Researchers demonstrate a proof-of-concept cyberattack vector that gets around remote, on-premises, and local versions of browser isolation security technology to send malicious communications from an attacker-controlled server.

Source: Sasin Paraska via Shutterstock

Security researchers have found a way to bypass three types of browser isolation, which would allow a cyberattacker to send malicious data to a remote device by using QR codes.

Researchers from Mandiant demonstrated a proof-of-concept (PoC) that gets around remote, on-premises, and local browser isolation by overriding HTTP request-based communication with machine-readable QR codes. In this way, the technique allows attackers to send commands from a command-and-control (C2) server to a victim's device.

Browser isolation is often used by organizations to fight phishing threats, protect a device from browser-delivered attacks, and deter typical C2 tactics used by attackers. The technique runs a browser in a secure environment — such as a cloud server or virtual machine — and then streams the visual content to the user's device.

When browser isolation is being used, the remote browser handles everything from page rendering to executing JavaScript, with only the visual appearance of the webpage sent back to the user's local browser.

As attackers generally send commands to and from a victim's device through HTTP requests, browser isolation makes it challenging for attackers to remotely control a device in the typical way. That's because the HTTP response returned to the local browser contains only the streaming engine to render the remote browser's visual page contents, "and only a stream of pixels is sent to the local browser to visually render the webpage," Mandiant principal security consultant Thibault Van Geluwe de Berlaere wrote in the post. "This prevents typical HTTP-based C2 because the local device cannot decode the HTTP response."

Related:Cybercrime Gangs Abscond With Thousands of AWS Credentials

**Bypassing Browser Isolation With QR Codes**

Mandiant researchers developed a PoC that demonstrates how to get around browser isolation using the Puppeteer JavaScript library and the Google Chrome browser in headless mode. However, any modern browser can be used to achieve the PoC, Van Geluwe de Berlaere noted.

Instead of returning the C2 data in the HTTP request headers or body, as a typical attacker-controlled attempt to send commands to a device might, the C2 server returns a valid webpage that visually shows a QR code. "The implant then uses a local headless browser … to render the page, grabs a screenshot, and reads the QR code to retrieve the embedded data," Van Geluwe de Berlaere wrote.

"By taking advantage of machine-readable QR codes, an attacker can send data from the attacker-controlled server to a malicious implant even when the webpage is rendered in a remote browser."

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

In the attack sequence, the malicious implant visually renders the webpage from the browser isolation's pixel streaming engine and decodes the command from the QR code displayed on the page. It then retrieves a valid HTML webpage from the C2 server with the command data encoded in a QR code visually shown on the page.

The remote browser then returns the pixel-streaming engine back to the local browser, starting a visual stream that shows the rendered page obtained from the C2 server. The implant waits for the page to fully render, then grabs a screenshot of the local browser that contains the QR code, which the malicious implant reads to execute the C2 command on the compromised device.

The implant then goes through the local browser again to navigate to a new URL that includes the command output encoded in a URL parameter. This parameter is passed through to the remote browser and ultimately to the C2 server, which decodes the command output as in traditional HTTP-based C2.

**Challenges to Implementing the Bypass**

Though the PoC demonstrates how attackers can get around browser isolation, there are some limitations and challenges to consider when using it, the researchers noted.

One is that it's not feasible to use the PoC with QR codes that have the maximum data size — i.e., 2,953 bytes, 177x177 grid, Error Correction Level "L" — as "the visual stream of the webpage rendered in the local browser was of insufficient quality to reliably read the QR code contents," Van Geluwe de Berlaere explained. Instead, the researchers used QR codes containing a maximum of 2,189 bytes of content.

Related:Pegasus Spyware Infections Proliferate Across iOS, Android Devices

Moreover, the requests take at least five seconds to reliably show and scan the QR code due to the processing involved when using Chrome in headless mode, as well as the time it takes for the remote browser to start up, page-rendering requirements, and the stream of visual content from the remote browser back to the local browser. "This introduces significant latency in the C2 channel," he wrote.

Finally, the PoC does not consider other security features of browser isolation, such as domain reputation, URL scanning, data-loss prevention, and request heuristics, which may need to be overcome if they are present in the browser-isolation environment on which it is being used.

Despite the success of the bypass, Mandiant still recommends browser isolation as a strong protection measure against client-side browser exploitation and phishing attacks. However, Van Geluwe de Berlaere wrote, it should be used as one part of "a well-rounded cyber defense posture" that also includes monitoring for anomalous network traffic and browser in automation mode to defend against Web-based attacks.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Can Use QR Codes to Bypass Browser Isolation

More than 4% of US attempted e-commerce transactions between Thanksgiving and Cyber Monday suspected to be fraudulent.

PRESS RELEASE

MONTRÉAL, December 4, 2024 — Genetec Inc. (“Genetec”), the global leader in enterprise physical security software, today shared the results of its "2025 State of the Physical Security Report." Based on insights from over 5,600 physical security leaders worldwide (including end users, channel partners, systems integrators, and consultants), the report offers a comprehensive analysis of evolving trends in physical security operations.

**Hybrid cloud adoption grows as organizations seek flexibility and control**

As organizations evaluate cloud solutions for physical security, most are prioritizing a hybrid strategy that aligns with operational needs, budget constraints, and storage requirements. This pragmatic and flexible deployment approach allows critical data and applications to be managed both on-premises and in the cloud.

According to the report, 43% of end users envision hybrid deployments as their preferred approach within the next five years, compared to just 18% favoring fully cloud-based implementations and 17% planning to remain fully on-premises. This preference for hybrid-cloud is echoed by consultants and channel partners, with 66% of consultants planning to recommend hybrid deployments in the next five years.

This data not only reflects the rising demand for adaptable deployment models but also highlights a measured approach to cloud adoption as the industry matures.

By focusing on operational realities, varying costs of the cloud, and evolving seditecurity requirements, organizations will be better positioned to successfully adopt the cloud at a pace and cost that reflects their needs.

“There’s no all-or-nothing with a hybrid-cloud approach. Businesses remain in total control of how they deploy their systems across various locations. With an open ecosystem, they can implement the best technology—whether on-premises or in the cloud— that meets their business needs and avoid unnecessary compromise without ever being locked into proprietary solutions. This allows them to deploy, scale, and upgrade systems faster, streamline processes, and strengthen their security posture in the most efficient and effective ways,” said Christian Morin, Vice President Product Engineering, Genetec Inc.

**IT departments become central to decisions**

A decade ago, physical security systems in large organizations were typically managed by personnel in specialized security departments. However, the increasing adoption of cloud and hybrid-cloud solutions, the rise in cybersecurity threats, and the need to align physical and digital security have led IT teams to take an increasingly prominent role in influencing the acquisition and deployment of physical security systems.

According to the report, 77% of end users say physical security and information technology (IT) departments now work collaboratively. Additionally, IT departments are taking on an increasing role in the buying process, with over 50% of end users, systems integrators, and consultants reporting that IT teams are now actively involved in physical security purchasing decisions.

“The evolving role of physical security is reshaping how organizations secure both their people and digital networks. With IT at the forefront of implementing cloud and hybrid solutions, physical security operations are becoming more resilient, data-driven, and adaptable to evolving threats," Morin added.

**AI adoption grows as industry prioritizes practical applications**

The report reveals a significant rise in the interest toward AI adoption in physical security, with 37% of end users planning to implement AI-powered features in 2025, up from just 10% in 2024. This heightened interest aligns with a strategic, purpose-driven approach. With 42% of end users seeing AI as a tool to streamline security operations, organizations are focusing on practical applications, such as refining threat detection and automating routine processes, with intelligent automation as the ultimate goal.

Survey methodology

Genetec Inc. surveyed physical security professionals from August 12th to September 15th, 2024. Following a review of submissions and data cleansing, 5,696 respondents (including end users, channel partners, and consultants) were included in the sample for analysis. Survey samples were run across all regions including North America, Central America, the Caribbean, South America, Europe, the Middle East, Africa, East Asia, Southern Asia, South-Eastern Asia, Central Asia, Western Asia, and Australia-New Zealand.

Genetec Physical Security Report Shows Accelerating Hybrid Cloud Adoption

Using different parts of our brains gives us different perspectives on the world around us and new approaches to the problems we face in security.

Source: Dennis Hallinan via Alamy Stock Photo

COMMENTARY

I recently delivered one of the keynotes at the Fall Summit 2024 for Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium that works to build cybersecurity and resilience in the global financial system. My talk began with a lyrical analysis of the Joni Mitchell song "Both Sides Now" and continued into how we can take lessons from the song and apply them to our security programs.

To be clear, this was a risk. An audience of security professionals and security executives in the banking, financial services, and insurance (BFSI) vertical looking for information about technical innovation and new research may not respond positively to a talk that centers on a lyrical analysis of a song written in the 1960s.

If you aren't familiar with the lyrics, I highly encourage a listen — it's a great song.

What I learned is that people like it when we draw inspiration from sources outside of cybersecurity. After all, we are a relatively new field, and other professions have likely figured out a few things that we're still trying to work out. Security professionals can — and should — learn from other fields and apply those lessons to our work.

**1\. Pay Attention**

The analog world has many lessons to teach us. Inspiration, ideas, and solutions are all around us. We simply need to open our eyes to what surrounds us. It is not easy to take in everything when we are focused on our jobs and everyday life, but it is still worth taking a step back now and again to take in the wider world and the lessons it can teach us. Many of them are applicable to the security challenges we face.

**2\. Open a Book**

It may seem old-fashioned, but books are still one of the most amazing sources of knowledge and inspiration. Whether classic or modern, some of the top authors have grappled with, processed, thought through, and written about some of the most difficult and challenging issues. It would be silly to cast all that aside and think that there isn't anything in there we can learn from as a security community. So while William Shakespeare, Charles Dickens, Mark Twain, Leo Tolstoy, Jane Austen, the Bronte sisters, and others may not immediately bring security to mind, we are almost certain to find important lessons in their works.

**3\. Read Poetry**

One of the things that amazes me most is how poets can take the same words that most of us use day to day and form them into the most beautiful works of art. Aside from the powerful messages that poems can convey, there is a unique angle to problem-solving that poets take in order to be able to transform language as they do. As security professionals, we can learn a lot from both the messages that poets convey and the manner in which they do so. We as security professionals can certainly learn to convey more valuable messages to our stakeholders, as well as how to convey those messages more clearly.

**4\. Listen to Lyrics**

Although I only recently gave my first talk based on lyrical analysis, I have been listening to and analyzing lyrics for quite some time. Like authors and poets, good lyricists are also quite talented at getting powerful messages into relatively few words. In the security field, we can learn a lot from this. First off, understanding that our management, executives, and other stakeholders want fewer but more powerful words from us is an important lesson. So is being able to deliver that message in a catchy, fun, or impactful manner, as is the case with music. While it may be tempting to fill reports and presentations with an overdose of data, successful lyricists would advise us otherwise.

**5\. Appreciate Art**

If you've ever seen an original work of art (in a museum, for example), you know that it can sometimes take you aback in a way that seeing it online or seeing a replica cannot. While I am not a visual person, I can appreciate that some people are. As security professionals, we can take a lesson from this. Some people need to see data come alive visually in order to internalize it. We can take inspiration and learn from other fields that have worked out how to present data visually.

**6\. Study Creativity**

Creativity comes in many forms. Whether someone is an author, a poet, a lyricist, an artist, or any other creative type, they all have one thing in common: They take inspiration from the world around them and synthesize something new. As security professionals, we can learn from this. There is no shortage of the same old conventional wisdom floating around our industry. Much of that conventional wisdom has led to less-than-ideal outcomes. Creative thinking, fresh ideas, and new approaches could potentially do wonders for our field if we allow them to.

**Coda**

Literature, poetry, music, and art may not be sources you think of when looking for fresh thinking around security problems. They probably should be, though. Other fields that have been around considerably longer than the security field are likely good sources of inspiration for creative approaches to solving security issues. It seems about time we consider that when looking to advance the state of our field.

**About the Author**

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

How Art Appreciation Supplements Cybersecurity Skills

Vanir automates the process of scanning source code to identify missing security patches.

Source: Art of Food via Alamy Stock Photo

NEWS BRIEF

Security updates in the Android ecosystem is a complex, multistage affair, with each downstream manufacturer responsible for incorporating security fixes and deploying them to individual user devices. Manufacturers have diverse device portfolios with different models running different versions of the Android operating system and related software, which means they are responsible for multiple update versions. As it currently stands, updating Android devices is both time-consuming and labor-intensive.

Vanir, Google's latest open source security patch validation tool, speeds up the process of figuring out which security patches are missing from the platform by scanning custom platform code using static code analysis. By automating this process, OEMs can identify missing security updates much faster than current methods, according to an announcement on the Google Security Blog.

Vanir, which has a 97% accuracy rate, covers 95% of all Android, Wear, and Pixel vulnerabilities that already have public fixes, the company said. Inside Google, Vanir is part of the build system and tests against over 1,300 vulnerabilities, saving internal teams "over 500 hours to date in patch fix time," according to Google.

The tool does not rely on metadata, such as version numbers, repository history, or build configurations, to identify which updates are missing. Instead, Vanir uses automatic signature refinement techniques and multiple pattern analysis algorithms. Google said these algorithms have low false-alarm rates, noting that in two years of testing Vanir, only 2.72% of signatures triggered false alarms.

"This allows Vanir to efficiently find missing patches, even with code changes, while minimizing unnecessary alerts and manual review efforts," the company said.

A single engineer used Vanir to generate signatures for over 150 vulnerabilities and verify missing security patches across downstream branches in just five days, Google noted.

While Vanir was originally introduced at Android Bootcamp back in April and is designed for Android, the tool can be adapted to other ecosystems and platforms with small modifications. Vanir can be used as a standalone application as well as a Python library. Users can integrate Vanir with their continuous builds or test chains by wiring the tool with Vanir scanner libraries.

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Google Launches Open Source Patch Validation Tool

We can anticipate a growing number of emerging vulnerabilities in the near future, emphasizing the need for an effective prioritization strategy.

Audra Streetman, Senior Threat Intelligence Analyst, Splunk

December 9, 2024

4 Min Read

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

The work of cybersecurity defenders continues to evolve. The sheer amount of software and applications within an organization's IT environment has increased the attack surface and, consequently, the number of vulnerabilities. According to the Verizon "2024 Data Breach Investigations Report," "14% of breaches involved the exploitation of vulnerabilities as an initial access step, almost triple the amount from last year's report."

With vulnerability exploitation increasing, prioritization can be difficult and time-consuming if you don't have a clear plan. The consequences of large-scale incidents, such as Log4j and the MOVEit breach, have had lasting impacts on the cybersecurity world. However, cybersecurity defenders can learn from these experiences.

**Key Considerations for Vulnerability Evaluation**

The first step in vulnerability evaluation mirrors the basics of reading comprehension: understanding the who, what, when, where, and why:

Who: Who is discussing vulnerabilities? Pay attention to peers, industry experts, and government advisories. Know that vulnerability discourse on social media and online forums may include fear-mongering and hyperbole. 

What: After identifying a vulnerability, analyze its exploitability. Determine if it is exploitable over a network or requires local access, or if exploit code is public. 

When: Timing is crucial. Know when the vulnerability was disclosed and if it has been exploited in the wild.

Where: Know where the vulnerability exists in your environment, which can influence the impact of exploitation. Check if it appears in a software bill of materials (SBOM) or a vendor advisory, as this can direct your remediation efforts.

If a patch is available, determine if it will cause downtime and if you are bound by a service-level agreement. If you opt to not patch, or if a patch is not available, research mitigation guidance to minimize risk.

Why: Understand how the vulnerability aligns with recent trends in adversary behavior. Also, Common Vulnerability scores and Exploit Prediction scores can inform prioritization, but should not be relied upon as the only factor when evaluating vulnerabilities.

**Learning From Large-Scale Incidents****MOVEit **

A great way to combat vulnerabilities is to learn from the past. For example, when the MOVEit Transfer vulnerability emerged in 2023, there were early signs pointing to the potential for mass exploitation. The cybercriminal group behind the breach was known to target vulnerabilities in file transfer software for spray-and-pray attacks that relied on data exfiltration without encryption to reach more victims. Ultimately, more than 2,700 organizations and 95.8 million people were impacted by the breach, according to cybersecurity firm Emsisoft, teaching the cybersecurity world three things:

1.  Adversary behavior can influence the likelihood of exploitation. A critical vulnerability in a file transfer appliance carried additional urgency in 2023 because of the strategies employed by cybercriminals. 
    
2.  Zero-day vulnerabilities with low attack complexity are a higher priority. Attacks began days before the MOVEit vulnerability was publicly disclosed and one attack vector allowed data exfiltration directly from the MOVEit application. One caveat here is that not all zero-day vulnerabilities are a high priority; there are other factors to consider, such as attack complexity. 
    
3.  Vulnerabilities with cascading effects on the supply chain are critical priorities. Some organizations were impacted by the breach because their vendor's contractor's subcontractor used MOVEit Transfer.
    

**Log4j**

The 2021 Log4j incident highlights the challenges with identifying vulnerable software components in your environment. This vulnerability was a high priority for several reasons:

1.  It was remotely exploitable.
    
2.  It was publicly disclosed before a fix was available.
    
3.  Exploit code circulated online.
    
4.  Because the Log4j library was popular among Java developers, it was embedded into thousands of software packages and integrated into millions of systems worldwide. 
    

Many organizations struggled to identify where Log4j was present in their environment, as these open source components aren't always readily listed. Accurate asset inventories and widespread SBOM adoption — which is essentially an ingredients list of software components — can go a long way in improving how organizations identify and respond to future vulnerabilities. 

**Knowing the Score With Vulnerabilities**

Cybersecurity defenders have at their disposal a number of vulnerability databases and scoring frameworks, such as the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog and the National Vulnerability Database (NVD). As organizations mature and refine their vulnerability management program, they can begin to implement additional steps, such as continuous monitoring, automation, and the integration of vulnerability management tools with configuration management databases (CMDBs) to improve detection and remediation.

In the future, we may see software suppliers adopt a secure-by-design philosophy that takes greater ownership of customer security outcomes. This could be influenced by future regulations, heightened liability for security executives, and the loss of customer trust. We may also see new use cases for emerging technologies, like machine learning and artificial intelligence, to help speed up and guide the vulnerability prioritization process, while maintaining a human-in-the-loop approach. In the meantime, we can anticipate a growing number of emerging vulnerabilities, emphasizing the need for an effective prioritization strategy.

**About the Author**

Senior Threat Intelligence Analyst, Splunk

Audra Streetman is an active member of Splunk's global security team and previously contributed to Splunk's SURGe research team. Before arriving at Splunk, Audra worked as a reporter, producer, and news anchor at local TV stations in Indiana, California, Kentucky, and Colorado. Audra produced and co-hosted a podcast called The Security Detail, which examined the cyber threat landscape in different industries. Audra is a member of the GIAC Advisory Board and has several certifications, including GDAT, GCTI, Security+, Linux+, Network+, AWS Cloud Practitioner, and Splunk Enterprise Certified Admin.

Large-Scale Incidents &amp; the Art of Vulnerability Prioritization

An FBI operation nabbed a member of the infamous cybercrime group, who is spilling the tea on 'key Scattered Spider members' and their tactics.

Source: Steven Frame via Alamy Stock Photo

Chasing down members of Scattered Spider, the cybercrime group known for their social engineering takedowns of massive organizations, has been a top law enforcement priority over the past several months. Now, the Federal Bureau of Investigation has made a new arrest in the case, a 19-year-old hacker living in Fort Worth, Texas — and he's talking.

Remington Goy Ogletree is accused of a phishing operation that ran from October 2023 to last May, when, according to the complaint, he was able to gain credentials and unauthorized access to two telecommunications companies and one US-based national bank. He then stole data, including API keys and cryptocurrency, and sold off access to other threat actors on the Dark Web, according to the indictment.

He is also accused of hijacking one of the telecommunications platforms to send about 8.5 million phishing texts in an attempt to steal cryptocurrency. Ogletree likewise allegedly used a hacked telecom network to send phishing messages to employees of an unidentified financial institution with the intent to steal their credentials. The FBI complaint added that Ogletree hacked into a second telecommunications organization to send an additional 140,000 fraudulent phishing text messages.

**Suspect Spills Details on Scattered Spider Cybercrime Ring**

Once he was arrested in February, Ogletree admitted to being a part of the Scattered Spider threat group.

"I know key Scattered Spider members," Ogletree told the cops. "Any company getting ransom\[ed\] ... that's not crypto-related, it's gonna be them."

He went on to tell the FBI that Scattered Spider prefers to target business process outsourcing (BPO) organizations, "because outsourcing companies, they have less security." He also told law enforcement that Scattered Spider has already compromised five of the top BPO companies, the complaint explained.

Scattered Spider threat group is well known for recruiting young, native English speakers into its fold to help pull off brazen social engineering schemes to steal employee login credentials. Some of the group's most infamous breaches include last year's casino ransomware attacks on Caesars and MGM Resorts.

**FBI Keeps Nabbing Scattered Spider Members**

The arrest is the latest in a string of Scattered Spider stings. Just a few weeks ago, another group of Scattered Spider members was arrested and charged with various cybercrimes; four of them are American. Last June, a 22-year-old British man was arrested by Spanish police for his connection to Scattered Spider and was found with control of more than $27 million in Bitcoin. And in July, a 17-year-old was arrested in the UK for his role in the Scattered Spider operation.

The arrests are welcome news. Last year, law enforcement received criticism for not doing more to stop Scattered Spider and keep them from committing additional cybercrimes.

The FBI was able to nab Ogletree by posing as a cryptocurrency laundering operation called "Cash Service." When he engaged with the front operation to convert stolen crypto to cash, they were able to track him down and make the arrest, according to the complaint.

**About the Author**

Senior Editor, Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Texas Teen Arrested for Scattered Spider Telecom Hacks

The activity-recording capability has drawn concerns from the security community and privacy experts, but the tech giant is being measured in its gradual rollout, which is still in preview mode.

Source: Pictorial Press Ltd via Alamy Stock Photo

NEWS BRIEF

Microsoft has expanded access for its Windows Recall feature to Copilot+ PCs that use AMD and Intel chipsets, after initially offering it to users with Snapdragon-powered machines. And, it has now launched in Europe.

The launch is part of a gradual rollout that for now is in a preview phase within the Windows Insiders testing community.

Recall is an AI-powered feature that allows PC users to record everything they do on their computers, and then go back to a desired "snapshot" of activity later. It's a useful tool, as Microsoft pointed out in its expansion announcement on Dec. 6: "It's now possible to quickly find and get back to apps, websites, images, or documents just by describing its content." But the capability also has sparked ongoing concerns about privacy and data security (Microsoft keeps and hosts the recorded content in the cloud), as well as the potential for the feature to be compromised and used for cyber-espionage ends.

The tech giant appears to be taking those concerns seriously; in June, it beefed up its planned privacy and security features for Recall, including data encryption, turning Recall off by default, and requiring users to enroll in Windows Hello biometrics authentication to prove they're present at the keyboard as recording is happening. It also added it to its bug bounty program to track down exploitable security vulnerabilities.

Microsoft has taken its time with the launch in light of the concerns; after being set to go live in June, Redmond pushed the release date for Recall back to October, and then to November, when it finally became available in limited release.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Microsoft Expands Access to Windows Recall AI Feature

The cybersecurity industry faces a growing crisis in attracting and retaining SOC analysts.

Source: Dragos Condrea via Alamy Stock Photo

COMMENTARY

When I began my career, the security operations center (SOC) analyst role seemed like an exciting entry point into a promising career. And for me, it was. However, the job is increasingly perceived as thankless and high-stress, filled with repetitive tasks, high stakes, and limited opportunities for professional growth. 

High turnover and talent shortages are common, so if businesses want to retain skilled analysts and appeal to the next generation of talent, the SOC role needs a serious rebrand. 

**Why SOC Roles Are Losing Their Appeal**

I won't sugarcoat it: The SOC Tier I analyst role is incredibly challenging. In a typical day, analysts receive thousands of alerts, many of which are false positives. 

This constant flood of data leaves analysts struggling to sift through the noise and focus on real threats, a task that demands both accuracy and a clear rationale for every action taken. Dismissing an alert too quickly risks missing a critical event, while escalating a low-risk alert could divert resources away from more urgent priorities. This pressure, coupled with the fear of making mistakes that could affect the team or your own credibility, often leads to burnout. The pressure, the sheer volume of alerts, and the feeling of always being under scrutiny make this role uniquely taxing.

Another significant issue I've encountered is the lack of growth opportunities. With so much time dedicated to the constant alerts, analysts rarely have time to develop new skills. Despite the extensive training and certifications many analysts bring, they're often stuck with monotonous tasks like reviewing phishing emails, limiting exposure to broader infrastructure or skills required for senior roles. 

This lack of growth and evolution leads to disengagement and, eventually, many talented analysts leave the role entirely.

**Leveraging AI and Career Development to Transform SOC Jobs**

The key to transforming the status quo for SOC analysts lies in reimagining these positions to make them more dynamic, rewarding, and sustainable. 

One solution is thoughtfully integrating AI to enhance — not replace — human expertise. By doing so, organizations can:

*   Automatically resolve false positives, allowing SOC analysts to focus on more critical, actionable alerts
    
*   Automate repetitive tasks that can be time consuming, like threat intelligence enrichment, false positive filtering, and alert triage prioritization 
    
*   Provide 24/7 monitoring to alleviate the strain of on-call shifts and cover gaps by allowing AI to investigate and escalate alerts
    
*   Triage the flood of alerts to surface only the most critical and relevant issues, empowering SOC analysts to proactively threat hunt rather than only react to alerts 
    

These applications of AI not only reduce the workload but help prevent human error, which is more likely when analysts are overwhelmed by large volumes of data. 

But AI alone doesn't fix everything. While AI can free up analysts' time by automating many entry-level tasks, businesses must then provide the appropriate structure and growth opportunities to align with these changes. 

To help SOC analysts grow and avoid stagnation, while also providing the necessary support, businesses should do the following:

*   Provide mentorship opportunities after taking steps to ensure senior analysts aren't bogged down with the same repetitive tasks as junior analysts. In many cases I found that no one on the team had bandwidth for anything beyond alert response. 
    
*   Invest in training and upskilling so analysts can perform more sophisticated tasks and advance in their careers rather than becoming pigeonholed in low-level tasks.
    
*   Implement regular evaluations to assess the well-being and development needs of SOC analysts. These evaluations are commonplace in the public sector, but I've rarely encountered them in the corporate world. 
    
*   Foster a culture of continuous improvement throughout the organization, empowering all team members to seek out new skills and opportunities.
    
*   Secure a permanent seat for security in strategic decision-making. SOC teams are often seen as blockers and are typically the last to learn about key business changes. By integrating security early, security teams can influence strategies, ensuring that protocols are built in from the start and reducing future risks.
    

**Investing in Tools, Training, and the Future of SOC Roles**

Budget constraints and organizational inertia often prevent companies from investing in the tools and training needed to make analyst roles more meaningful and sustainable. 

However, the cost of not investing is far greater — high turnover leads to gaps in security coverage, increased vulnerability to cyberattacks, lost institutional knowledge, and longer incident response times. Plus finding, hiring, and training replacements only consumes more time and resources.

The solution lies in rethinking the SOC analyst role — embracing AI to reduce stress and improve efficiency while providing better support and growth opportunities. Forward-thinking businesses that face these challenges head-on will be better equipped with the highly skilled, motivated analysts ready to tackle the threats of the future.

I want to see SOC analysts succeed. These days, I love that I'm able to help SOC analysts as a solutions engineer, working with them to implement and adopt tools to alleviate the stress and alert fatigue that can come from working in a SOC. 

Companies that fail to address these issues risk losing not only their analysts but also their security edge against attackers.

**About the Author**

Solutions Engineer, Intezer

Jessica Belt is solutions engineer at Intezer, a leading provider of AI-powered technology for autonomous security operations. With five years of experience in cybersecurity and 10 years in event coordination, Jessica brings a unique combination of technical expertise and operational excellence. In her current role as a solutions engineer, Jessica leverages her experience as a former security engineer at a security operations center (SOC) to help teams optimize their workflows and enhance their security operations. In her previous roles, Jessica specialized in vulnerability management, threat intelligence, container security, incident response, and identity security.

Why SOC Roles Need to Evolve to Attract a New Generation

The "Census of Free and Open Source Software" report, which identifies the most critical software projects, sees more cloud infrastructure and Python software designated as critical software components.

Source: Photon Photo via Shutterstock

Open source components aimed at connecting applications to cloud resources and those written in Python have jumped up the list of critical packages, according to the latest rankings of the open source software ecosystem — a reordering that underscores the projects that need to be well-funded to improve the security of the software ecosystem.

The data-collection effort — known as the "Census of Free and Open Source Software" — classifies the open source projects into eight top 500 lists, depending on their ecosystem, whether version information is included, and whether direct and indirect dependencies are taken into account. The latest survey of software, known as Census III, found that packages for Python software and those meant to connect developers with specific cloud services — such as a toolkit for Amazon's Elastic Computing Cloud (EC2) or the API for connecting Go programs to Google Cloud — have become much more popular and, thus, critical to software development.

While cloud-native and hybrid development are by no means new, cloud providers have created an increasing number of software development kits (SDKs) for developers. Their widespread use has boosted those tools in the rankings of critical software, says David Wheeler, director of open source supply chain security for the Linux Foundation, which collaborates with Harvard Business School to produce the census.

"Cloud providers offer a lot of specialized services, but the early uses of cloud were a lot of lift-and-shift moves," he says. "Increasingly, we're seeing people write software specifically intended to be run on a cloud, \[and there is a\] rising level of these kinds of packages — it's something that is dramatically increasing."

The third "Census of Free and Open Source Software" report comes more than two years after the official publication of Census II in March 2022 — an initial version of that report was released in 2020 — and nine years after the original census report. The data-collection exercises aim to identify the most critical open source software so that the public and private sectors can effectively invest in the projects as a path to improve software security. Each software package is scored using data from software supply chain firms FOSSA, Snyk, Sonatype, and the Black Duck Cybersecurity Research Center.

The resilience of the software supply chain has become a major concern of the software industry and national governments. The Biden administration, for example, released a National Cybersecurity Strategy that firmly emphasized finding ways to improve the security of software and the open source ecosystem on which most applications rely.

**Critical Connections to the Cloud**

The Amazon Web Services (AWS) software development kit for Python, known as Boto3, rose to fifth place on the list of critical software on the "Non-npm, Direct, Version Agnostic Packages" list. The library was not ranked in the previous Census II. A similar package — aws-sdk — rose to the seventh spot on the JavaScript-ecosystem "npm, Direct, Version Agnostic Packages" list, from 307th in the previous census.

Other cloud-focused packages saw similar jumps: The software development kit to connect Go programs to Google Cloud ranked eighth, while the AWS kit for .NET rose to number 30. Neither were ranked in the previous census.

Because the Node Package Manager (npm) ecosystem sees a significant volume of JavaScript downloads — 4.5 trillion in 2024, compared to 530 billion for Python, according to Sonatype — the data overwhelms measurements of popularity. As a result, the census breaks out npm downloads from those for other software ecosystems.

The data underscores the criticality of open source software to the infrastructure underpinning cloud services, says Brian Fox, CTO and co-founder of Sonatype, a software supply chain management firm.

"Open source across the board just continues to see 'hockey stick' growth year after year, which is shocking — we're starting to see really, really big numbers," he says. "That's the reason why they're doing the census, because it is so important to be shining a light on these things."

**Perils of Python 2 Boost Compatibility Library**

Replacing or patching outdated software has become a central focus of efforts to eliminate vulnerabilities from software. Over the past decade, for example, Python developers have only slowly moved to use Python 3, which was originally introduced in 2006. Last year, 1% of Python developers used Python 2 as their primary programming language, down from 13% in 2019, according to data from JetBrains' annual "Developer Ecosystem" report.

As a result, a project designed to allow compatibility between software written in Python 2 and code in Python 3 — the "Six" project — has become a critical software component, according to Census III. Typically, Python versions are supported for five years. Python 3.11 — currently used by 27% of developers as their primary programming language, making it the most popular version at present — will reach its end of life in October 2027. The final version of Python 2 — version 2.7 — passed its end of life in January 2020.

The data does not address how often developers encounter — and interact with — components written in Python 2. The overwhelming shift to Python 3 is driving the use of Six, as developers need to use older code with programs written in the latest version of Python. In addition, certain groups of developers — such as 29% of data scientists and 19% of Web developers — continue to use some Python 2 code, according to data from JetBrains, a maker of development tools.

"If you look at the raw numbers, Python 3 is far more common, but in various specific domains Python 2 is still widely, widely used, which is why Six is showing up more," the Linux Foundation's Wheeler says. "I would argue it's why we're finally able to get so many more Python 3 users is because the bridge to move from 2 to 3 is easier."

While Census III is available to download from the Linux Foundation, companies should be automating their package management and regularly testing and updating their software, says Sonatype's Fox. The real lesson from the census is not which packages should be given the most attention, but which projects need additional funds and paid maintainers.

"The sustainability of the \[open source ecosystem\] is something that should be top of mind," he says. "We're dependent more and more on largely an aging and unpaid workforce for maintaining critical software — those two things together don't end well."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Open Source Security Priorities Get a Reshuffle

New Fortress Information Security research shows 90% of software products used by critical infrastructure organizations contain code developed in China.

PRESS RELEASE

ORLANDO, FL — December 5, 2024 — The code that makes up the software now powering U.S. utilities is rife with vulnerabilities, including hundreds that are “highly exploitable,” a new research report released by Fortress Information Security today finds. Researchers studied thousands of products and found troubling risk patterns.

The report, Beyond the Bill of Materials: The Silent Threat Lurking in Critical Infrastructure Software, also shows that 25 percent of software components and 90 percent of software products contained code from developers in China.

Compromised software code can provide threat actors with a “backdoor” into power grids, oil and gas pipelines, and communication networks. In similar research last year, Fortress discovered that code developed in China was 1.4 times more likely to contain vulnerabilities than code developed elsewhere.

“China is an existential threat to U.S. economic and physical security,” said Alex Santos, CEO of Fortress. “Software products with China-born code must be identified and weeded out from our nation’s critical infrastructure. We developed and then examined the Software Bill of Materials (SBOM) for the most widely used products managing the U.S. electric power grid. The next step is to take action to eliminate these systemic risks, and we look forward to working with utilities to do just that.”

Using the North American Energy Software Assurance Database (NAESAD) to review Software Bills of Materials (SBOMs) for more than 2,000 software products, researchers found:

More than 9,000 unique vulnerabilities – including 855 highly exploitable vulnerabilities that attackers can exploit with minimal effort.

Twenty components that account for more than 80% of critical vulnerabilities.

3,841 instances of Known Exploited Vulnerabilities (KEVs) across products. KEVs are a subset of vulnerabilities actively exploited by threat actors in the wild.

The Most Common Dependencies were 1) The Linux kernel, 2) zlib (a compression library), and 3) OpenSSL (an open-source cryptographic library). 

"Once again, we found that just a small number of common components, used across hundreds of products, were responsible for the bulk of critical vulnerabilities,” said Bryan Cowan, lead researcher for Fortress. “These are vulnerabilities that can be detected and software flaws that can be corrected. Addressing those 20 components would make our power plants, oil and gas refineries, and chemical companies much more secure.”

Brief Methodology

Fortress created a Software Bill of Materials (SBOM) for each product version using binary analysis. Researchers reviewed the SBOMs stored in NAESAD. Fortress analyzed more than 9,535 unique vulnerabilities identified across 8,758 unique components associated with 2,233 products across 243 vendors. This included information technology (IT) products, used for network management, and operational technology (OT) products, used for business functions. The team used the Exploit Prediction Scoring System (EPSS) as a proxy for exploitability. 

About Fortress. Securing critical supply chains and cyber assets from evolving threats.

Source

DARKReading