The Hidden Cybersecurity Risks of M&A

Source: Dark Reading

Author: Denny LeCompte

URL: https://www.darkreading.com/cyber-risk/hidden-cybersecurity-risks-mergers-acquisitions

ONE SENTENCE SUMMARY:

Ignoring cybersecurity during mergers and acquisitions exposes businesses to hidden vulnerabilities, compliance issues, and costly security breaches post-acquisition.

MAIN POINTS:

  1. Mergers involve inheriting digital footprints including endpoints, credentials, and hidden security vulnerabilities.
  2. Cybersecurity is frequently neglected in due diligence, creating substantial risk post-acquisition.
  3. IT integration chaos often leads to insufficient access control and outdated credential management.
  4. Legacy systems from acquired companies pose significant cybersecurity threats if not assessed.
  5. Employees are vulnerable to phishing scams during transitions, increasing insider threat risks.
  6. Inadequate cybersecurity training can result in sensitive data leaks and breaches post-merger.
  7. Regulatory and compliance mismatches between companies can create serious legal and financial liabilities.
  8. Comprehensive cybersecurity audits must evaluate identities, compliance histories, and past breaches.
  9. Companies should promptly standardize security policies and adopt modern, cloud-native security solutions.
  10. Proactive cybersecurity integration during mergers is essential to protect reputation, trust, and financial value.

TAKEAWAYS:

  1. Prioritize cybersecurity due diligence alongside financial and operational assessments.
  2. Enforce strict access control policies and revoke outdated credentials immediately post-acquisition.
  3. Conduct thorough audits of legacy IT systems and address incompatibilities proactively.
  4. Implement cybersecurity awareness and anti-phishing training programs early in the merger process.
  5. Align quickly with the strictest compliance standards from both companies to mitigate regulatory risks.

BadSuccessor: Unpatched Microsoft Active Directory attack enables domain takeover

Source: BadSuccessor: Unpatched Microsoft Active Directory attack enables domain takeover | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/3992456/badsuccessor-unpatched-microsoft-active-directory-attack-enables-domain-takeover.html

ONE SENTENCE SUMMARY:

Researchers discovered a critical vulnerability named “BadSuccessor” in Windows Server 2025 Active Directory allowing attackers full domain compromise without needing privileged accounts.

MAIN POINTS:

  1. Researchers identified “BadSuccessor,” a new vulnerability in Windows Server 2025 Active Directory.
  2. The flaw exploits Delegated Managed Service Accounts (dMSA), intended to mitigate Kerberoasting attacks.
  3. Attackers can impersonate any user, including domain administrators, through manipulated dMSA account attributes.
  4. Microsoft rated the issue moderately severe, not immediately urgent, despite researchers’ strong disagreement.
  5. dMSA accounts inherit permissions of superseded service accounts through migration processes lacking proper validation.
  6. Key Distribution Center (KDC) mistakenly grants privileges based solely on easily manipulated account attributes.
  7. Attackers can exploit CreateChild permissions on Organizational Units (OUs) to create malicious dMSA accounts.
  8. Unprivileged users can arbitrarily set attributes to falsely indicate completed migrations, gaining unauthorized privileges.
  9. Attackers can extract encrypted passwords included in the KERB-DMSA-KEYPACKAGE structure of session tickets.
  10. Akamai released a PowerShell script and monitoring guidelines for organizations until Microsoft provides an official patch.

TAKEAWAYS:

  1. Immediately restrict CreateChild permissions to trusted administrators.
  2. Use Akamai’s provided PowerShell script to audit current AD environments for vulnerable permissions.
  3. Implement recommended SACLs to log suspicious dMSA creations and attribute modifications.
  4. Regularly monitor for unusual TGTs containing KERB-DMSA-KEYPACKAGE structures.
  5. Advocate for urgent internal review of AD permissions despite Microsoft’s moderate severity rating.

Getting started with Conditional Access: Comparing Entra ID Conditional Access with Cisco Duo Security

Source: The Red Canary Blog: Information Security Insights

Author: Sam Straka

URL: https://redcanary.com/blog/security-operations/conditional-access-cisco-duo/

ONE SENTENCE SUMMARY:

This blog compares Microsoft’s Entra ID Conditional Access and Cisco’s Duo Adaptive Access Policies, highlighting their similarities, differences, and integration possibilities.

MAIN POINTS:

  1. Duo primarily provides MFA layered over existing identity solutions, unlike full IAM platforms like Microsoft.
  2. Duo policies can be globally applied or targeted per application/user group, similar to Entra ID.
  3. Duo enforces MFA by default, with conditional bypass options for trusted scenarios.
  4. Device compliance checks in Duo use certificates or health apps, comparable to Entra ID Intune integration.
  5. Duo’s user interface for granular device policy rules is user-friendly and intuitive.
  6. Duo offers geolocation and trusted network conditions similar to Entra ID’s named locations.
  7. Duo introduced Risk-Based Authentication (RBA) in 2023, focusing on anomalies during MFA steps.
  8. Duo doesn’t directly block legacy authentication, relying instead on primary authentication systems.
  9. Duo excels at enforcing device health and compliance checks for sensitive resource access.
  10. Duo integrates as a third-party MFA provider with Entra ID Conditional Access via custom controls.

TAKEAWAYS:

  1. Duo is ideal for organizations looking primarily for strong MFA and device health checks.
  2. Microsoft Entra ID offers deeper integration with device management and broader risk evaluation signals.
  3. Duo’s RBA effectively addresses MFA fatigue and anomalous sign-in behaviors.
  4. Combining Duo with Entra ID provides comprehensive conditional access coverage but introduces complexity.
  5. Advanced conditional access features in both solutions require higher-tier licensing plans.

AWS Default IAM Roles Found to Enable Lateral Movement and Cross-Service Exploitation

Source: The Hacker News

Author: [email protected] (The Hacker News)

URL: https://thehackernews.com/2025/05/aws-default-iam-roles-found-to-enable.html

ONE SENTENCE SUMMARY:

Researchers discovered insecure default IAM roles in AWS services enabling attackers to escalate privileges and compromise entire AWS accounts.

MAIN POINTS:

  1. Default IAM roles in AWS services grant overly broad permissions, enabling privilege escalation.
  2. Vulnerable IAM roles found in AWS services like SageMaker, Glue, EMR, and Lightsail.
  3. Similar issues identified in open-source framework Ray, using AmazonS3FullAccess policy.
  4. Attackers exploit default IAM roles to move laterally across AWS services.
  5. IAM roles with AmazonS3FullAccess provide complete read/write access to all S3 buckets.
  6. Attackers can modify AWS assets such as CloudFormation templates and SageMaker resources.
  7. Malicious machine learning models uploaded to Hugging Face can execute arbitrary code on SageMaker.
  8. AWS addressed vulnerabilities by restricting AmazonS3FullAccess policy for default roles.
  9. Researchers advise organizations to audit and tightly scope default IAM role permissions.
  10. Similar privilege escalation vulnerability found in Azure Storage mounting utility AZNFS-mount.

TAKEAWAYS:

  1. Default IAM roles must be strictly limited to required resources and actions.
  2. Organizations should proactively audit default IAM role permissions to minimize risk.
  3. Permissive IAM roles can break isolation boundaries between cloud services.
  4. Attackers leverage broad IAM permissions for lateral movement and privilege escalation.
  5. Cloud providers regularly patch vulnerabilities; organizations must promptly apply security updates.

Why Probability Theory is Hard. It’s not because you’re stupid or…

Source: Medium

Author: Graeme Keith

URL: https://www.cantorsparadise.com/why-probability-theory-is-hard-af838f053882

ONE SENTENCE SUMMARY:

Probability theory is fundamentally challenging due to its non-intuitive nature, conceptual confusion, and reliance on deliberate, slow cognitive processing.

MAIN POINTS:

  1. Probability theory lacks intuitive understanding, unlike mechanical systems we naturally learn through repetition.
  2. Humans struggle to develop reliable intuition for uncertain systems due to inconsistent outcomes.
  3. Kahnemann’s “Thinking Fast and Slow” emphasizes probability’s reliance on slow, deliberate System II thinking.
  4. Even experienced mathematicians rarely develop instinctive probabilistic intuitions, despite extensive practice.
  5. Probability theorists disagree fundamentally on definitions, causing confusion for learners.
  6. Practical probability problems often involve unclear outcome spaces, complicating conceptual clarity.
  7. Probability education frequently resorts to rote memorization due to conceptual complexity.
  8. Notation in probability theory is often confusing, complicating student comprehension.
  9. Despite complexity, basic probability knowledge significantly improves decision-making under uncertainty.
  10. Minimal probabilistic understanding is vastly superior to purely intuitive or guess-based approaches.

TAKEAWAYS:

  1. Accept that probability is inherently difficult, not due to personal inadequacy.
  2. Focus on developing methodical, slow-thinking approaches to probability problems.
  3. Be patient and kind with yourself when struggling with probabilistic concepts.
  4. Prioritize basic probabilistic literacy to substantially enhance practical decision-making.
  5. Understand that conceptual disagreements within probability theory contribute to its learning difficulty.

New ‘Defendnot’ tool tricks Windows into disabling Microsoft Defender

Source: BleepingComputer

Author: Lawrence Abrams

URL: https://www.bleepingcomputer.com/news/microsoft/new-defendnot-tool-tricks-windows-into-disabling-microsoft-defender/

ONE SENTENCE SUMMARY:

The Defendnot tool exploits an undocumented Windows API to disable Microsoft Defender by registering a fake antivirus product.

MAIN POINTS:

  1. Defendnot disables Microsoft Defender by registering a fake antivirus using Windows Security Center API.
  2. Windows disables Defender automatically when another antivirus registers to prevent security conflicts.
  3. Researcher es3n1n developed Defendnot based on an earlier project called no-defender.
  4. The earlier no-defender tool was removed from GitHub due to a DMCA copyright claim.
  5. Defendnot avoids legal issues by using a self-built dummy antivirus DLL rather than third-party code.
  6. Protected Process Light (PPL) and digital signatures normally safeguard the WSC API.
  7. Defendnot bypasses security by injecting its DLL into the trusted Microsoft-signed Taskmgr.exe process.
  8. The tool supports configuration via ctx.bin file, custom antivirus names, and verbose logging.
  9. Defendnot achieves persistence by creating an autorun entry in Windows Task Scheduler.
  10. Microsoft Defender identifies and quarantines Defendnot as ‘Win32/Sabsik.FL.!ml’.

TAKEAWAYS:

  1. Windows Security Center API can be manipulated to disable built-in security defenses.
  2. Trusted processes like Task Manager can be exploited to bypass Windows security protections.
  3. Persistence mechanisms via Task Scheduler highlight the importance of monitoring scheduled tasks.
  4. Microsoft Defender actively detects and blocks Defendnot, signaling ongoing defender capabilities.
  5. Security teams should be aware of undocumented APIs and regularly audit registered antivirus products.

73% of CISOs admit security incidents due to unknown or unmanaged assets

Source: 73% of CISOs admit security incidents due to unknown or unmanaged assets | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/3980431/more-assets-more-attack-surface-more-risk.html

Key Takeaways:

  1. Lack of Asset Visibility and Accurate Management
    Almost three-quarters (73%) of cybersecurity leaders experienced incidents directly linked to unidentified or improperly managed IT assets. Without full visibility into their digital environments, organizations struggle to fully grasp the extent and nature of their potential vulnerabilities, significantly weakening their cybersecurity.

  2. Recognition of Impact on Business Risk
    Approximately 9 out of 10 executives recognize the critical importance of effectively managing the digital attack surface as it directly affects business risk. Security issues stemming from mismanaged or unknown IT assets can have serious consequences, including interruptions in business continuity (42%), harm to customer trust and brand reputation (39%), diminished competitiveness (39%), weakened supplier relationships (39%), and negative impacts on employee productivity and financial performance (38% each).

  3. Inadequate adoption of Proactive Risk Management
    Despite clear recognition of the threat and the potential negative impacts on business operations, only 43% of companies actively use specialized tools for proactive attack surface management. A large majority (58%) stated they lack continuous monitoring processes—even though such proactive security management tools and monitoring are essential for promptly mitigating and containing cybersecurity risks.

  4. Urgent Call to Action
    The survey highlights an increasing urgency for improving cybersecurity posture. Many enterprises remain behind the curve, reluctant or slow in adopting robust security strategies, tools, and ongoing monitoring processes needed to contain their rapidly expanding cyber risks. Cyber risk management must be prioritized at the highest levels to safeguard enterprises effectively.

In conclusion, the Trend Micro survey points to a common cybersecurity challenge: while businesses are aware of the problem and its serious consequences, actual implementation to proactively manage and reduce the attack surface remains limited and inadequate. Chief security officers and business leaders must urgently prioritize comprehensive visibility, proper asset inventory management, continuous risk monitoring, and proactive management to minimize cybersecurity incidents and shield their organization from severe business disruptions.

Utilizing ASNs for Hunting & Response

Source: Huntress Blog

Author: unknown

URL: https://www.huntress.com/blog/utilizing-asns-for-hunting-and-response

ONE SENTENCE SUMMARY:

ASN enrichment of IP addresses significantly enhances threat detection and incident response effectiveness beyond basic geolocation data alone.

MAIN POINTS:

  1. IP addresses are important but limited without enrichment for investigative analysis.
  2. Autonomous Systems Numbers (ASNs) identify networks with unified routing policies.
  3. ASN enrichment provides context beyond basic geographic IP address data.
  4. Knowing an IP’s ASN can distinguish residential ISPs from suspicious hosting providers.
  5. ASN data helped identify compromised accounts during remote desktop intrusions.
  6. ASN telemetry highlighted malicious authentications in a RADIUS password spray incident.
  7. Geolocation alone failed to detect compromise, underscoring ASN enrichment’s value.
  8. VPN compromise cases frequently rely on ASN data to confirm malicious behavior.
  9. Authentication anomalies identified via ASN enrichment can guide security responses.
  10. ASN enrichment supports accurate narrative building and risk-based security recommendations.

TAKEAWAYS:

  1. Always enrich IP addresses with ASN data during investigations.
  2. Do not rely solely on IP geolocation; ASN adds critical context.
  3. Analyze authentication patterns alongside ASN data to detect anomalies.
  4. Recognize that certain ASNs frequently correlate with malicious activities.
  5. Integrate ASN telemetry systematically into threat hunting workflows.

How to capture forensic evidence for Microsoft 365

Source: CISA warns of cyberattacks targeting the US oil and gas infrastructure | CSO Online Author: unknown URL: https://www.csoonline.com/article/3979073/how-to-capture-forensic-evidence-for-microsoft-365.html

ONE SENTENCE SUMMARY:

Enterprise endpoint protection is insufficient without robust cloud security measures, including forensic logging, OAuth protection, and resource allocation.

MAIN POINTS:

  1. Endpoint protections alone no longer fully secure enterprise environments.
  2. Attackers now exploit cloud services and OAuth workflows to gain unauthorized access.
  3. Phishing attacks via applications like Signal and WhatsApp target cloud authentication.
  4. OAuth tokens provide attackers extensive access to Microsoft 365, AWS, or Google Workspace.
  5. Cloud resources often lack sufficient monitoring, logging, and forensic capabilities.
  6. Forensic logging in Microsoft 365 requires specific E5 licenses and configurations.
  7. Microsoft Purview Insider Risk Management enables capturing forensic evidence from cloud resources.
  8. Configuring forensic evidence capturing requires specific roles and administrative steps.
  9. Forensic evidence policy settings should include activity types, bandwidth, and offline capturing limits.
  10. Cloud forensic investigations may involve vendor dependencies and additional storage budget requirements.

TAKEAWAYS:

  1. Strengthen cloud security as attackers shift away from traditional endpoint attacks.
  2. Prioritize OAuth security to protect sensitive cloud-based resources.
  3. Ensure appropriate Microsoft licensing and roles are in place for forensic logging.
  4. Clearly define forensic evidence policies, including bandwidth and storage considerations.
  5. Plan for cloud forensic investigations, accounting for vendor cooperation and potential delays.

Proactive threat hunting with Talos IR

Source: Cisco Talos Blog Author: Mike Trewartha URL: https://blog.talosintelligence.com/proactive-threat-hunting-with-talos-ir/

ONE SENTENCE SUMMARY:

Cisco Talos IR proactively enhances cybersecurity through structured threat hunting using baseline analysis, hypothesis-driven investigations, and machine learning.

MAIN POINTS:

  1. Cisco Talos IR emphasizes proactive threat hunting to prevent cybersecurity incidents.
  2. The PEAK Framework (Prepare, Execute, Act with Knowledge) guides precise threat hunting methodologies.
  3. Baseline hunts document normal system behaviors to detect anomalous activities signaling threats.
  4. Hypothesis-driven hunts test specific assumptions based on emerging threat intelligence.
  5. Model-assisted threat hunts (M-ATH) utilize machine learning to uncover hidden threats.
  6. Talos Threat Intelligence enriches threat hunting, refining hypotheses and enhancing detection accuracy.
  7. Talos IR Retainer customers receive ongoing proactive threat hunting engagements.
  8. Early detection through proactive hunts reduces the risk of threats escalating.
  9. Continuous improvement of hunting models strengthens organizational security posture over time.
  10. Real-time collaboration with Incident Response ensures rapid containment and mitigation.

TAKEAWAYS:

  1. Proactive threat hunting complements traditional cybersecurity defenses.
  2. Establishing baselines is crucial to spotting subtle malicious activities.
  3. Regular hypothesis testing helps anticipate attacker behaviors and tactics.
  4. Leveraging machine learning significantly boosts threat detection capabilities.
  5. Integration of threat intelligence data ensures hunts remain relevant and effective.

sectemplates/incident-response/v1 at main · securitytemplates/sectemplates

Source: GitHub Author: unknown URL: https://github.com/securitytemplates/sectemplates/tree/main/incident-response/v1

ONE SENTENCE SUMMARY:

The Incident Response Program Pack 1.5 provides comprehensive resources, templates, and guidelines to build an effective security incident response program.

MAIN POINTS:

  1. Defines essential incident response terminology, roles, stakeholders, and severity rankings clearly.
  2. Offers a detailed checklist for researching, piloting, testing, and launching the response program.
  3. Provides a simplified incident response workflow aligning with the provided runbook.
  4. Includes a structured incident response runbook to ensure consistent handling of incidents.
  5. Presents a working document template designed for comprehensive incident detail capturing.
  6. Recommends a structured, blameless postmortem to evaluate incidents and improve future responses.
  7. Supplies filled-out examples of working documents and postmortem templates for practical reference.
  8. Highlights key metrics useful for effectively measuring the incident response program’s performance.
  9. Clarifies advantages of using Sectemplates’ battle-tested materials over general AI-generated content.
  10. Suggests NIST 800-61 as a resource for organizations needing a more extensive response framework.

TAKEAWAYS:

  1. Clearly defining roles and severity levels ensures effective communication during incidents.
  2. Using checklists and structured workflows promotes consistency and reliability.
  3. Conducting blameless postmortems encourages honest reflection and continuous improvement.
  4. Utilizing real-world tested templates reduces confusion and enhances operational effectiveness.
  5. Measuring program effectiveness through defined metrics supports continuous improvement efforts.

Kali Linux warns of update failures after losing repo signing key

Source: BleepingComputer Author: Sergiu Gatlan URL: https://www.bleepingcomputer.com/news/linux/kali-linux-warns-of-update-failures-after-losing-repo-signing-key/

ONE SENTENCE SUMMARY:

Offensive Security advises Kali Linux users to manually install a new repository signing key after losing the previous key.

MAIN POINTS:

  1. Offensive Security lost the Kali Linux repository signing key, requiring a replacement key.
  2. Users with the old key experience update failures due to key verification errors.
  3. The repository was temporarily frozen on February 18th to minimize user impact.
  4. OffSec issued a new signing key (ED65462EC8D5E4C5) signed by Kali developers.
  5. Users must manually download and install the new key to resolve the issue.
  6. The recommended command to fetch the new key is provided clearly by OffSec.
  7. Checksums and instructions for verifying the new keyring are available from OffSec.
  8. Users uncomfortable updating keys manually can reinstall Kali using updated images.
  9. This incident mirrors a similar 2018 event when Kali’s GPG key expired.
  10. Regular updating of Kali Linux keyrings is essential to prevent update mismatches.

TAKEAWAYS:

  1. Regularly update Kali Linux systems to avoid key mismatches and repository issues.
  2. Follow official instructions carefully when manually updating repository signing keys.
  3. Verify new repository keys using provided checksums to ensure authenticity.
  4. Consider reinstalling Kali Linux from updated images if unsure about manual key updates.
  5. Maintain awareness of Kali Linux communications to promptly handle security-related updates.

What’s worth automating in cyber hygiene, and what’s not

Source: Help Net Security Author: Mirko Zorz URL: https://www.helpnetsecurity.com/2025/04/29/automating-cyber-hygiene/

ONE SENTENCE SUMMARY:

Automation in cyber hygiene enhances visibility, streamlines patching and credential management, yet requires human oversight to manage exceptions effectively.

MAIN POINTS:

  1. Automate asset discovery first to ensure comprehensive visibility of systems and accounts.
  2. Exposure management tools provide critical external asset discovery without internal assumptions.
  3. Effective exposure management identifies shadow IT, dangling DNS, risky cloud usage, and domain squatting.
  4. Automating patches requires fallback mechanisms, clear alerts, and alignment with business schedules.
  5. Prioritize patches based on vulnerability exploitability, not simply availability.
  6. Automate credential rotation for service accounts, privileged credentials, and API keys.
  7. Credential vaulting tools prevent hardcoded passwords, unauthorized sharing, and provide detailed audit logs.
  8. Automate onboarding and offboarding of employees to ensure timely account provisioning and revocation.
  9. Avoid automating exception handling; humans should approve and renew exceptions regularly.
  10. Automate alerts and reporting with prioritization based on severity, exploitability, and business impact.

TAKEAWAYS:

  1. Always start automation efforts by establishing clear visibility across all digital assets.
  2. Automation should complement, not replace, human judgment—especially regarding exceptions and access logic.
  3. Credential automation and vaulting significantly reduce risk from compromised privileged accounts.
  4. Align automated processes with security frameworks like NIST and ISO to enhance audit readiness and compliance.
  5. Continuously measure automated processes and regularly reassess their effectiveness and risk impact.

Exposure Management Works When the CIO and CSO Are in Sync

Source: Tenable Blog Author: Patricia Grant URL: https://www.tenable.com/blog/exposure-management-works-when-the-cio-and-cso-are-in-sync

ONE SENTENCE SUMMARY: Effective exposure management requires strong CIO-CSO collaboration, unified visibility, proactive endpoint security, strategic prioritization, and clear risk communication.

MAIN POINTS:

  1. CIO and CSO alignment is crucial for successful exposure management.
  2. Shared responsibility between IT and security teams ensures robust enterprise protection.
  3. Constant collaboration is necessary due to rapid shifts in threat landscapes.
  4. Exposure management provides unified visibility across cloud, on-prem, and hybrid assets.
  5. Endpoints require proactive security measures, such as rapid zero-day patching.
  6. Exposure management helps identify unknown risks like forgotten systems and open ports.
  7. Prioritizing vulnerabilities based on impact, not volume, leads to strategic advantage.
  8. Effective cybersecurity requires modernized change management and clear communication.
  9. Cyber risk must be translated into business language for effective board-level discussions.
  10. Visibility through exposure management empowers customers to address critical threats effectively.

TAKEAWAYS:

  1. Foster a close, trusting relationship between CIO and CSO for effective exposure management.
  2. Utilize exposure management tools to prioritize impactful vulnerabilities over sheer quantity.
  3. Implement proactive endpoint security practices, especially rapid response to zero-day threats.
  4. Modernize change management and communication strategies to engage employees effectively.
  5. Translate technical cybersecurity risks into strategic business language for board-level clarity.

SWE-agent/SWE-agent: SWE-agent takes a GitHub issue and tries to automatically fix it, using GPT-4, or your LM of choice.

Source: GitHub Author: unknown URL: https://github.com/SWE-agent/SWE-agent

ONE SENTENCE SUMMARY:

SWE-agent is an autonomous tool-using framework developed by Princeton and Stanford researchers for automated software engineering and cybersecurity tasks.

MAIN POINTS:

  1. SWE-agent allows language models like GPT-4o or Claude Sonnet 3.7 autonomous tool use.
  2. Utilizes agent-computer interfaces (ACIs) for interacting with isolated computer environments.
  3. Developed by researchers from Princeton University and Stanford University.
  4. Offers EnIGMA, a mode specialized in offensive cybersecurity capture-the-flag challenges.
  5. EnIGMA achieves state-of-the-art results in cybersecurity benchmarks.
  6. Includes tools like debugger, server connection, and summarizer for long outputs.
  7. Recommended to use SWE-agent version 0.7 during EnIGMA updates for 1.0.
  8. Community participation encouraged via Discord, with open contributions through GitHub.
  9. Research detailed in academic papers presented at NeurIPS 2024.
  10. MIT licensed project, open for academic citation and use.

TAKEAWAYS:

  1. SWE-agent enhances automated software engineering with autonomous tool use.
  2. Specialized EnIGMA mode excels in cybersecurity competitions.
  3. Important functionalities like debugging and summarizing improve usability.
  4. Active community involvement and contribution are highly encouraged.
  5. Proper citation of SWE-agent and EnIGMA is requested for academic use.

Cybersecurity metrics that matter (and how to measure them)

Source: The Red Canary Blog: Information Security Insights Author: Brian Donohue URL: https://redcanary.com/blog/threat-detection/cybersecurity-metrics/

ONE SENTENCE SUMMARY:

Security operations centers should prioritize accuracy, volume, and timeliness metrics, carefully defining and consistently measuring them to avoid misleading interpretations.

MAIN POINTS:

  1. Security metrics vary widely; clearly defined metrics ensure consistency and usefulness.
  2. SOC metrics typically focus on accuracy, volume, and timeliness.
  3. Mean-based metrics are problematic due to susceptibility to extreme outliers.
  4. Median metrics offer a more accurate representation of typical SOC performance.
  5. Definitions of detection, response, and mitigation significantly impact metric results.
  6. Clarifying when measurement begins and ends is crucial to meaningful SOC metrics.
  7. Time-to-detect can vary based on whether threats are identified or confirmed threats published.
  8. Response metrics must define precisely when a response action officially occurs.
  9. Publicly reported SOC metrics are hard to interpret without underlying context and definitions.
  10. Dwell time differs from breakout time; the latter may be a more critical security metric.

TAKEAWAYS:

  1. Clearly define and standardize measurement terms for SOC metrics.
  2. Favor median over mean to avoid misleading results from outliers.
  3. Clarify exactly when measurement “clocks” start and end for consistent metric tracking.
  4. Consider both dwell time and breakout time when evaluating threat response effectiveness.
  5. Always question and contextualize publicly reported SOC metrics to avoid misinterpretation.

MITRE Launches New D3FEND CAD Tool to Create Precise Cybersecurity Scenarios

Source: Cyber Security News Author: Guru Baran URL: https://cybersecuritynews.com/mitre-launches-new-d3fend-cad-tool/

ONE SENTENCE SUMMARY:

MITRE launched the D3FEND CAD tool, offering structured cybersecurity modeling through semantic knowledge graphs to enhance threat analysis and defense.

MAIN POINTS:

  1. MITRE released D3FEND CAD tool as part of comprehensive D3FEND 1.0 ontology release.
  2. CAD tool uses structured knowledge graphs rather than traditional unstructured cybersecurity diagrams.
  3. D3FEND ontology provides semantically rigorous cybersecurity knowledge representation.
  4. Users create cybersecurity scenarios using intuitive drag-and-drop browser interface.
  5. Attack nodes link directly to MITRE ATT&CK techniques.
  6. Tool includes Countermeasure and Digital Artifact nodes based on D3FEND ontology.
  7. “Explode” feature reveals potential attacks, defenses, and artifacts within nodes.
  8. Supports threat intelligence, modeling, detection engineering, incident investigation, and risk assessment.
  9. Export formats include JSON, TTL, PNG, and STIX 2.1 JSON import capability.
  10. Developed collaboratively by MITRE, NSA, and U.S. defense departments.

TAKEAWAYS:

  1. Structured knowledge modeling improves cybersecurity threat visualization and analysis.
  2. D3FEND CAD enables teams to collaboratively create and share precise cybersecurity scenarios.
  3. Standardized vocabulary and ontology facilitate clear communication across cybersecurity roles.
  4. Integration with MITRE ATT&CK and STIX enhances threat intelligence capabilities.
  5. Adopting structured cybersecurity modeling represents a significant advancement in defense strategy development.

A Data-Driven Approach to Windows Advanced Audit Policy – What to Enable and Why

Source: Security Blogs | Splunk Author: unknown URL: https://www.splunk.com/en_us/blog/security/windows-audit-policy-guide.html

ONE SENTENCE SUMMARY:

Configuring Windows Advanced Audit Policies effectively balances log volume and relevance, leveraging data-driven strategies and MITRE ATT&CK alignment for optimal threat detection.

MAIN POINTS:

  1. Windows event logs are essential but default logging lacks depth for detecting sophisticated threats.
  2. Windows Advanced Audit Policies provide granular control over security event logging.
  3. Advanced Audit Policies split broad categories into detailed subcategories for precise monitoring.
  4. Effective configuration involves balancing event volume, relevance, and system overhead.
  5. The Splunk Threat Research Team compiled Event ID mappings to simplify auditing configurations.
  6. Excessive logging can overwhelm SIEM solutions, increase costs, and burden analysts.
  7. STRT adopted a data-driven approach, analyzing official Microsoft and third-party guidelines.
  8. Event volume data varies by installed roles, features, and configured System Access Control Lists (SACLs).
  9. Certain subcategories require additional setup, registry edits, or reboots to function properly.
  10. Mapping Windows Event IDs to MITRE ATT&CK techniques helps prioritize critical security events.

TAKEAWAYS:

  1. Prioritize auditing configurations by aligning them to MITRE ATT&CK techniques and threat actor TTPs.
  2. Use STRT’s Event ID mapping resources to streamline and optimize your auditing strategy.
  3. Consider additional configuration requirements for certain audit subcategories to ensure proper logging.
  4. Evaluate event volume and relevance carefully to avoid overwhelming security monitoring systems.
  5. Leverage industry guidelines and real-world incident data to inform decisions on audit policy settings.

Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials

Source: The Hacker News Author: [email protected] (The Hacker News) URL: https://thehackernews.com/2025/04/phishers-exploit-google-sites-and-dkim.html

ONE SENTENCE SUMMARY:

Attackers executed a sophisticated phishing attack utilizing Google’s infrastructure and DKIM replay techniques, successfully bypassing security checks to harvest user credentials.

MAIN POINTS:

  1. Attackers leveraged Google’s legitimate email infrastructure for phishing, bypassing typical security alerts.
  2. Phishing emails appeared authentic, passing DKIM, SPF, and DMARC authentication checks.
  3. Victims received fake subpoenas directing them to malicious sites hosted on Google Sites.
  4. Fraudulent websites mimicked Google Support, tricking users into inputting credentials.
  5. Attackers exploited legacy Google Sites’ support of arbitrary scripts to host phishing content.
  6. Emails appeared to originate from “accounts.google.com,” despite originating elsewhere.
  7. DKIM replay attack used Google’s OAuth application process to generate genuine-looking security alerts.
  8. Gmail displayed messages as addressed to “me,” adding authenticity and reducing suspicion.
  9. Google has implemented fixes to prevent this abuse pathway and advised adopting two-factor authentication.
  10. Phishing attacks increasingly exploit SVG attachments to embed malicious HTML and JavaScript.

TAKEAWAYS:

  1. Legitimate infrastructures like Google can be exploited for sophisticated phishing attacks.
  2. DKIM signatures alone cannot guarantee email authenticity; vigilance remains essential.
  3. Legacy services supporting arbitrary scripts pose significant security risks.
  4. Enabling two-factor authentication and passkeys provides critical protection against phishing threats.
  5. Always scrutinize unexpected security alerts, even if they appear authentic and trustworthy.

Widespread Microsoft Entra lockouts tied to new security feature rollout

Source: BleepingComputer Author: Lawrence Abrams URL: https://www.bleepingcomputer.com/news/microsoft/widespread-microsoft-entra-lockouts-tied-to-new-security-feature-rollout/

ONE SENTENCE SUMMARY: A widespread false-positive issue with Microsoft’s new Entra ID “MACE Credential Revocation” app mistakenly locked numerous user accounts.

MAIN POINTS:

  1. Microsoft Entra ID’s new MACE app rollout triggered widespread false account lockouts.
  2. Alerts began last night, locking accounts that had unique passwords and MFA protections.
  3. Admins reported thousands of lockout notifications across multiple organizations.
  4. Reddit threads confirm multiple businesses experienced significant user account impacts.
  5. Affected accounts showed no suspicious activity or matching data breaches.
  6. Microsoft privately attributed the issue to errors during MACE app deployment.
  7. The MACE Credential Revocation app detects leaked credentials to protect user accounts.
  8. Lockouts were mistakenly flagged as leaked credentials from dark web breaches.
  9. Microsoft has not yet publicly acknowledged or explained the incident officially.
  10. Administrators should verify alerts but recognize mass lockouts likely due to rollout issue.

TAKEAWAYS:

  1. Carefully monitor automated security rollouts for potential false positives.
  2. Confirm alerts with independent breach notification tools like Have I Been Pwned.
  3. Maintain clear communication channels with vendors to quickly resolve issues.
  4. Consider temporarily disabling automated lockout actions during major updates.
  5. Ensure rapid internal communication to minimize user disruption during incidents.

SPF Record Cleanup Techniques

Source: dmarcian Author: John Bowers URL: https://dmarcian.com/spf-record-cleanup-techniques/

ONE SENTENCE SUMMARY:

dmarcian provides guidance on avoiding SPF over-authentication by safely removing unnecessary or incorrectly placed SPF include statements from organizational domains.

MAIN POINTS:

  1. Over-authentication occurs when unnecessary email sources remain in SPF records.
  2. SPF statements should be regularly reviewed to remove unused email sending sources.
  3. Subdomain usage is a best practice for proper SPF alignment and reducing lookup counts.
  4. Active Campaign requires subdomains; remove “include:emsd1.com” from organizational SPF.
  5. Adobe Marketo needs a subdomain and trusted IP; remove “include:mktomail.com”.
  6. AmazonSES requires subdomains; remove “include:amazonses.com” from organizational SPF.
  7. Bird (SparkPost) mandates subdomains; remove “_spf.sparkpostmail.com” or “_spf.eu.sparkpostmail.com”.
  8. Cvent cannot achieve SPF alignment; rely on DKIM instead and remove “include:cvent-planner.com”.
  9. Salesforce Marketing Cloud needs Sender Authentication Package; remove “include:cust-spf.exacttarget.com”.
  10. SendGrid usually requires subdomains; remove “include:sendgrid.net” from organizational SPF.

TAKEAWAYS:

  1. Regularly audit SPF records to maintain accuracy and avoid over-authentication.
  2. Use subdomains consistently for SPF alignment to improve email deliverability.
  3. Remove outdated or unnecessary SPF include statements from organizational domains.
  4. Confirm no aligned email volume before removing SPF includes using SPF Surveyor.
  5. Rely on DKIM when SPF alignment is not achievable (e.g., Cvent).

CISOs rethink hiring to emphasize skills over degrees and experience

Source: CISOs rethink hiring to emphasize skills over degrees and experience | CSO Online Author: unknown URL: https://www.csoonline.com/article/3963314/cisos-rethink-hiring-to-emphasize-skills-over-degrees-and-experience.html

ONE SENTENCE SUMMARY: Security leaders increasingly adopt skills-based hiring over degrees, emphasizing competencies, problem-solving, and practical assessments to improve cybersecurity recruitment.

MAIN POINTS:

  1. CISOs are shifting from degree-based hiring to skills-based approaches due to talent shortages.
  2. ISC2’s CISO Jon France removed degree and some certification requirements for cybersecurity roles.
  3. Skills-based hiring evaluates problem-solving, curiosity, and communication over academic credentials.
  4. Implementing skills-based hiring effectively requires significant changes beyond job postings.
  5. Burning Glass Institute’s report indicates limited success so far in skills-based hiring adoption.
  6. Only 37% of organizations studied successfully implemented genuine skills-based hiring methods.
  7. France collaborates with HR to craft job descriptions focused on tasks and required practical skills.
  8. Certifications can still be required post-hiring to confirm willingness and aptitude for continued learning.
  9. CyberSN and Immersive effectively use skills assessments and practical scenarios in hiring processes.
  10. Skills-based hiring has produced diverse candidate pools, improving cybersecurity team performance.

TAKEAWAYS:

  1. Prioritize demonstrable skills, critical thinking, and curiosity over traditional educational credentials.
  2. Collaborate closely with HR to rewrite job descriptions clearly outlining practical skills needed.
  3. Implement thorough candidate assessments using realistic scenarios and problem-solving exercises.
  4. Recognize certifications as useful skill indicators, potentially required after hiring.
  5. Expect significant effort and organizational change to successfully adopt a skills-based hiring approach.

Microsoft blocks ActiveX by default in Microsoft 365, Office 2024

Source: BleepingComputer Author: Sergiu Gatlan URL: https://www.bleepingcomputer.com/news/microsoft/microsoft-blocks-activex-by-default-in-microsoft-365-office-2024/

ONE SENTENCE SUMMARY: Microsoft is disabling ActiveX controls in Office 2024 applications to enhance security against malware and unauthorized code execution risks.

MAIN POINTS:

  1. Microsoft will disable ActiveX controls in Office 2024 apps later this month.
  2. ActiveX, introduced in 1996, enabled interactive embedded objects in Office documents.
  3. Word, Excel, PowerPoint, and Visio will block ActiveX entirely without notification.
  4. A “BLOCKED CONTENT” notification will appear upon opening documents with ActiveX controls.
  5. Microsoft advises users against opening unexpected attachments or changing ActiveX settings unnecessarily.
  6. Existing ActiveX objects will remain visible but non-interactive, appearing as static images.
  7. Users can manually enable ActiveX via Trust Center settings, affecting all Office apps simultaneously.
  8. ActiveX controls have historically been exploited for zero-day vulnerabilities and malware infections.
  9. Cybercriminals have previously used ActiveX in Word documents to deploy TrickBot malware and Cobalt Strike.
  10. Disabling ActiveX aligns with Microsoft’s broader strategy to disable legacy Office features prone to exploitation.

TAKEAWAYS:

  1. Keep ActiveX controls disabled for optimal security unless absolutely necessary.
  2. Be cautious and avoid enabling ActiveX prompted by unknown pop-ups or suspicious attachments.
  3. Consider the security benefits of Microsoft’s ongoing removal of legacy Office vulnerabilities.
  4. Understand that enabling ActiveX via Trust Center settings impacts all Office applications.
  5. Recognize Microsoft’s proactive steps in mitigating malware threats by disabling risky legacy features.

PentestPlaybook/ad-lab-scripts: AD Lab Setup Scripts

Source: GitHub Author: unknown URL: https://github.com/PentestPlaybook/ad-lab-scripts

ONE SENTENCE SUMMARY:

This repository offers automation scripts to quickly build an intentionally vulnerable Active Directory lab environment for penetration testing practice.

MAIN POINTS:

  1. Repository contains scripts for quickly setting up an Active Directory testing environment.
  2. Each script corresponds to a specific virtual machine like Domain Controller or workstation.
  3. Users can selectively deploy machines individually or create complex network scenarios.
  4. Scripts perform roles installation, user creation, and set intentional vulnerabilities.
  5. Environment supports practicing lateral movement and privilege escalation attacks.
  6. Requires placing Windows ISO files in the repository directory before running scripts.
  7. Lab environment is intentionally insecure and only intended for local testing use.
  8. Common setup issues include missing ISO files, insufficient resources, or antivirus interference.
  9. Scripts primarily tested with VMware but can be adapted for other hypervisors.
  10. Contributions such as new scripts or improvements are welcomed through GitHub pull requests.

TAKEAWAYS:

  1. Quickly build a realistic, vulnerable Active Directory lab for penetration testing.
  2. Customize your environment by choosing specific machines and deployment order.
  3. Safely practice common AD attacks like lateral movement and privilege escalation.
  4. Ensure ISO files and system resources are prepared to prevent setup issues.
  5. Engage with the community by contributing improvements or additional scripts.

Explore how to secure AI by attending our Learn Live Series

Source: Microsoft Security Blog Author: Shirleyse Haley URL: https://techcommunity.microsoft.com/blog/microsoft-security-blog/explore-how-to-secure-ai-by-attending-our-learn-live-series/4399703

ONE SENTENCE SUMMARY: Microsoft’s Learn Live webinar series helps IT professionals secure AI environments using Microsoft Purview and Defender for Cloud solutions.

MAIN POINTS:

  1. Learn Live webinar series teaches securing AI applications using Microsoft Security solutions.
  2. Sessions demonstrate practical use of Microsoft Purview and Defender for Cloud tools.
  3. Manage AI data security challenges using Microsoft Purview’s sensitivity labels.
  4. Protect against generative AI data exposure with endpoint Data Loss Prevention (DLP).
  5. Use Microsoft Purview eDiscovery for investigating Microsoft 365 Copilot interactions.
  6. Apply Data Lifecycle Management in Purview to manage Copilot data retention effectively.
  7. Utilize Purview’s Data Security Posture Management (DSPM) to monitor AI interactions.
  8. Detect AI security risks through reports and insights provided by Purview DSPM.
  9. Configure security policies like DLP and sensitivity labels for AI-referenced data protection.
  10. Leverage Microsoft Defender for Cloud for advanced protection of AI workloads.

TAKEAWAYS:

  1. Organizations must proactively address AI-specific security threats and data exposure risks.
  2. Microsoft Purview provides comprehensive tools for data security and compliance management.
  3. Microsoft Defender for Cloud offers advanced threat protection tailored for AI applications.
  4. Hands-on Learn Live sessions demonstrate practical solutions to AI security challenges.
  5. Recorded webinar sessions are available on-demand, ensuring ongoing learning opportunities.