<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>attack Archives - Artificial Intelligence</title>
	<atom:link href="https://www.aiuniverse.xyz/tag/attack/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.aiuniverse.xyz/tag/attack/</link>
	<description>Exploring the universe of Intelligence</description>
	<lastBuildDate>Wed, 25 Mar 2020 07:24:09 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>
	<item>
		<title>Python backdoor attacks and how to prevent them</title>
		<link>https://www.aiuniverse.xyz/python-backdoor-attacks-and-how-to-prevent-them/</link>
					<comments>https://www.aiuniverse.xyz/python-backdoor-attacks-and-how-to-prevent-them/#respond</comments>
		
		<dc:creator><![CDATA[aiuniverse]]></dc:creator>
		<pubDate>Wed, 25 Mar 2020 07:24:02 +0000</pubDate>
				<category><![CDATA[Python]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[backdoor]]></category>
		<category><![CDATA[CrowdStrike]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Edgewise Networks]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[tips]]></category>
		<guid isPermaLink="false">http://www.aiuniverse.xyz/?p=7704</guid>

					<description><![CDATA[<p>Source: helpnetsecurity.com Python backdoor attacks are increasingly common. Iran, for example, used a MechaFlounder Python backdoor attack against Turkey last year. Scripting attacks are nearly as common <a class="read-more-link" href="https://www.aiuniverse.xyz/python-backdoor-attacks-and-how-to-prevent-them/">Read More</a></p>
<p>The post <a href="https://www.aiuniverse.xyz/python-backdoor-attacks-and-how-to-prevent-them/">Python backdoor attacks and how to prevent them</a> appeared first on <a href="https://www.aiuniverse.xyz">Artificial Intelligence</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Source: helpnetsecurity.com</p>



<p>Python backdoor attacks are increasingly common. Iran, for example, used a MechaFlounder Python backdoor attack against Turkey last year. Scripting attacks are nearly as common as malware-based attacks in the United States and, according to the most recent CrowdStrike Global Threat Report, scripting is the most common attack vector in the EMEA region.</p>



<p>Python’s growing popularity among attackers shouldn’t come as a surprise. Python is a simple but powerful programming language. With very little effort, a hacker can create a script of less than 100 lines that establishes persistence (so that even if you kill the process, it will start itself back up), establishes a backdoor, obfuscates communications both internally and with external servers, and sets up command and control links. And if an attacker doesn’t want to write the code, that’s no problem either. Python backdoor scripts are easy to find – a simple GitHub search turns up more than 200.</p>



<p>Scripting attacks are favored by cybercriminals and nation states because they are hard for endpoint detection and response (EDR) systems to detect. Python is heavily used by admins, so malicious Python traffic looks exactly like the traffic produced by day-to-day network management tools.</p>



<p>It’s also fairly easy to get these malevolent scripts onto targeted networks. Simply include a malicious script in a commonly used library, change the file name by a single character and, undoubtedly, someone will use it by mistake or include it as a dependency in some other library. That’s particularly insidious, given how enormous the list of dependencies can be in many libraries.</p>



<p>By adding a bit of social engineering, attackers can successfully compromise specific targets. If an attacker knows the StackOverflow usernames of some of the admins at their targeted organization, he or she can respond to a question with ready-to-copy Python code that looks completely benign. This works because many of us have been “trained” by software companies to copy and paste code to deploy their software. Everyone knows it isn’t safe, but admins are often pressed for time and do it anyway.</p>



<h3 class="wp-block-heading">Anatomy of a Python backdoor attack</h3>



<p>Now, let’s imagine a Python backdoor has established itself on your network. How will the attack play out?</p>



<p>First, it will probably try to establish persistence. There are many ways to do this, but one of the easiest is to establish a crontab that restarts the script, even if it’s killed. To stop the process permanently, you’ll need to kill it and the crontab in the right sequence at the right time. Then it will make a connection to an external server to establish command and control, obfuscating communications so they look normal, which is relatively easy to do since its traffic already resembles that of ordinary day-to-day operations.</p>



<p>At this point, the script can do pretty much anything an admin can do. Scripting attacks are often used as the point of the spear for multi-layered attacks, in which the script downloads malware and installs it throughout the environment.</p>



<h3 class="wp-block-heading">Fighting back against Python backdoors</h3>



<p>Scripting attacks often bypass traditional perimeter and EDR defenses. Firewalls, for example, use approved network addresses to determine whether traffic is “safe,” but they can’t verify exactly what is communicating on either end. As a result, scripts can easily piggyback on approved firewall rules. As for EDR, traffic from malicious scripts is very similar to that produced by common admin tools. There’s no clear signature for EDR defenses to detect.</p>



<p>The most efficient way to protect against scripting attacks is to adopt an identity-based zero trust approach. In a software identity-based approach, policies are not based on network addresses, but rather on a unique identity for each workload. These identities are based on dozens of immutable properties of the device, software or script, such as a SHA-256 hash of the binary, the UUID of the BIOS or a cryptographic hash of a script.</p>



<p>Any approach that’s based on network addresses cannot adequately protect the environment. Network addresses change frequently, especially in autoscaling environments such as the cloud or containers, and as mentioned earlier, attackers can piggyback on approved policies to move laterally.</p>



<p>With a software and machine identity-based approach, IT can create policies that explicitly state which devices, software and scripts are allowed to communicate with one another — all other traffic is blocked by default. As a result, malicious scripts would be automatically blocked from establishing backdoors, deploying malware or communicating with sensitive assets.</p>



<p>Scripts are rapidly becoming the primary vector for bad actors to compromise enterprise networks. By establishing and enforcing zero trust based on identity, enterprises can shut them down before they have a chance to establish themselves in the environment.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.aiuniverse.xyz/python-backdoor-attacks-and-how-to-prevent-them/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Microsoft to hackers: Please attack Azure</title>
		<link>https://www.aiuniverse.xyz/microsoft-to-hackers-please-attack-azure/</link>
					<comments>https://www.aiuniverse.xyz/microsoft-to-hackers-please-attack-azure/#respond</comments>
		
		<dc:creator><![CDATA[aiuniverse]]></dc:creator>
		<pubDate>Tue, 11 Jun 2019 10:08:47 +0000</pubDate>
				<category><![CDATA[Microsoft Azure Machine Learning]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[Azure]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Microsoft]]></category>
		<guid isPermaLink="false">http://www.aiuniverse.xyz/?p=3704</guid>

					<description><![CDATA[<p>Source:- toledoblade.com Microsoft Corp. has what may sound like a counter-intuitive request: Please try to hack into Azure more often. The company isn’t encouraging malicious attacks but it <a class="read-more-link" href="https://www.aiuniverse.xyz/microsoft-to-hackers-please-attack-azure/">Read More</a></p>
<p>The post <a href="https://www.aiuniverse.xyz/microsoft-to-hackers-please-attack-azure/">Microsoft to hackers: Please attack Azure</a> appeared first on <a href="https://www.aiuniverse.xyz">Artificial Intelligence</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Source: toledoblade.com</p>
<p>Microsoft Corp. has what may sound like a counter-intuitive request: Please try to hack into Azure more often.</p>
<p>The company isn’t encouraging malicious attacks but it does want security researchers to spend more time poking holes in its flagship cloud service so the company can learn about flaws and fix them.</p>
<p>Many so-called White Hat hackers do this for the company’s older products like Windows, Office and browsers, but there aren’t enough working on Azure, said Kymberlee Price, who oversees community programs in Microsoft’s Security Response Center. The company is planning several steps to change that, including explicitly stating it won’t take legal action against researchers and creating a game-like reward system that gives successful bug-finders perks and bragging rights.</p>
<p>Microsoft currently offers bug bounty payments for Azure, but “it’s just not getting as much activity as I would like to see,” Ms. Price added.</p>
<p>It’s an issue Microsoft needs to worry about as it bets big on cloud services for revenue growth. The shift to cloud computing is changing cybersecurity, providing new opportunities and new challenges. One of the biggest risks is that Microsoft now runs services for customers in its cloud, which means the software giant is on the hook to protect them.</p>
<p>Microsoft is planning to release what’s called a Safe Harbor statement giving researchers legal clearance to report a vulnerability. “We’ve always done that but we’ve never formally articulated it,” Ms. Price said. It’s important to publish a formal policy as researchers work more on cloud systems where they may worry they’ll accidentally knock a service offline or access customer data and get in trouble, she said.</p>
<p>In her first stint at Microsoft in the 2000s, Ms. Price was one of the security engineers pioneering the company’s effort to collaborate with security researchers, rather than viewing them as adversaries. She left in 2009 and returned a little more than two years ago.</p>
<p>Right now attackers still target networks located at a company’s own offices more frequently than the cloud, but that’s changing, said Azure Chief Technology Officer Mark Russinovich. “The level of sophistication of the attackers and the interest in [attacking] the cloud just continues to grow as the cloud continues to grow,” he added.</p>
<p>Cloud security requires new tools and techniques but it also enables companies like Microsoft to track and analyze vast amounts of data to find malicious actors and scan networks of hundreds of thousands of customers so it can see attacks materialize.</p>
<p>Mr. Russinovich spoke about protecting the cloud at an academic conference at Microsoft attended by hundreds of Microsoft workers and security engineers from Amazon Web Services, Google, Nike and others. The event grew out of a trail-running group that includes Microsoft’s Ram Shankar Siva Kumar, who oversees a team of engineers who apply machine-learning to cybersecurity, and peers at AWS and Google. The group would often share techniques and research while on the trail and the idea for a formal conference to exchange ideas was born.</p>
<p>The hope is that sharing data, tools and techniques publicly will help everyone better fend off attackers. As long as private customer information is protected, Microsoft wants to share security data, said Steve Dispensa, general manager, cloud and AI security at Microsoft.</p>
<p>“The idea that we’re smarter than the attackers is a malignant myth — they know before we do where the weak spot is,” he said. “We publish data, we all learn, a rising tide lifts all boats.”</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.aiuniverse.xyz/microsoft-to-hackers-please-attack-azure/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Meet the woman in charge of defending Microsoft from cyber attack</title>
		<link>https://www.aiuniverse.xyz/meet-the-woman-in-charge-of-defending-microsoft-from-cyber-attack/</link>
					<comments>https://www.aiuniverse.xyz/meet-the-woman-in-charge-of-defending-microsoft-from-cyber-attack/#respond</comments>
		
		<dc:creator><![CDATA[aiuniverse]]></dc:creator>
		<pubDate>Mon, 10 Jun 2019 07:19:23 +0000</pubDate>
				<category><![CDATA[Microsoft Azure Machine Learning]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[charge]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[defending]]></category>
		<category><![CDATA[Meet]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[woman]]></category>
		<guid isPermaLink="false">http://www.aiuniverse.xyz/?p=3653</guid>

					<description><![CDATA[<p>Source:- rte.ie 6.5 trillion: That&#8217;s the astonishing number of online threats that staff at Microsoft&#8217;s Cyber Defence Operations Centre see each day. And quite a portion of those <a class="read-more-link" href="https://www.aiuniverse.xyz/meet-the-woman-in-charge-of-defending-microsoft-from-cyber-attack/">Read More</a></p>
<p>The post <a href="https://www.aiuniverse.xyz/meet-the-woman-in-charge-of-defending-microsoft-from-cyber-attack/">Meet the woman in charge of defending Microsoft from cyber attack</a> appeared first on <a href="https://www.aiuniverse.xyz">Artificial Intelligence</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Source: rte.ie</p>
<p>6.5 trillion: That&#8217;s the astonishing number of online threats that staff at Microsoft&#8217;s Cyber Defence Operations Centre see each day.</p>
<p>And quite a portion of those attacks are aimed at the company itself. The highest number of attempted intrusions into Microsoft&#8217;s network of products and services ever detected in one 24-hour period was 1.5 billion.</p>
<p>Keeping these so-called &#8220;bad actors&#8221; at bay is the overall responsibility of Ann Johnson. She is the company&#8217;s Corporate Vice-President, in charge of the Cybersecurity Solutions Group.</p>
<p>&#8220;It is obviously complex, and that&#8217;s coming in at a global scale,&#8221; she told RTÉ News during a visit to Dublin this week.</p>
<p>&#8220;So we use a lot of machine learning technology, we use a lot of artificial intelligence and automation. We want to parse the threats. We want to see what is real. Separate the signal from the noise.</p>
<p>&#8220;The other thing is we want to automate the response as much as we can. Because at the end of the day, 6.5 trillion and 1.5 billion is not something any amount of humans can consume, right?</p>
<p><strong>&#8220;So the landscape is increasingly complex, the attacks are coming from around the world. But we feel like we have some pretty good system defences in place, based on the intelligence we see.&#8221;</strong></p>
<p>And &#8220;around the world&#8221; means, literally from everywhere. From cyber-criminals, from nation states, from random hackers working by themselves, in every part of the globe.</p>
<p>Their targets are diverse, from Microsoft&#8217;s business applications, through to its Azure cloud services and its Office 365 suite of apps.</p>
<p>But because Microsoft&#8217;s business is now hugely focused on cloud-based products, it means the challenge and method of defending each area is more or less the same, Ms Johnson said.</p>
<p>Cyber security and the threat posed by nation states have been very much in the mainstream news lately because of the focus on Huawei and the US government&#8217;s stated concerns that the telecoms firm&#8217;s equipment could be used by the Chinese government as a back door for spying and cyber-attacks.</p>
<p>These concerns recently led the Trump administration to ban US companies from selling products and services to the Chinese manufacturer.</p>
<p>Google has already signalled it will limit Huawei’s access to its Android mobile operating system, while Facebook has suspended pre-installing its apps on Huawei devices.</p>
<p>Microsoft, though, has said little publicly about how it intends to handle the situation, despite also being a significant supplier to Huawei.</p>
<p>&#8220;Microsoft will comply with anything that the United States government requires us to comply with obviously because we are a United States company,&#8221; Ms Johnson said.</p>
<p>And what about the alleged threats posed by China?</p>
<p>&#8220;I think that there are a wide variety of actors globally that we need to continually be vigilant about,&#8221; she said diplomatically.</p>
<p>That vigilance has to take many different forms, as the threat posed by hackers evolves by the second. But sometimes the security response doesn&#8217;t change quite so fast.</p>
<p>Take, for example, passwords, which have been the main means of authenticating identity for decades now, but which can be highly insecure.</p>
<p><strong>&#8220;We are on a mission to be passwordless and we think our customers should be on a mission to be passwordless and we think consumers should be on a mission to be passwordless.&#8221;</strong></p>
<p>&#8220;At the end of the day research still shows that &#8230; 76% of breaches start with some type of stolen credential. So the more we can get passwords out of the ecosystem the higher the cost to the attackers, they actually have to come up with new methods, and obviously the more secure our infrastructure is going to be and the more secure our customers are going to be,&#8221; said Ms Johnson.</p>
<p>Passwords will, she predicted, give way increasingly to biometrics, which are more frictionless, offer ease of use and a variety of alternative form factors, including even ear profiles.</p>
<p>And the Microsoft cyber general said we shouldn&#8217;t be concerned about the risk of biometric data being stolen and misused in the same way passwords have been, as long as it is secured using best practice techniques used to protect other forms of data from theft.</p>
<p>&#8220;There is nothing particularly unique about biometric data than any other IP data in your organisations,&#8221; said Ms Johnson, who comes from New York but now lives in Seattle.</p>
<p>&#8220;You encrypt the data, you hash the data, you secure access to the data, you make sure access to the network it is on is secure. It is not unique in any way. But you do need to treat it as high-value data.&#8221;</p>
<p>Another high risk when it comes to cyber-threats is people themselves, something Microsoft is all too well aware of.</p>
<p>Earlier this year, the company admitted its Outlook.com service had been breached by a hacker, allowing unauthorised access to some accounts, after a support agent&#8217;s credentials were compromised.</p>
<p>According to Ms Johnson, we need to become less dependent on the human firewall by instead building technologies that protect people as much as the data.</p>
<p>&#8220;They are going to click on the link, so let&#8217;s build technologies behind clicking on the link that keeps them secure,&#8221; she explained.</p>
<p>&#8220;Let&#8217;s build technologies that allow them to get rid of their passwords. Let&#8217;s make sure we educate the humans as much as possible, but also put in the controls behind them so we are not solely dependent on them.&#8221;</p>
<p>One of the most difficult dangers to solve right now though is a less obvious one to industry outsiders.</p>
<p>A talent shortage is currently gripping the cyber-security world, with 1.5 million openings at present, 2,500 of which are in Ireland.</p>
<p>By 2022, it is estimated that the global industry talent shortfall will have risen to a staggering three million people.</p>
<p>&#8220;It is something that the entire industry needs to get oriented around with regard to how we recruit and how we retain &#8230; and how we train them,&#8221; she said.</p>
<p>But how does the gap get filled, and quickly?</p>
<p>&#8220;I think there&#8217;s a few different things,&#8221; Ms Johnson outlined.</p>
<p>&#8220;To start with we need to solve the diversity problem. Cybersecurity is still 10-15% female so that is easy math &#8230; The second thing though is that educational background, we have to stop being so dug in that there must be a STEM degree or they must have a certain background.</p>
<p>&#8220;The thing about machine learning and the thing about artificial intelligence is that you want different perspectives to train those engines anyway. So there is a huge benefit.</p>
<p>&#8220;The other thing is that we need to think about non-traditional channels. We do a lot of work, for example, with the US military, transitioning military members.</p>
<p>&#8220;You kind of have to pull all those levers.&#8221;</p>
<p>Ms Johnson believes some of the gap, but not all, can be filled by evolving technology, including artificial intelligence.</p>
<p>&#8220;I&#8217;m not a big believer in a silver bullet or a single solution,&#8221; she said.</p>
<p>&#8220;I think AI can go a long way towards helping solve the problem. But it is still pretty nascent &#8230; we are still discovering what those use cases are.&#8221;</p>
<p>Public concerns about cyber-security don&#8217;t, however, seem to be putting people off using the cloud for services and data storage.</p>
<p>Here, 85% of people already interact digitally with public sector cloud-based services, such as MyGovID, Motortax.ie and MyWelfare.ie, according to a recent Microsoft survey.</p>
<p>A similar number have heard of the cloud.</p>
<p>But trust isn&#8217;t as high, with 40% concerned about the safety of their personal data held by public cloud-based services.</p>
<p>Ms Johnson says that situation is changing rapidly though.</p>
<p>&#8220;When I started in Microsoft three-and-a-half years ago, I was still getting questions, &#8216;oh, is the cloud secure?&#8217;,&#8221; she said.</p>
<p>&#8220;Just the opposite (now). I&#8217;ve customers coming to me today saying, &#8216;look, I want to go to the cloud because I believe you can keep me more secure. You have the people, you have the tools. You have the global intelligence, you have the learnings. You can actually keep my infrastructure more secure than I can keep it myself&#8217;.&#8221;</p>
<p>That&#8217;s a big responsibility for any person or corporation to carry. But Ms Johnson said it isn&#8217;t necessarily the biggest risk Microsoft has to deal with, with the global economy and physical risks also looming in the background.</p>
<p>&#8220;I never want to be an alarmist. I think we are doing an okay job,&#8221; she said.</p>
<p>&#8220;For everything you see on the news we have prevented 100 things. So I want people to know we are actually doing an okay job in the world of cyber-security today.&#8221;</p>
<p>&#8220;One thing we are seeing an increase in is the sophistication of cyber-crime gangs. So not nation states, but actually cyber-crime attacks.&#8221;</p>
<p>&#8220;They are increasing globally and they are pretty sophisticated and they are widespread. So there will always be a different kind of attack or a new actor coming in that we need to be thinking about and we need to be predictive about and build the right defences in advance,&#8221; added Ms Johnson.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.aiuniverse.xyz/meet-the-woman-in-charge-of-defending-microsoft-from-cyber-attack/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
