Tag: Advisors

Cyber (In)Securities – Issue 126

Information Security News: Ghost Ransomware Targets Orgs in 70+ Countries (Dark Reading, by Elizabeth Montalbano). Ghost ransomware continues to pose a significant threat globally, now targeting organisations in over 70 countries. This ransomware variant is particularly insidious due to its ability to encrypt data swiftly and demand 

Cyber (In)Securities – Issue 124

Information Security News: Thai authorities detain four Europeans in ransomware crackdown (Cyberscoop, by Greg Otto). In a coordinated operation, Thai authorities arrested four European nationals in Phuket, suspected of orchestrating Phobos ransomware attacks. The individuals allegedly extorted approximately $16 million in Bitcoin from over 1,000 victims 

Delving into the Shadows: An Approach to Identifying Obscure Cyberattacks

By Shantanu Bhattacharya

Posted on February 06, 2025 | Originally published on RSAC Conference

In the ever-evolving landscape of cybersecurity, attackers are constantly seeking new ways to bypass traditional defences. This blog delves into the often-overlooked methods they use, focusing on how obscure techniques, specifically within UNIX system calls and file system manipulation, are employed to gain access to and exfiltrate sensitive data. A similar situation exists with Windows system calls, but we concentrate on one system for clarity and conciseness. Our primary focus is on attacks carried out from user mode, and on how access can be protected at that level.

We begin by exploring “the shadows” of UNIX-like systems, highlighting system calls that are typically not monitored, such as openat, ptrace, mmap, and others. These system calls are not inherently malicious; attackers simply misuse them. Think of it as using the wrong key to open a door. Attackers use ptrace, for example, to attach to a running process and read or modify its memory, reaching data they are not supposed to see. Or they use mmap to map a sensitive file such as /etc/shadow directly into memory: the contents are then pulled in through page faults rather than read(), so a monitor that hooks only read() and write() records no access at all. (Note that mmap does not bypass the permission check itself: the file must first be opened with open() or openat(), which is subject to the usual access control; what mmap evades is read()-based monitoring.) Other examples include sendfile, which moves data from a file descriptor to a socket entirely inside the kernel and can therefore exfiltrate a file to a remote host without the bytes ever passing through a user-space buffer, and rename, which is used to swap a sensitive file for a malicious one. We even see dup misused to duplicate file descriptors so that a privileged descriptor is reused, or inherited by a child process, to reach data the caller could not open on its own. Equivalent attacks exist on Windows, but they mirror their UNIX counterparts closely and would add little here.
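To make the mmap, sendfile and dup points concrete, here is an added example in C for Linux; it is not code from the original article or from 360Sequrity. It reads a file through a memory mapping instead of read(), copies it kernel-to-kernel with sendfile(), and checks what dup() does to the close-on-exec flag. The paths under /tmp and the sample content are constructed for the demonstration, and it reads an ordinary file rather than /etc/shadow because, as noted above, open() still applies the normal permission check.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample paths and content for this demonstration (assumptions,
 * not anything taken from the article). */
#define SAMPLE_SRC "/tmp/shadow_demo_src.txt"
#define SAMPLE_DST "/tmp/shadow_demo_dst.txt"
#define SAMPLE_TEXT "root:x:0:0\n"

/* Create the sample file. Returns bytes written, or -1 on error. */
ssize_t write_sample(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n;
}

/* Copy a file's contents into buf through mmap(2). No read(2) is issued,
 * so a monitor that hooks only read()/write() sees no access. open(2) still
 * enforces the usual permission check: mmap evades read()-based monitoring,
 * not access control. Returns bytes copied, or -1 on error. */
ssize_t read_via_mmap(const char *path, char *buf, size_t bufsz) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    size_t filesz = (size_t)st.st_size;
    if (filesz == 0) { close(fd); buf[0] = '\0'; return 0; }
    void *map = mmap(NULL, filesz, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);                       /* the mapping outlives the descriptor */
    if (map == MAP_FAILED) return -1;
    size_t n = filesz < bufsz ? filesz : bufsz - 1;
    memcpy(buf, map, n);             /* pages are faulted in, not read() */
    buf[n] = '\0';
    munmap(map, filesz);
    return (ssize_t)n;
}

/* Copy src to dst with sendfile(2): the bytes move entirely inside the
 * kernel and never enter a user-space buffer. dst could equally be a
 * connected socket, which is the exfiltration case. Returns bytes
 * transferred, or -1 on error. */
ssize_t copy_via_sendfile(const char *src, const char *dst) {
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    struct stat st;
    if (fstat(in, &st) < 0) { close(in); return -1; }
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (out < 0) { close(in); return -1; }
    off_t total = 0;
    while (total < st.st_size) {
        ssize_t n = sendfile(out, in, NULL, (size_t)(st.st_size - total));
        if (n <= 0) { total = -1; break; }
        total += n;
    }
    close(in);
    close(out);
    return (ssize_t)total;
}

/* dup(2) always clears FD_CLOEXEC on the copy, so a descriptor opened with
 * O_CLOEXEC becomes inheritable by any program exec'd afterwards. Returns 1
 * if the duplicate would leak across exec, 0 if not, -1 on error. */
int dup_leaks_across_exec(const char *path) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int copy = dup(fd);
    close(fd);
    if (copy < 0) return -1;
    int flags = fcntl(copy, F_GETFD);
    close(copy);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Exercise all three paths against the sample file. Returns 0 when every
 * step produced the expected bytes, otherwise the number of the failing step. */
int selfcheck(void) {
    char buf[64];
    ssize_t want = (ssize_t)strlen(SAMPLE_TEXT);
    if (write_sample(SAMPLE_SRC, SAMPLE_TEXT) != want) return 1;
    if (read_via_mmap(SAMPLE_SRC, buf, sizeof buf) != want || strcmp(buf, SAMPLE_TEXT) != 0) return 2;
    if (copy_via_sendfile(SAMPLE_SRC, SAMPLE_DST) != want) return 3;
    if (read_via_mmap(SAMPLE_DST, buf, sizeof buf) != want || strcmp(buf, SAMPLE_TEXT) != 0) return 4;
    if (dup_leaks_across_exec(SAMPLE_SRC) != 1) return 5;
    return 0;
}

int main(void) {
    int rc = selfcheck();
    printf("selfcheck: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

Run it under strace and note that neither read_via_mmap nor copy_via_sendfile ever issues a read() against the source file; that is exactly the blind spot of a monitor that hooks only read()/write(). On Linux hosts with auditd, a rule such as `-a always,exit -F arch=b64 -S mmap,sendfile,ptrace -F auid>=1000 -F auid!=unset -k obscure_syscalls` records these calls, but mmap in particular is extremely noisy (the dynamic loader uses it for every shared library), so such rules need filtering by subject or by object before they are useful as detections.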

Attackers also manipulate file system features and metadata to carry out their activities. Methods range from hiding data in NTFS alternate data streams (ADS) and in sparse files, to abusing NTFS junctions and symbolic links to redirect file operations, to using rootkits to hide malicious activity from security tools. These methods are difficult to detect because they rely on legitimate system-level mechanisms and tools, and they do not necessarily leave a trail, particularly in user mode.

The current security landscape is often lacking when it comes to protecting against these more subtle attacks. Traditional security solutions, while proficient at user authentication, often fall short on device authentication, relying on easily spoofable IP and MAC addresses, and they overlook software authentication entirely, a gap that needs to be addressed. Consider this: current security checks whether the user has permission to use the software, but not whether the specific instance of that software is trusted and authorised. This is a key weakness that can be exploited through compromised software instances to gain unauthorised access.

This is where a new solution comes in, using a multi-dimensional approach. Unlike traditional security, which focuses on user credentials, the solution requires not only the right user but also the right device and the right software. It authenticates each of the three, so that access is granted only to a valid user on a valid device running a valid software instance. In addition, it provides 24×7 monitoring of all data access paths, so that even if an attack uses an obscure or unintended system call, access is automatically denied. This multi-faceted approach provides significantly more stringent access control; it is like adding multiple checks to a bank transaction. Organisations should take into account the many obscure techniques attackers use as vectors. By treating administrator access as a separate, higher-privilege tier rather than just another user, organisations can close the loopholes usually present in the security system.

Much like fortifying the foundation of a building, it is critical to strengthen operating system security at both user and kernel level. This is fundamental to all secure computing going forward.

In conclusion, by understanding obscure attack vectors and implementing robust, comprehensive security solutions such as the one described above, organisations and users can move closer to a truly secure digital environment. It is time to look beyond the usual and fortify every aspect of our systems from the ground up.


Shantanu Bhattacharya
Founder CEO & CTO, 360Sequrity

Australia’s Digital Destiny: Leading the Charge for Online Freedom

Introduction In today’s interconnected world, the importance of digital rights cannot be overstated. While the European Union is making commendable strides in this arena, Australia stands at a pivotal juncture to assert its leadership in championing online freedom. The nation’s commitment to democratic values, coupled 

Cyber (In)Securities – Issue 123

Information Security News: Federal Judge Tightens DOGE Leash Over Critical Treasury Payment System Access (The Register, by Brandon Vigliarolo and Jessica Lyon). A federal judge has ordered stricter oversight of the Department of Government Efficiency’s (DOGE) access to the U.S. Treasury’s critical payment systems, following concerns about the 

Welcome New Member – Osama Soliman from UAE

Please welcome our newest member from UAE, Osama Soliman!

Osama Soliman is a seasoned GRC professional with extensive experience in risk management, internal controls, and regulatory compliance. He currently leads the Risk & Control function at a leading online food delivery platform, overseeing GRC activities across multiple markets, including Enterprise Risk Management (ERM), Technology Risk Management (TRM), and compliance with COSO and SCA frameworks.

Prior to this, Osama held key roles in audit and consultancy firms, specializing in IT audits, internal control evaluations, and cybersecurity assessments. He has led risk assurance initiatives, developed IT governance frameworks, and conducted regulatory compliance reviews across various industries.

With a background in Computer Science, Osama holds multiple certifications, including CISA, CRISC, GRCP/A, COBIT 2019, ITIL, and COSO ERM, reinforcing his expertise in GRC and risk management.

We are thrilled to have Osama join CyAN and look forward to his contributions!

Please join us in welcoming Osama Soliman to our network!

Cyber (In)Securities – Issue 122

Information Security News: TSA’s Airport Facial-Recog Tech Faces Audit Probe (The Register, by Brandon Vigliarolo). The U.S. Transportation Security Administration’s (TSA) facial recognition program is under audit by the Government Accountability Office (GAO) due to concerns over privacy, data security, and potential biases. The audit will assess 

Beyond Data Protection Day: Safeguarding Our Digital Lives Every Day

January 28th was Data Protection Day—a global reminder that privacy isn’t just a legal formality or an operational headache. It’s a fundamental pillar of trust. If your business handles client or customer data (and let’s be honest, that includes almost every business these days), you 

How EDR/XDR Technologies Enhance Data Privacy and Their Implications for AI Governance

In today’s digital world, data privacy has become a paramount concern for organizations and individuals alike. As cyber threats grow increasingly sophisticated, organizations turn to robust security solutions like Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) to safeguard sensitive data. Beyond their immediate role in mitigating cyber risks, these technologies also have profound implications for broader privacy governance—especially in the context of artificial intelligence (AI), where privacy and ethical concerns dominate discussions.

This blog explores how EDR/XDR technologies support data and information privacy and delves into their implications for AI governance, particularly in the realm of privacy compliance and risk mitigation.

Understanding EDR and XDR: A Foundation for Privacy Protection

Before diving into their privacy benefits, it’s essential to understand the basics of EDR and XDR technologies.

What is EDR?

Endpoint Detection and Response (EDR) is a security technology designed to monitor, detect, and respond to threats at endpoints, such as laptops, desktops, and mobile devices. EDR tools collect and analyse endpoint data, providing real-time visibility into activity and enabling rapid incident response.

What is XDR?

Extended Detection and Response (XDR) takes EDR a step further by integrating data from multiple security layers—endpoints, networks, servers, email systems, and cloud workloads. It provides a unified view of threats across the organization, allowing for comprehensive detection, analysis, and response.

How EDR/XDR Technologies Enhance Data Privacy

EDR and XDR technologies are instrumental in safeguarding sensitive information and ensuring data privacy. Here’s how they achieve this:

1. Threat Detection and Prevention

     •  EDR’s Real-Time Monitoring: EDR continuously monitors endpoint activity, identifying malicious behaviour or unauthorised access attempts that could compromise sensitive data. For example, if malware attempts to exfiltrate personal information, EDR can detect and block it in real time.

     •  XDR’s Broader Coverage: By correlating data from various sources, XDR enhances visibility and identifies sophisticated attack vectors, such as coordinated phishing campaigns or insider threats targeting sensitive information.

2. Data Encryption and Access Controls

     •  Encryption Posture: EDR agents can report whether disk encryption is enabled on an endpoint and, through integration with endpoint management tooling, enforce it, so that sensitive data stays protected even if a device is lost or stolen.

     •  Access Management via XDR: XDR systems can integrate with identity and access management tools to enforce strict access controls and prevent unauthorised data access.

3. Privacy Breach Mitigation

     •  Rapid Incident Response: EDR provides forensic tools to investigate breaches quickly, minimizing the window of exposure for sensitive data.

     •  Anomaly Detection: XDR uses advanced analytics, including machine learning, to detect unusual data flows that may indicate a privacy breach, such as unauthorised data exfiltration.

4. Compliance with Privacy Regulations

     •  Regulatory Alignment: Many privacy regulations, such as GDPR, HIPAA, and CCPA, mandate robust data protection measures. EDR/XDR technologies help organisations meet these requirements by securing endpoints and data across the network.

     •  Audit Trails and Reporting: XDR’s centralised logging capabilities provide detailed records of security events, aiding compliance audits and demonstrating adherence to privacy laws.

5. AI-Powered Threat Intelligence

     •  Modern EDR/XDR solutions leverage AI to analyse vast amounts of telemetry, enabling earlier detection of privacy risks so that threats can be identified before they exploit vulnerabilities.

The Intersection of EDR/XDR Technologies and AI Governance

As AI becomes a cornerstone of modern technologies, it presents unique challenges to data privacy. From algorithmic transparency to data sovereignty, the governance of AI requires robust frameworks that align with privacy principles. EDR/XDR technologies, with their focus on data security, play a crucial role in shaping these frameworks.

1. Protecting AI Training Data

AI models require vast amounts of data for training, much of which is sensitive or personal in nature. EDR/XDR technologies can secure this data by:

     •  Detecting Unauthorised Access: XDR can detect and alert on access to AI training datasets by entities that are not authorised to use them.

     •  Detecting Data Manipulation: EDR tools can flag suspicious activities that could compromise the integrity of AI training data.

2. Ensuring Compliance in AI Systems

     •  AI systems must comply with privacy regulations, including data minimisation and transparency requirements. XDR’s centralised management capabilities enable organisations to monitor AI-related data flows and ensure compliance with these principles.

3. Enhancing Accountability in AI Operations

     •  With advanced logging and forensic capabilities, XDR supports accountability by tracking how AI systems access and process sensitive data. This visibility is essential for identifying and addressing potential privacy violations.

4. Mitigating AI-Specific Threats

AI systems themselves can be targets of attacks, such as model poisoning or adversarial attacks that manipulate outputs. EDR/XDR technologies help secure the endpoints and systems involved in AI operations, reducing the risk of privacy breaches caused by compromised AI models.

Implications for AI Governance and Privacy Regulation

The integration of EDR/XDR technologies into privacy strategies has far-reaching implications for AI governance:

1. Strengthened Data Governance

By ensuring the security and integrity of data, EDR/XDR technologies support robust data governance frameworks that align with AI’s ethical principles. They enable organizations to manage AI datasets transparently and securely, fostering trust among stakeholders.

2. Proactive Risk Management

AI systems are only as trustworthy as the data they rely on. EDR/XDR’s threat detection capabilities provide an additional layer of protection against risks such as data poisoning or unauthorized access to AI models, reinforcing ethical AI use.

3. Enabling Privacy-First AI Development

The principles of privacy by design and privacy by default are critical for AI governance. By integrating EDR/XDR technologies into their security infrastructure, organizations can embed privacy protections into AI development processes from the ground up.

4. Facilitating Regulatory Compliance

As regulations like the EU AI Act, alongside existing GDPR obligations, increasingly address AI-specific privacy concerns, EDR/XDR technologies offer tools that support compliance. For example, they can generate detailed logs and reports that help demonstrate adherence to transparency and accountability requirements.

Conclusion: A Privacy-Driven Future with EDR/XDR and AI Governance

In an era where data privacy and AI ethics converge, EDR and XDR technologies are indispensable for organisations aiming to navigate this complex landscape. By securing endpoints and integrating threat detection across systems, these tools not only protect sensitive data but also support the ethical and compliant use of AI. As AI governance evolves, the role of security technologies like EDR/XDR will only grow, providing a foundation for trust, transparency, and accountability in the digital age. Organisations that prioritise these technologies will be better positioned to address privacy concerns, foster innovation, and lead the charge toward a responsible AI future.

CyAN Members Bharat Raigangar and Dr. Mathew Nicho Featured as Cover Story in Enterprise IT World MEA

We are proud to share that two of our esteemed CyAN members, Bharat Raigangar and Dr. Mathew Nicho, are featured as the cover story in the December 2024 issue of Enterprise IT World MEA! This engaging cover story reflects their thought leadership and their commitment