many reviewers generally report no serious problems, but Android Authority warns: “emulation is hit-and-miss.”

PC World’s Mark Hachman found that most apps work fine, with one big caveat: “There’s a good chance your favorite games won’t even run” on a Copilot+ PC.

The upshot

So, should you buy one of these machines? I won’t hem and haw. The answer is no. Their two most important AI-related features — Recall and local AI processing — aren’t yet available. And running games on one, is that’s a priority, is iffy at best.

There are plenty of very good thin, powerful Windows laptops out there. If you need a new PC, buy one of those, not a Copilot+ PC. Even if you’re looking for true AI power, you’d do better to wait.

Priony jsou tak zvláštní, že někteří vědci uvažovali o jejich mimozemském původu • Prionové choroby postihují lidi i zvířata a lidé se jimi mohou od zvířat nakazit • Nový typ molekulárního nástroje označovaný jako CHARM slibuje účinnou prevenci i léčbu

Excel’s Ribbon is great for finding everything you might ever want to do in a spreadsheet, particularly things you don’t do frequently, like managing and querying data connections or automatically grabbing geographic statistics from the internet and inserting them into cells.

But if you’re looking to do things fast, you’ll find keyboard shortcuts far more useful. Why bother to lift your hands from the keyboard if you want to open or close a file, apply formatting to cells, navigate through workbooks, undo and redo actions, calculate all worksheets in all open workbooks, and more? With keyboard shortcuts you won’t have to.

There are keyboard shortcuts to accomplish a vast array of tasks in the Excel desktop client, in both the Windows and Mac versions. (Fewer shortcuts are available for the Mac, but you can create your own custom keyboard shortcuts if you like.)

We’ve listed the shortcuts we’ve found the most useful below. Most work whether you’re using a subscription (Microsoft 365/Office 365) or non-subscription version of Excel. For even more shortcuts, see Microsoft’s Office site.

Useful Excel keyboard shortcuts

Note: On Macs, the ⌘ key is the same as the Command or Cmd key. Also note that with many Mac keyboards, you must press the Fn key in addition to a function key.

General shortcuts ActionWindows key combinationMac key combinationCreate a new workbookCtrl-N⌘-NOpen a workbookCtrl-O⌘-OSave a workbookCtrl-S⌘-SClose a workbookCtrl-W⌘-WPrint a workbookCtrl-P⌘-PInsert a new worksheet (tab)Alt-Shift-F1Shift-Fn-F11Display the Find dialog boxCtrl-FControl-FDisplay the Go To dialog boxF5Fn-F5Undo the last actionCtrl-Z⌘-Z or Control-ZRedo the last actionCtrl-Y⌘-Y or Control-YInsert or edit a cell commentShift-F2⌘-Shift-Fn-F2Select all cells that contain commentsCtrl-Shift-O Spell-check the active worksheet or selected rangeF7Fn-F7 Worksheet navigation ActionWindows key combinationMac key combinationMove one screen up / downPgUp / PgDnPage Up / Page Down or
Fn-up arrow / Fn-down arrowMove one screen to the left / rightAlt-PgUp / Alt-PgDnOption-Page Up /
Option-Page Down or
Fn-Option-up arrow /
Fn-Option-down arrowMove one worksheet tab to the left / rightCtrl-PgUp / Ctrl-PgDnControl-Page Down /
Control-Page Up or
Option-right arrow
/ Option-Left arrowMove one cell up / downup arrow / down arrowup arrow / down arrowMove to the next cell to the rightTabright arrowMove to the cell to the leftShift-Tableft arrowMove to the beginning of a rowHomeHome or Fn-left arrowMove to the beginning of a worksheetCtrl-HomeControl-Home or
Control-Fn-Left arrowMove to the last cell that has content in itCtrl-EndControl-End or
Control-Fn-right arrowMove to the word to the left while in a cellCtrl-left arrow⌘-left arrowMove to the word to the right while in a cellCtrl-right arrow⌘-right arrowDisplay the Go To dialog boxCtrl-G or F5Ctrl-G or Fn-F5Switch between the worksheet, the Ribbon,
the task pane, and Zoom controlsF6Fn-F6If more than one worksheet is open,
switch to the next oneCtrl-F6⌘-~ Working with data ActionWindows key combinationMac key combinationSelect a rowShift-SpacebarShift-SpacebarSelect a columnCtrl-SpacebarControl-SpacebarSelect an entire worksheetCtrl-A or
Ctrl-Shift-Spacebar⌘-AExtend selection by a single cellShift-arrow keyShift-arrow keyExtend selection down / up one screenShift-PgDn / Shift-PgUpShift-PgDn /
Shift-PgUp or
Shift-Fn-down arrow /
Shift-Fn-up arrowExtend selection to the beginning of a rowShift-HomeShift-Home or
Shift-Fn-left arrowExtend selection to the beginning of the
worksheetCtrl-Shift-HomeControl-Shift-Home or
Control-Shift-Fn-left arrowHide selected rowsCtrl-9⌘-9 or Control-9Unhide hidden rows in a selectionCtrl-Shift-(⌘-Shift-( or Control-Shift-(Hide selected columnsCtrl-0⌘-0 or Control-0Unhide hidden columns in a selectionCtrl-Shift-)⌘-Shift-) or Control-Shift-)Copy cell’s contents to the clipboardCtrl-C⌘-C or Control-CCopy and delete cell’s contentsCtrl-X⌘-X or Control-XPaste from the clipboard into a cellCtrl-V⌘-V or Control-VDisplay the Paste Special dialog boxCtrl-Alt-V⌘-Option-V or
Control-Option-VFinish entering data in a cell and
move to the next cell down / upEnter / Shift-EnterEnter / Shift-EnterCancel your entry in a cellEscEscUse Flash Fill to fill the current column based on adjacent columnsCtrl-EControl-EInsert the current dateCtrl-;Control-;Insert the current timeCtrl-Shift-;⌘-;Display the Create Table dialog boxCtrl-T or Ctrl-LControl-TWhen in the formula bar, move
the cursor to the end of the textCtrl-End⌘-End or
⌘-Fn-right arrowWhen in the formula bar, select all
text from the cursor to the endCtrl-Shift-End⌘-Shift-End or
⌘-Shift-Fn-right arrowDisplay Quick Analysis options
for selected cells that contain dataCtrl-Q Create, run, edit, or delete a macroAlt-F8Option-Fn-F8 Formatting cells and data ActionWindows key combinationMac key combinationDisplay the Format Cells dialog boxCtrl-1⌘-1 or Control-1Display the Style dialog box (Windows) /
Modify Cell Style dialog box (Mac)Alt-‘Option-‘Apply a border to a cell or selectionCtrl-Shift-&⌘-Option-0Remove a border from a cell or selectionCtrl-Shift-_ (underscore)⌘-Option– (hyphen)Apply the Currency format with
two decimal placesCtrl-Shift-$Control-Shift-$Apply the Number formatCtrl-Shift-~Control-Shift-~Apply the Percentage format with
no decimal placesCtrl-Shift-%Control-Shift-%Apply the Date format using day,
month, and yearCtrl-Shift-#Control-Shift-#Apply the Time format using the
12-hour clockCtrl-Shift-@Control-Shift-@Insert a hyperlinkCtrl-K⌘-K or Control-K Working with formulas and functions ActionWindows key combinationMac key combinationBegin a formula==Insert a functionShift-F3Shift-Fn-F3Insert an AutoSum functionAlt-=⌘-Shift-TAccept / insert function with AutoCompleteTabTab-down arrowCancel an entry in the cell or formula barEscEscEdit active cell, put insertion point at endF2Control-UToggle between displaying formulas
and cell valuesCtrl-`Control-`Cycle formula references among
absolute, relative, and mixedF4⌘-T or Fn-F4Copy and paste the formula
from the cell above into the
current oneCtrl-‘Control-Shift-“Calculate the current worksheetShift-F9Shift-Fn-F9Calculate all worksheets in all
workbooks that are openF9Fn-F9Expand or collapse the formula barCtrl-Shift-UControl-Shift-U Ribbon navigation

Excel for Mac does not have keyboard shortcuts for the Ribbon.

ActionWindows key combinationDisplay Ribbon shortcutsAltGo to the File tabAlt-FGo to the Home tabAlt-HGo to the Insert tabAlt-NGo to the Page Layout tabAlt-PGo to the Formulas tabAlt-MGo to the Data tabAlt-AGo to the Review tabAlt-RGo to the View tabAlt-WPut cursor in the Tell Me or Search boxAlt-QGo to the Chart Design tab when cursor is on a chartAlt-JCGo to the Format tab when cursor is on a chartAlt-JAGo to the Table Design tab when cursor is on a tableAlt-JTGo to the Picture Format tab when cursor is on an imageAlt-JPGo to the Draw tab (if available)Alt-JIGo to the Power Pivot tab (if available)Alt-B Source: Microsoft

Looking for more help with Excel for Windows? If you have an Office subscription, see “Excel for Office 365/Microsoft 365 cheat sheet.” If you have a non-subscription version of Office, see “Excel 2016 and 2019 cheat sheet.” We’ve also got cheat sheets for an array of other Microsoft products, including older versions of Office.

Related:

• Handy Word keyboard shortcuts for Windows and Mac
• Handy PowerPoint keyboard shortcuts for Windows and Mac
• Handy Outlook keyboard shortcuts for Windows and Mac