This article is contributed. See the original author and article here.
At Microsoft Ignite, Microsoft Dynamics 365 Marketing announced a range of new AI features. We strongly believe in the power of AI to help businesses and their customers grow. We also recognize that these new technologies have the potential for misuse and harm.
That’s why in Dynamics 365 Marketing, we are taking an intentional and rigorous approach to upholding Microsoft’s responsible AI principles. AI requires scrutiny, thoughtfulness, and research to first understand potential impacts on people and society, and then seek solutions that mitigate harm.
As Satya Nadella says, Microsoft runs on trust. And trust must be earned in the short term as well as the long term. In Dynamics 365 Marketing, we see responsible AI as an opportunity to demonstrate trustworthiness as well as a path for innovation: a way to minimize harm and expand our capacity to provide useful and delightful experiences for our customers and their customers.
Let’s take a closer look at some of the work we’re doing on a new AI feature called Content ideas.
What is Content ideas and how does it work?
The Content ideas feature in Dynamics 365 Marketing helps marketers get inspiration for emails and create their best content faster. Marketers can type in a few key points, and Content ideas will generate original content based on those key points. Under the hood, Content ideas also references the customer’s past marketing emails so it can generate ideas that are similar in tone, structure, and style. This is a powerful advancement I’m very excited about, where marketers never have to start from a blank slate when writing content.
The AI technology behind this feature is a large language model called GPT-3, developed by OpenAI and currently available in an invite-only preview as part of Microsoft’s Azure OpenAI Service as well as through OpenAI’s API. GPT-3 can perform a wide range of natural language tasks, including summarizing text, analyzing text for sentiment, and, as it’s applied in Content ideas, generating original text that looks like a human wrote it. GPT-3 is one of the leading examples of the type of AI model the industry is moving toward, rapidly accelerating AI capabilities that bring value to customers.
But large language models such as GPT-3 come with risks, including generating content that isn’t factual or content that reflects the biases of the dataset used for training, which, in the case of GPT-3, was approximately 45TB of text from the internet. To mitigate such risks, OpenAI and Microsoft are committed to helping customers identify potential safety issues that could arise from using GPT-3 and providing best practices for safety. And at Microsoft, as we incorporate these kinds of technologies into our products, we’re also investing deep thought into how risks might show up for our customers in our specific scenarios, and how we can address those challenges.
Here, we’ll zoom in on one area we’re looking at closely for Content ideas: the user experience (UX).
UX questions for a responsible AI approach
Dynamics 365 Marketing has focused on human-centered research to deeply understand the needs and aspirations of marketing content creators, as well as explorations in UI design and data science, to translate responsible AI principles into a powerful UX that elevates and empowers human expertise.
As Charles Lamanna, Corporate Vice President of our Business Applications and Platform says, “An emerging technology like GPT-3 is such an exciting breakthrough in innovation. I’m proud of products like Dynamics 365 Marketing, where teams are working across engineering and design to intentionally think about how we responsibly bring AI to our customers.”
Early research leads us to these key questions:
1. How might we build transparency around how Content ideas works, so people can use the feature to meet their specific needs?
Setting clear expectations about Content ideas’ capabilities and limitations is essential, both to help people achieve their goals and to prevent people from using it in a way that isn’t intended. The more people understand how GPT-3 uses their key points to generate original content, the easier it is for them to craft key points that will get them helpful suggestions. In the current UX for Content ideas, we offer a “Learn more” panel from multiple points during onboarding. This panel is structured similarly to an FAQ, addressing top questions about what the feature does and how the technology works. We’re also using design principles such as progressive disclosure to give people relevant information at just the moment they need it. For example, after marketers have submitted their key points and are waiting for Content ideas to generate suggestions, the loading screen sets expectations around potentially seeing unexpected results and offers tips for what to do next if none of the suggestions are a good fit. We’re continuing to explore ways to help people better understand how their choices affect the system outputs.
2. Once people understand how the technology works, how might we give people more control over the system?
A foundational pillar in human-AI collaboration is making sure people have meaningful oversight and control. The right amount of control helps people make the system work for their goals and context, and helps them build confidence in the system. With Content ideas, we want to empower content creators’ expertise and give them the right levers and buttons so they can use the system in ways that work for them, while automating parts of the process that don’t require human judgment. For example, we frame the feature as a brainstorming and writing partner, rather than a magical tool that does all the writing for you. In the end, the author is in charge: Content ideas makes suggestions that they can choose to use, edit, or ignore. Our research has also shown that content creators want more granular control over generated suggestions, such as being able to copy and paste smaller sections from different suggestions, and the ability to instruct the system on additional attributes such as audience and tone. We’re exploring how to integrate these potential interactions and others along these lines.
3. Once people understand how the technology works and how they can influence it, how might we help them understand their accountability and feel confident about their responsibility for the final content?
Large pre-trained language models like GPT-3 are general purpose and don’t always produce perfectly accurate results, particularly for tasks that require specific knowledge like the latest pricing data for a product. This means that even with detailed key points to start with, Content ideas might include color variations, prices, or sale dates that could look realistic but might not be correct. We want to make sure content creators feel confident in their responsibility as final owners of the content, making sure they have robust opportunities throughout the experience to check for accuracy and edit as appropriate. Additionally, in our “Learn more” panel, we directly answer the question, “Can I use the suggestions word for word?” (The short answer: Yes, as long as you review carefully for accuracy and appropriateness.) As we move forward, we’re exploring ideas such as a reminder to check for accuracy before someone adds a suggestion to their draft, or a feature to flag details that might benefit from a close read.
4. How might we measure the success of our UX to capture how well we are building trust, supporting creativity, and empowering user confidence in using Content ideas to meet their goals?
Success in UX is often measured by things like: Were we able to help someone accomplish a task more quickly? Was the task done at a higher quality? And are people satisfied with the result? Content ideas invites us to consider additional ways in which people might have a successful experience. For example, since the feature can offer a range of possible ideas for a content creator to consider, if someone is looking for multiple avenues of inspiration, creativity might look like generating many ideas and then building new ideas from there, rather than copying and pasting a single idea. In our research for Content ideas, we’re considering how to qualitatively assess people’s experiences, such as how much they felt that the feature helped them become more creative and how confident they were in having control over the final text, so that we have a more holistic understanding of where we can improve the experience to support a range of user goals. We’re also exploring ways of gathering feedback in the UI to help us understand the usefulness of generated ideas.
These are hard questions, and we don’t have all the answers yet. But we are committed to developing solutions that minimize harm and empower human expertise, while always providing our customers and our users an amazing experience. Ultimately the goal is to build high-quality experiences that establish appropriate trust, bringing sustainable value to people and businesses. We’re educating ourselves and trying to learn quickly so that we can achieve this vision for our future and yours. I’m proud that Content ideas is one of many areas where Microsoft is working on responsibly implementing AI technologies like GPT-3, alongside efforts such as the recently launched Ten Guidelines for Product Leaders to Implement AI Responsibly and the new responsible AI dashboard.
And to learn more about how your organization can elevate your customer experiences, visit the Dynamics 365 Marketing webpage and sign up for a free Dynamics 365 Marketing trial to explore real-time customer journey orchestration and the other rich capabilities offered in Dynamics 365 Marketing.
I have been on a journey to explore Azure IoT and push the thousands of events that flow through my local MQTT broker (Mosquitto) into Azure IoT.
After my last post on using the Azure IoT SDK for Python in conjunction with Paho MQTT, I thought my work here was complete. But I have just recently been made aware that there is native support for various Arduino devices by Microsoft and Espressif. How awesome is that!
Before you get too excited: given the requirements of such libraries, this is not going to work on your Arduino Uno, Arduino Mega 2560 and so on. Support for Azure IoT Hub is (for now) reserved for the newer generation of boards from Espressif (ESP32, ESP8266) and the Realtek Ameba D. These boards have hundreds of kilobytes of RAM (megabytes with external PSRAM) rather than a few kilobytes, a dual-core CPU in the case of the ESP32, and are able to run a TCP/IP stack, TLS (which IoT Hub requires), MQTT and so on.
If there is a theme for my house, it is bookended with reliability, and with that, it’s time to put my rack-mounted Raspberry Pi away and adopt a microcontroller. A Raspberry Pi, as great as it is, is an SBC (Single Board Computer) that needs to be updated, watered and fed. It uses a file system on a flash memory subsystem. How does this bode for reliability, and have you ever had a corrupt file system on a microcontroller?
Like any good, opinionated architect, I would urge you to stop, put away your Raspberry Pis and take a different approach: a microcontroller.
Today, I leverage around 30 outputs on an Arduino Mega 2560 with an Ethernet and PoE shield using MQTT (the PubSubClient library), but it’s time to modernise, and given my love of ESP devices with Tasmota, I decided to purchase an ESP32 for this very task. In this post I will illustrate how to build a bridge from Mosquitto MQTT into Azure IoT Hub using this ESP32 device.
I covered in a prior post why I am going down this path of publishing telemetry to Azure IoT Hub, along with the several ways I have illustrated how one can go about achieving this goal: from direct connection to Azure IoT Hub (via MQTT and SAS tokens), through to Azure IoT Edge running locally with MQTT, and finally the SDKs. I have been able to achieve my goals with varying levels of success but have a few concerns about the approaches I have tried thus far.
Direct-Connection to Azure IoT Hub introduces latency to the cloud.
Authentication, from SAS tokens to X509 certificates: it’s not anonymous, and some of my tiny devices (Tasmota) don’t bode well.
Topic structure: it is defined (devices/{DeviceID}/messages/events/) and not free form. It means reconfiguration, which isn’t hard, but a lot of friction.
Reliability: all solutions thus far have relied on an OS, which requires patching and updating and is, even whilst small, an administrative burden.
My goals for building a solution
No reconfiguration of any of my MQTT devices (Home Assistant, PLC, Arduino Mega 2560, ~75 Tasmota devices).
Bridge my existing MQTT broker (Mosquitto) in to Azure IoT.
Run on microcontroller, as I want to be reliable.
Pretty lofty goals; you may even say I am being lazy, but the reality is I want a low-friction way to derive operational intelligence from the many thousands of events each day (read below, it’s over 10K per day!).
What we are going to build
To overcome the limitations described above, we are going to use an ESP32 microcontroller, C++ code and a couple of libraries. Just in case you are not familiar, let me introduce you to the ESP32.
ESP32
Where do I start? What is not to love about this SoC? The ESP32 is a modern, powerful, Arduino-compatible microcontroller that powers many devices: from my irrigation controller (OpenSprinkler) through to my kids’ learning robot (mBot), they are using either an ESP32 or an older derivative such as the ESP8266. Today I am using it as a software bridge, but there is a plethora of I/O and support for PWM, I2C and more, which makes it a versatile all-rounder.
The ESP32 is a series of low-cost, low-power system-on-a-chip microcontrollers with integrated Wi-Fi and dual-mode Bluetooth. The ESP32 series employs either a Tensilica Xtensa LX6 microprocessor in both dual-core and single-core variations, an Xtensa LX7 dual-core microprocessor or a single-core RISC-V microprocessor and includes built-in antenna switches, RF balun, power amplifier, low-noise receive amplifier, filters, and power-management modules. ESP32 is created and developed by Espressif Systems, a Shanghai-based Chinese company, and is manufactured by TSMC using their 40 nm process. It is a successor to the ESP8266 microcontroller.
See the steps below as I tease out this solution, or my GitHub repo for the full Arduino sketch. To give you a better understanding of how this works, I will break it down into the logical steps required to receive messages from Mosquitto over MQTT using ‘PubSubClient’ and then re-publish them into Azure IoT Hub using the ‘Esp32MQTTClient’.
Step 1 – Arduino IDE – Add ESP32 to the Board Manager
The Arduino IDE does not know about the ESP32, so the very first step is to use the Arduino IDE’s ‘Boards Manager’ capability to add support for it. In the Arduino IDE, open ‘Preferences’ and enter one of the following URLs in ‘Additional Boards Manager URLs’:
Open ‘Boards Manager’ from the ‘Tools’ > ‘Board’ menu. Search for and install ‘ESP32’. Select your specific ESP32 board from the menu after installation.
Restart the Arduino IDE.
Step 2 – We Need A Library – PubSubClient
Whilst we now have support for the ESP32, we need to add a library that will allow us to subscribe to and receive MQTT messages from our Mosquitto broker. For this very purpose we need an MQTT library. There are many, but I have used ‘PubSubClient’ in the past on other projects without any issues. To install: ‘Tools’ > ‘Manage Libraries’ > search for ‘PubSubClient’.
Step 3 – Author Some Code (Libraries and Variables)
After validating your board is working (I would suggest uploading a Blink sketch) we can start coding. This example is based on ‘Examples > ESP32 Azure IoT Arduino > Simple MQTT’.
We need to include some libraries, we will be using the Wi-Fi (for connectivity), PubSubClient (for Mosquitto MQTT) and the ESP32MQTTClient (for Azure IoT Hub).
Regarding Azure IoT Hub, you will need to define your device connection string. Treat it as a secret: it carries the device’s shared access key, so keep it out of version control and out of any sketch you publish. This post does not cover creating an IoT Hub or creating a device and assumes you have done this already. See Use the Azure portal to create an IoT Hub | Microsoft Docs for more information on creating an Azure IoT Hub, adding a device and obtaining a device connection string.
Step 4 – Author Some Code (Setup Function: Connect to Wi-Fi, Azure and Mosquitto MQTT)
Our ‘setup’ function establishes the connection to our LAN via Wi-Fi and then connects to Azure, whereas the ‘MQTTConnect’ function not only connects to our local MQTT broker but also defines the MQTT topics to subscribe to. Two things to note on the broker side: the connection is plain MQTT on port 1883, which is fine on a trusted LAN but means the broker should still require a username and password (pass them to connect() rather than connecting anonymously), and PubSubClient’s default packet buffer is 256 bytes, so larger Tasmota payloads are silently dropped unless you raise it with setBufferSize(). You can subscribe to multiple MQTT topics by having multiple subscribe lines. You can also use MQTT wildcard filters to match events using fewer subscriptions.
Plus sign (+): It is a single level wildcard that matches any name for a specific topic level. We can use this wildcard instead of specifying a name for any topic level in the topic filter.
Hash (#): It is a multi level wildcard that we can use only at the end of the topic filter, as the last level and matches any topic whose first levels are the same as the topic levels specified at the left-hand side of the # symbol.
The serial monitor is handy in debugging any issues either with Wi-Fi or connecting in to Azure IoT Hub.
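Because a wrong filter silently forwards nothing (or far more than intended), it is worth checking subscriptions against the MQTT matching rules before flashing. The Python below is an added example, not part of the original sketch or of the PubSubClient library: it implements the MQTT 3.1.1 topic-filter rules (‘+’ matches exactly one level, ‘#’ is allowed only as the last level and also matches its parent, and wildcards never match topics beginning with ‘$’) and runs the sketch’s stat/+/POWER subscription over a few constructed Tasmota-style topics. SUBSCRIPTIONS and SAMPLE_TOPICS are constructed for the demonstration.

```python
"""MQTT topic-filter matching as brokers such as Mosquitto apply it (added example)."""


def valid_filter(f: str) -> bool:
    """'#' may appear only as the whole last level; '+' only as a whole level."""
    if not f:
        return False
    levels = f.split("/")
    for i, lvl in enumerate(levels):
        if "#" in lvl and (lvl != "#" or i != len(levels) - 1):
            return False
        if "+" in lvl and lvl != "+":
            return False
    return True


def topic_matches(filter_: str, topic: str) -> bool:
    """True when a message published to `topic` is delivered to a
    subscription for `filter_`, following the MQTT 3.1.1 rules."""
    if not valid_filter(filter_) or not topic:
        return False
    # A wildcard at the first level never matches '$'-prefixed topics ($SYS/...).
    if topic.startswith("$") and filter_[0] in "+#":
        return False
    f_levels = filter_.split("/")
    t_levels = topic.split("/")
    for i, fl in enumerate(f_levels):
        if fl == "#":
            return True            # also matches the parent: 'stat/#' matches 'stat'
        if i >= len(t_levels):
            return False
        if fl != "+" and fl != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


SUBSCRIPTIONS = ["stat/+/POWER", "tele/+/SENSOR"]   # constructed
SAMPLE_TOPICS = [                                   # constructed, Tasmota-style
    "stat/sonoff1/POWER",
    "stat/sonoff1/RESULT",
    "tele/sonoff1/SENSOR",
    "stat/hall/light/POWER",          # extra level: '+' spans exactly one level
    "$SYS/broker/clients/connected",
]


def forwarded(subscriptions, topics):
    """Topics the bridge would forward to IoT Hub given its subscriptions."""
    return [t for t in topics if any(topic_matches(f, t) for f in subscriptions)]


if __name__ == "__main__":
    for t in SAMPLE_TOPICS:
        print(f"{t:32s} -> {'forward' if forwarded(SUBSCRIPTIONS, [t]) else 'ignore'}")
```

Note that stat/hall/light/POWER is ignored: a device with a multi-level topic prefix needs its own subscription (or stat/# with filtering on the ESP32), and a filter such as stat/#/POWER is rejected outright rather than matched loosely.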
void setup() {
  // Set baud rate
  Serial.begin(115200);
  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.println("ESP32 : Connecting to WiFi...");
  }
  Serial.println("ESP32 : WiFi connected");
  Serial.print("ESP32 : IP address: ");
  Serial.println(WiFi.localIP());
  // Local broker: raise the packet buffer (default 256 bytes) so larger
  // Tasmota STATE/SENSOR payloads are not silently dropped by PubSubClient.
  client.setBufferSize(1024);
  client.setServer(mqttServer, mqttPort);
  client.setCallback(callback);
  // Azure IoT Hub: the connection string carries the device SAS key; the
  // library handles TLS to the hub.
  if (!Esp32MQTTClient_Init((const uint8_t*)connectionString)) {
    hasIoTHub = false;
    Serial.println("Azure IoT Hub : Initializing IoT hub failed.");
    return;
  }
  hasIoTHub = true;
}
void MQTTConnect() {
  // Loop until we're reconnected
  while (!client.connected()) {
    Serial.print("MQTT : Attempting MQTT connection...");
    // Authenticate to Mosquitto; pass NULL, NULL only if the broker
    // deliberately allows anonymous clients.
    if (client.connect("ESP32Client", mqttUser, mqttPass)) {
      Serial.println("MQTT : Connected");
      // Once connected, announce our real address...
      client.publish("stat/ESP32/IP_Address", WiFi.localIP().toString().c_str());
      // ...and (re)subscribe, one topic filter per line.
      client.subscribe("stat/+/POWER");
    } else {
      Serial.print("MQTT : Failed to connect to MQTT , rc=");
      Serial.println(client.state());
      Serial.println("MQTT : Trying again to connect to MQTT in 5 seconds");
      // Wait 5 seconds before retrying
      delay(5000);
    }
  }
}
Step 5 – Author Some Code (MQTT Callback & Publish To Azure)
After the setup functions we now need a function that listens for incoming MQTT messages matching our subscription (the callback) and extracts the topic and payload, and another function (AzureIoTHub) that wraps them in a JSON envelope and sends them to Azure. Note that the payload handed to the callback is raw bytes, not a NUL-terminated string, and may contain quotes (Tasmota STATE and SENSOR payloads are JSON objects), so the envelope has to quote and escape both fields; simply concatenating topic and payload between braces does not produce valid JSON.
// Escape characters that may not appear raw inside a JSON string literal.
static String jsonEscape(const String& in) {
  String out;
  out.reserve(in.length() + 8);
  for (size_t i = 0; i < in.length(); i++) {
    char c = in[i];
    if (c == '"' || c == '\\') { out += '\\'; out += c; }
    else if (c == '\n') out += "\\n";
    else if (c == '\r') out += "\\r";
    else if (c == '\t') out += "\\t";
    else if ((unsigned char)c >= 0x20) out += c;   // drop other control characters
  }
  return out;
}

// PubSubClient calls this from client.loop() for each publish matching a
// subscription. The payload is not NUL-terminated, so copy exactly `length` bytes.
void callback(char* topic, byte* payload, unsigned int length) {
  MQTTTopic = String(topic);
  MQTTPayload = "";
  MQTTPayload.reserve(length);
  for (unsigned int i = 0; i < length; i++) {
    // Serial.print((char)payload[i]); - Use for debugging
    MQTTPayload += (char)payload[i];
  }
}

void AzureIoTHub() {
  if (hasIoTHub) {
    // Valid JSON envelope, e.g. {"topic":"stat/sonoff1/POWER","payload":"ON"}.
    // Topic and payload are quoted and escaped so a payload that is itself
    // JSON or contains quotes cannot break the document.
    String tempString = "{\"topic\":\"" + jsonEscape(MQTTTopic) +
                        "\",\"payload\":\"" + jsonEscape(MQTTPayload) + "\"}";
    if (Esp32MQTTClient_SendEvent(tempString.c_str())) {
      Serial.println("Azure IoT Hub : Sending data to Azure IoT Hub succeeded");
    } else {
      Serial.println("Azure IoT Hub : Failure...");
    }
  }
  // Clear the slot even when the hub is unavailable, otherwise loop() would
  // keep re-announcing the same message forever.
  MQTTPayload = "";
  MQTTTopic = "";
}
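One thing to check before pointing analytics at the hub: the envelope the bridge emits has to be valid JSON, and MQTT payloads are arbitrary bytes that may themselves contain quotes (Tasmota tele/+/STATE payloads are JSON objects). The Python below is an added example, not code from the sketch or from the Azure SDK: naive_envelope reproduces the plain ‘{topic:payload}’ concatenation, build_envelope produces a properly escaped envelope, parse_envelope is the consumer side, and fits_iot_hub checks the envelope against IoT Hub’s documented 256 KB device-to-cloud message limit. The sample topics and payloads are constructed.

```python
import json

# IoT Hub's documented device-to-cloud message limit (256 KB).
MAX_D2C_BYTES = 256 * 1024


def naive_envelope(topic: str, payload: str) -> str:
    """The plain concatenation '{' + topic + ':' + payload + '}'.
    Nothing is quoted, so the result is not JSON."""
    return "{" + topic + ":" + payload + "}"


def build_envelope(topic: str, payload: bytes) -> str:
    """Carry the raw MQTT payload as a JSON string. json.dumps escapes quotes,
    backslashes and control characters; undecodable bytes become U+FFFD rather
    than aborting the forward."""
    text = payload.decode("utf-8", errors="replace")
    return json.dumps({"topic": topic, "payload": text}, separators=(",", ":"))


def parse_envelope(envelope: str) -> dict:
    """Consumer side (whatever reads the hub's event stream): parse the envelope
    and, when the payload is itself JSON (Tasmota STATE/SENSOR), expose it as
    payload_json; plain payloads such as ON/OFF give None."""
    msg = json.loads(envelope)
    try:
        msg["payload_json"] = json.loads(msg["payload"])
    except ValueError:
        msg["payload_json"] = None
    return msg


def is_valid_json(text: str) -> bool:
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def fits_iot_hub(envelope: str) -> bool:
    """Size check before sending; oversized events are rejected by the hub."""
    return len(envelope.encode("utf-8")) <= MAX_D2C_BYTES


if __name__ == "__main__":
    # Constructed sample messages: a Tasmota relay state and a STATE telemetry object.
    samples = [
        ("stat/sonoff1/POWER", b"ON"),
        ("tele/sonoff1/STATE", b'{"Time":"2021-11-20T10:00:00","POWER":"ON","Wifi":{"SSId":"home"}}'),
    ]
    for topic, payload in samples:
        naive = naive_envelope(topic, payload.decode())
        print("naive   :", naive, "-> valid JSON:", is_valid_json(naive))
        env = build_envelope(topic, payload)
        print("escaped :", env, "->", parse_envelope(env)["payload_json"])
```

The payload is always carried as a string, and the consumer decides whether to parse it. That keeps non-JSON payloads (ON/OFF, a bare number) intact and means a malformed or hostile payload can at worst fail to parse downstream rather than corrupt the envelope itself.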
Step 6 – Author Some Code (Our Main Loop)
The main loop leverages all of these functions and its logic can be summarised in two points:
Connect to MQTT if there is no connection, and re-connect if the connection drops.
If there is an MQTT topic/message that was decoded by our ‘callback’ function, send it to Azure IoT Hub.
void loop() {
  // Connect to MQTT and reconnect if the connection drops
  if (!client.connected()) {
    MQTTConnect();
  }
  // Forward the message the callback captured. client.loop() delivers at most
  // one publish per call, so the single topic/payload slot is never overwritten
  // before it has been sent.
  if (MQTTTopic != "") {
    Serial.println("MQTT : Topic is [" + MQTTTopic + "]");
    Serial.println("MQTT : Payload is [" + MQTTPayload + "]");
    AzureIoTHub();
  }
  client.loop();
}
Pulling It All Together
Here is a complete copy of the above, plus a bit more. You could cut and paste the below or clone my GitHub repository.
#include <WiFi.h>
#include <PubSubClient.h>
#include "Esp32MQTTClient.h"

// Wi-Fi and local broker settings. Keep real values out of version control.
const char* ssid = "****";
const char* password = "****";
const char* mqttServer = "****";
const int mqttPort = 1883;
// Mosquitto credentials; set both to NULL only if the broker deliberately
// allows anonymous clients.
const char* mqttUser = "****";
const char* mqttPass = "****";

// Last message received from Mosquitto and not yet forwarded.
String MQTTTopic;
String MQTTPayload;

// Azure IoT Hub setup: the connection string carries the device SAS key.
static const char* connectionString = "****";
static bool hasIoTHub = false;

WiFiClient espClient;
PubSubClient client(espClient);

// Escape characters that may not appear raw inside a JSON string literal.
static String jsonEscape(const String& in) {
  String out;
  out.reserve(in.length() + 8);
  for (size_t i = 0; i < in.length(); i++) {
    char c = in[i];
    if (c == '"' || c == '\\') { out += '\\'; out += c; }
    else if (c == '\n') out += "\\n";
    else if (c == '\r') out += "\\r";
    else if (c == '\t') out += "\\t";
    else if ((unsigned char)c >= 0x20) out += c;   // drop other control characters
  }
  return out;
}

// PubSubClient calls this from client.loop() for each publish matching a
// subscription. The payload is not NUL-terminated, so copy exactly `length` bytes.
void callback(char* topic, byte* payload, unsigned int length) {
  MQTTTopic = String(topic);
  MQTTPayload = "";
  MQTTPayload.reserve(length);
  for (unsigned int i = 0; i < length; i++) {
    // Serial.print((char)payload[i]); - Use for debugging
    MQTTPayload += (char)payload[i];
  }
}

void MQTTConnect() {
  // Loop until we're reconnected
  while (!client.connected()) {
    Serial.print("MQTT : Attempting MQTT connection...");
    if (client.connect("ESP32Client", mqttUser, mqttPass)) {
      Serial.println("MQTT : Connected");
      // Once connected, announce our real address...
      client.publish("stat/ESP32/IP_Address", WiFi.localIP().toString().c_str());
      // ...and (re)subscribe, one topic filter per line.
      client.subscribe("stat/+/POWER");
    } else {
      Serial.print("MQTT : Failed to connect to MQTT , rc=");
      Serial.println(client.state());
      Serial.println("MQTT : Trying again to connect to MQTT in 5 seconds");
      // Wait 5 seconds before retrying
      delay(5000);
    }
  }
}

void setup() {
  // Set baud rate
  Serial.begin(115200);
  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.println("ESP32 : Connecting to WiFi...");
  }
  Serial.println("ESP32 : WiFi connected");
  Serial.print("ESP32 : IP address: ");
  Serial.println(WiFi.localIP());
  // Local broker: raise the packet buffer (default 256 bytes) so larger
  // Tasmota STATE/SENSOR payloads are not silently dropped by PubSubClient.
  client.setBufferSize(1024);
  client.setServer(mqttServer, mqttPort);
  client.setCallback(callback);
  // Azure IoT Hub; the library handles TLS to the hub.
  if (!Esp32MQTTClient_Init((const uint8_t*)connectionString)) {
    hasIoTHub = false;
    Serial.println("Azure IoT Hub : Initializing IoT hub failed.");
    return;
  }
  hasIoTHub = true;
}

void loop() {
  // Connect to MQTT and reconnect if the connection drops
  if (!client.connected()) {
    MQTTConnect();
  }
  // Forward the message the callback captured. client.loop() delivers at most
  // one publish per call, so the single slot is never overwritten before it is sent.
  if (MQTTTopic != "") {
    Serial.println("MQTT : Topic is [" + MQTTTopic + "]");
    Serial.println("MQTT : Payload is [" + MQTTPayload + "]");
    AzureIoTHub();
  }
  client.loop();
}

void AzureIoTHub() {
  if (hasIoTHub) {
    // Valid JSON envelope, e.g. {"topic":"stat/sonoff1/POWER","payload":"ON"}.
    // Topic and payload are quoted and escaped so a payload that is itself
    // JSON or contains quotes cannot break the document.
    String tempString = "{\"topic\":\"" + jsonEscape(MQTTTopic) +
                        "\",\"payload\":\"" + jsonEscape(MQTTPayload) + "\"}";
    if (Esp32MQTTClient_SendEvent(tempString.c_str())) {
      Serial.println("Azure IoT Hub : Sending data to Azure IoT Hub succeeded");
    } else {
      Serial.println("Azure IoT Hub : Failure...");
    }
  }
  // Clear the slot even when the hub is unavailable, otherwise loop() would
  // keep re-announcing the same message forever.
  MQTTPayload = "";
  MQTTTopic = "";
}
Seeing This In Action
Let’s drop to a video to see this working end-to-end. To validate that messages are flowing into Azure IoT Hub I use the Azure CLI (az iot hub monitor-events) to watch the hub’s event stream, coupled with the Arduino Serial Monitor on the device side.
After 24 hours of running, we can see I have published 10.52K messages into Azure IoT Hub, and there are certain ebbs and flows that occur in my house.
Conclusion
There are many ways to skin this code cat. My requirement was to publish messages into Azure, and we have been able to achieve this in different ways (I am sure there are more). Automation is a journey; which path will you take?
We illustrated a transparent side-car approach that listens to an existing broker on the topics you desire and pushes these into Azure IoT, all without making any configuration changes (the most important thing for my implementation). This method runs on a microcontroller, consumes less than 5 W of power and just works.
Are there any drawbacks? Sure there are. Right now this is one-way (simplex): it allows me to push messages into Azure IoT but not receive messages back, so cloud-to-device commands would need a separate path.
Personally, I like this approach: it combines the elegance of an SDK, as it’s my code, with the reliability of a microcontroller. It’s my code, my choices on what I do, but I do understand this is not for everyone. We now have my messages, my events, in Azure and it’s time to make some friends and learn how to derive operational intelligence, from visualizations through to machine learning and beyond.
Summary
Actions Critical Infrastructure Organizations Should Implement to Immediately Strengthen Their Cyber Posture:
• Patch all systems. Prioritize patching known exploited vulnerabilities.
• Implement multi-factor authentication.
• Use antivirus software.
• Develop internal contact lists and surge support.
Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 10. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
This joint Cybersecurity Advisory (CSA)—authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)—is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. This overview is intended to help the cybersecurity community reduce the risk presented by these threats.
CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations listed below and detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation.
Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
Increase organizational vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.
CISA, the FBI, and NSA encourage critical infrastructure organization leaders to review CISA Insights: Preparing for and Mitigating Cyber Threats for information on reducing cyber threats to their organization.
Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics—including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security—to gain initial access to target networks. Vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include:
Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials.
In some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware. See the following advisories and alerts for information on historical Russian state-sponsored cyber-intrusion campaigns and customized malware that have targeted ICS:
Russian state-sponsored APT actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in the Defense Industrial Base as well as the Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors. High-profile cyber activity publicly attributed to Russian state-sponsored APT actors by U.S. government reporting and legal actions includes:
Russian state-sponsored APT actors targeting state, local, tribal, and territorial (SLTT) governments and aviation networks, September 2020, through at least December 2020. Russian state-sponsored APT actors targeted dozens of SLTT government and aviation networks. The actors successfully compromised networks and exfiltrated data from multiple victims.
Russian state-sponsored APT actors’ global Energy Sector intrusion campaign, 2011 to 2018. These Russian state-sponsored APT actors conducted a multi-stage intrusion campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data.
Russian state-sponsored APT actors’ campaign against Ukrainian critical infrastructure, 2015 and 2016. Russian state-sponsored APT actors conducted a cyberattack against Ukrainian energy distribution companies, leading to multiple companies experiencing unplanned power outages in December 2015. The actors deployed BlackEnergy malware to steal user credentials and used its destructive malware component, KillDisk, to make infected computers inoperable. In 2016, these actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission company and deployed CrashOverride malware specifically designed to attack power grids.
For more information on recent and historical Russian state-sponsored malicious cyber activity, see the referenced products below or cisa.gov/Russia.
Table 1 provides common, publicly known TTPs employed by Russian state-sponsored APT actors, which map to the MITRE ATT&CK for Enterprise framework, version 10. Note: these lists are not intended to be all inclusive. Russian state-sponsored actors have modified their TTPs before based on public reporting.[1] Therefore, CISA, the FBI, and NSA anticipate the Russian state-sponsored actors may modify their TTPs as they deem necessary to reduce their risk of detection.
Table 1: Common Tactics and Techniques Employed by Russian State-Sponsored APT Actors
Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]
Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion.
Command and Scripting Interpreter: PowerShell [T1059.001] and Windows Command Shell [T1059.003]
Russian state-sponsored APT actors have used cmd.exe to execute commands on remote machines. They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands.
OS Credential Dumping: NTDS [T1003.003]
Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database ntds.dit.
Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003]
Russian state-sponsored APT actors have performed “Kerberoasting,” whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking.
Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords.
Unsecured Credentials: Private Keys [T1552.004]
Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.
Proxy: Multi-hop Proxy [T1090.003]
Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic.
Given Russian state-sponsored APT actors' demonstrated capability to maintain persistent, long-term access in compromised enterprise and cloud environments, CISA, the FBI, and NSA encourage all critical infrastructure organizations to:
Implement robust log collection and retention. Without a centralized log collection and monitoring capability, organizations have limited ability to investigate incidents or detect the threat actor behavior described in this advisory. Depending on the environment, examples include:
Native tools such as M365’s Sentinel.
Third-party tools, such as Sparrow, Hawk, or CrowdStrike’s Azure Reporting Tool (CRT), to review Microsoft cloud environments and to detect unusual activity, service principals, and application activity. Note: for guidance on using these and other detection tools, refer to CISA Alert Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments.
Look for behavioral evidence or network and host-based artifacts from known Russian state-sponsored TTPs. See Table 1 for commonly observed TTPs.
To detect password spray activity, review authentication logs for system and application login failures of valid accounts. Look for multiple, failed authentication attempts across multiple accounts.
To detect use of compromised credentials in combination with a VPS, follow the below steps:
Look for suspicious “impossible logins,” such as logins with changing username, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user’s geographic location.
Look for one IP used for multiple accounts, excluding expected logins.
Look for “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). Note: implementing this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting into networks.
Look for processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the ntds.dit file from a domain controller.
Look for suspicious privileged account use after resetting passwords or applying user account mitigations.
Look for unusual activity in typically dormant accounts.
Look for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.
For organizations with OT/ICS systems:
Take note of unexpected equipment behavior; for example, unexpected reboots of digital controllers and other OT hardware and software.
Record delays or disruptions in communication with field equipment or other OT devices. Determine if system parts or components are lagging or unresponsive.
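The authentication-log review steps above (password spraying, one IP serving many accounts, impossible travel, and unusual user agent strings) can be expressed as a small set of checks over sign-in records. The following is an added example, not code from the advisory or from CISA, the FBI, or NSA: every record, IP address, geolocation, user agent and threshold in it is constructed for illustration, and the GEO table stands in for whatever GeoIP source an organization actually uses. The known VPN egress address is excluded from the shared-IP and travel checks, which is one way to contain the false positives the advisory notes for users who connect through a VPN.

```python
"""Constructed sign-in record review for the advisory's detection opportunities:
password spraying, one IP serving many accounts, impossible travel, unusual user agents.
Every record, IP, geolocation and threshold here is made up for illustration."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed stand-in for a GeoIP lookup: source IP -> (latitude, longitude).
GEO = {
    "203.0.113.10": (38.9, -77.0),    # Washington, DC area
    "198.51.100.7": (47.6, -122.3),   # Seattle area
    "192.0.2.55": (52.5, 13.4),       # Berlin
    "10.20.30.40": (38.9, -77.0),     # assumed corporate VPN egress
}
# Egress points expected to serve many users; excluded from the shared-IP and travel
# checks to limit the VPN false positives the advisory warns about.
EXPECTED_SHARED_IPS = {"10.20.30.40"}
EDGE = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/96.0"
SCRIPT = "python-requests/2.26.0"
BASELINE_USER_AGENTS = {EDGE}   # user agents normally seen in this (assumed) environment

# Constructed sign-in records: (timestamp, user, source IP, result, user agent).
SAMPLE_LOGS = [
    ("2022-01-10T08:00:00", "alice", "203.0.113.10", "SUCCESS", EDGE),
    ("2022-01-10T08:02:00", "bob",   "10.20.30.40",  "SUCCESS", EDGE),
    ("2022-01-10T08:03:00", "carol", "10.20.30.40",  "SUCCESS", EDGE),
    ("2022-01-10T08:10:00", "alice", "192.0.2.55",   "FAILURE", SCRIPT),
    ("2022-01-10T08:10:05", "bob",   "192.0.2.55",   "FAILURE", SCRIPT),
    ("2022-01-10T08:10:10", "carol", "192.0.2.55",   "FAILURE", SCRIPT),
    ("2022-01-10T08:10:15", "dave",  "192.0.2.55",   "FAILURE", SCRIPT),
    ("2022-01-10T08:10:20", "erin",  "192.0.2.55",   "SUCCESS", SCRIPT),
    ("2022-01-10T08:11:00", "frank", "192.0.2.55",   "SUCCESS", SCRIPT),
    ("2022-01-10T08:30:00", "alice", "198.51.100.7", "SUCCESS", EDGE),
]


def parse(records):
    """Turn raw tuples into dicts with parsed timestamps."""
    return [{"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "result": result, "ua": ua}
            for ts, user, ip, result, ua in records]


def detect_password_spray(events, min_accounts=4, window_minutes=10):
    """One source IP failing against many distinct accounts inside a short window."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            fails_by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            users = {f["user"] for f in fails[i:]
                     if (f["ts"] - first["ts"]).total_seconds() <= window_minutes * 60}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits


def detect_shared_ip(events, min_accounts=2):
    """One IP successfully used for multiple accounts, excluding expected shared egress points."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["result"] == "SUCCESS" and e["ip"] not in EXPECTED_SHARED_IPS:
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_accounts}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def detect_impossible_travel(events, max_kmh=900):
    """Consecutive successful logins by one user that would need faster-than-airline travel."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "SUCCESS" and e["ip"] in GEO and e["ip"] not in EXPECTED_SHARED_IPS:
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(GEO[prev["ip"]], GEO[cur["ip"]])
            if km > max_kmh * hours:      # multiplication, so a zero-hour gap still works
                hits.append((user, prev["ip"], cur["ip"], round(km)))
    return hits


def detect_unusual_user_agents(events):
    """(user, user agent) pairs outside the baseline; a common sign of scripted activity."""
    return sorted({(e["user"], e["ua"]) for e in events if e["ua"] not in BASELINE_USER_AGENTS})


def review(records=SAMPLE_LOGS):
    """Run all four checks over a record set and return their findings by name."""
    events = parse(records)
    return {"password_spray": detect_password_spray(events),
            "shared_ip": detect_shared_ip(events),
            "impossible_travel": detect_impossible_travel(events),
            "unusual_user_agents": detect_unusual_user_agents(events)}
```

Calling review() on the constructed records flags the spray source against four accounts, the same source later signing in as two further users, alice's Washington-to-Seattle pair thirty minutes apart, and every sign-in carrying the scripted user agent. The thresholds (four accounts in ten minutes, 900 km/h) are placeholders; tune them against the organization's own baseline before relying on the output.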
Incident Response
Organizations detecting potential APT activity in their IT or OT networks should:
Immediately isolate affected systems.
Secure backups. Ensure your backup data is offline and secure. If possible, scan your backup data with an antivirus program to ensure it is free of malware.
Collect and review relevant logs, data, and artifacts.
Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
Note: for OT assets, organizations should have a resilience plan that addresses how to operate if you lose access to—or control of—the IT and/or OT environment. Refer to the Mitigations section for more information.
See the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA, the FBI, and NSA encourage critical infrastructure owners and operators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail each step for both incident and vulnerability response.
Note: organizations should document incident response procedures in a cyber incident response plan, which organizations should create and exercise (as noted in the Mitigations section).
Mitigations
CISA, the FBI, and NSA encourage all organizations to implement the following recommendations to increase their cyber resilience against this threat.
Be Prepared
Confirm Reporting Processes and Minimize Coverage Gaps
Develop internal contact lists. Assign main points of contact for a suspected incident as well as roles and responsibilities and ensure personnel know how and when to report an incident.
Minimize gaps in IT/OT security personnel availability by identifying surge support for responding to an incident. Malicious cyber actors are known to target organizations on weekends and holidays when there are gaps in organizational cybersecurity—critical infrastructure organizations should proactively protect themselves by minimizing gaps in coverage.
Ensure IT/OT security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any identified IOCs and TTPs for immediate response. (See Table 1 for commonly observed TTPs.)
Create, Maintain, and Exercise a Cyber Incident Response, Resilience Plan, and Continuity of Operations Plan
Create, maintain, and exercise a cyber incident response and continuity of operations plan.
Ensure personnel are familiar with the key steps they need to take during an incident and are positioned to act in a calm and unified manner. Key questions:
Do personnel have the access they need?
Do they know the processes?
For OT assets/networks:
Identify a resilience plan that addresses how to operate if you lose access to—or control of—the IT and/or OT environment.
Identify OT and IT network interdependencies and develop workarounds or manual controls to ensure ICS networks can be isolated if the connections create risk to the safe and reliable operation of OT processes. Regularly test contingency plans, such as manual controls, so that safety critical functions can be maintained during a cyber incident. Ensure that the OT network can operate at necessary capacity even if the IT network is compromised.
Regularly test manual controls so that critical functions can be kept running if ICS or OT networks need to be taken offline.
Implement data backup procedures on both the IT and OT networks. Backup procedures should be conducted on a frequent, regular basis. Regularly test backup procedures and ensure that backups are isolated from network connections that could enable the spread of malware.
In addition to backing up data, develop recovery documents that include configuration settings for common devices and critical OT equipment. This can enable more efficient recovery following an incident.
Enhance your Organization’s Cyber Posture
CISA, the FBI, and NSA recommend organizations apply the best practices below for identity and access management, protective controls and architecture, and vulnerability and configuration management.
Identity and Access Management
Require multi-factor authentication for all users, without exception.
Require accounts to have strong passwords and do not allow passwords to be used across multiple accounts or stored on a system to which an adversary may have access.
Secure credentials. Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.
Use virtualizing solutions on modern hardware and software to ensure credentials are securely stored.
Disable the storage of clear text passwords in LSASS memory.
Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
Implement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
Minimize the Active Directory attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ TGS and can be used to obtain hashed credentials that attackers attempt to crack.
Set a strong password policy for service accounts.
Audit Domain Controllers to log successful Kerberos TGS requests and ensure the events are monitored for anomalous activity.
Secure accounts.
Enforce the principle of least privilege. Administrator accounts should have the minimum permission they need to do their tasks.
Ensure there are unique and distinct administrative accounts for each set of administrative tasks.
Create non-privileged accounts for privileged users and ensure they use the non-privileged accounts for all non-privileged access (e.g., web browsing, email access).
Protective Controls and Architecture
Identify, detect, and investigate abnormal activity that may indicate lateral movement by a threat actor or malware. Use network monitoring tools and host-based logs and monitoring tools, such as an endpoint detection and response (EDR) tool. EDR tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Enable strong spam filters.
Enable strong spam filters to prevent phishing emails from reaching end users.
Filter emails containing executable files to prevent them from reaching end users.
Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments.
Note: CISA, the FBI, and NSA also recommend, as a longer-term effort, that critical infrastructure organizations implement network segmentation to separate network segments based on role and functionality. Network segmentation can help prevent lateral movement by controlling traffic flows between—and access to—various subnetworks.
Appropriately implement network segmentation between IT and OT networks. Network segmentation limits the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone that eliminates unregulated communication between the IT and OT networks.
Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to filter network traffic and monitor communications between zones. Prohibit ICS protocols from traversing the IT network.
Vulnerability and Configuration Management
Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
Consider using a centralized patch management system. For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.
Consider signing up for CISA’s cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats. CISA’s vulnerability scanning service evaluates external network presence by executing continuous scans of public, static IP addresses for accessible services and vulnerabilities.
Use industry recommended antivirus programs.
Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures.
Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
Implement rigorous configuration management programs. Ensure the programs can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses.
Disable all unnecessary ports and protocols.
Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
Turn off or disable any unnecessary services (e.g., PowerShell) or functionality within devices.
Ensure OT hardware is in read-only mode.
Increase Organizational Vigilance
Regularly review reporting on this threat. Consider signing up for CISA notifications to receive timely information on current security issues, vulnerabilities, and high-impact activity.
Resources
For more information on Russian state-sponsored malicious cyber activity, refer to cisa.gov/Russia.
Leaders of small businesses and small and local government agencies should see CISA’s Cyber Essentials for guidance on developing an actionable understanding of implementing organizational cybersecurity practices.
Critical infrastructure owners and operators with OT/ICS networks should review the following resources for additional information:
NSA and CISA joint CSA NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems
CISA factsheet Rising Ransomware Threat to Operational Technology Assets for additional recommendations.
Rewards for Justice Program
If you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State’s Rewards for Justice Program. You may be eligible for a reward of up to $10 million, which DOS is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact +1-202-702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details refer to rewardsforjustice.net/malicious_cyber_activity.
Caveats
The information you have accessed or received is being provided “as is” for informational purposes only. CISA, the FBI, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, or NSA.
This article was originally posted by the FTC. See the original article here.
There’s a new spin on scammers asking people to pay with cryptocurrency. It involves an impersonator, a QR code, and a trip to a store (directed by a scammer on the phone) to send your money to them through a cryptocurrency ATM.
It works like this: someone might call pretending to be from the government, law enforcement, or a local utility company. Maybe a romantic interest you met online calls, or someone calls to say you’ve won the lottery or a prize. They’ll wind up asking you for money. If you believe the story they tell and you seem willing to engage, they’ll stay on the phone to direct you to withdraw money from your bank, investment, or retirement accounts. Then they’ll tell you to go to a store with a cryptocurrency ATM (and they’ll stay on the phone the whole time). Once you’re there, they’ll direct you to insert your money into the ATM and buy cryptocurrency. Here’s where the QR code comes in: they send you a QR code with their address embedded in it. Once you buy the cryptocurrency, they have you scan the code so the money gets transferred to them. But then your money is gone.
Here’s the main thing to know: nobody from the government, law enforcement, utility company, or prize promoter will ever tell you to pay them with cryptocurrency. If someone does, it’s a scam, every time. Any unexpected tweet, text, email, call, or social media message — particularly from someone you don’t know — asking you to pay them in advance for something, including with cryptocurrency, is a scam.
If you spot something like this, tell the FTC right away at ReportFraud.ftc.gov. And to learn more about avoiding cryptocurrency scams, visit ftc.gov/cryptocurrency.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.
Howdy folks,
We’re thrilled to announce the General Availability (GA) of Continuous Access Evaluation (CAE) as part of the overall Azure AD Zero Trust Session Management portfolio!
CAE introduces real-time enforcement of account lifecycle events and policies, including:
Account revocation
Account disablement/deletion
Password change
User location change
User risk increase
On receiving such events, app sessions are immediately interrupted and users are redirected back to Azure AD to reauthenticate or reevaluate policy. With CAE, we have introduced a new concept of Zero Trust authentication session management that is built on the foundation of Zero Trust principles–Verify Explicitly and Assume Breach. With the Zero Trust approach, the authentication session lifespan now depends on session integrity rather than on a predefined duration. This work is consistent with an industry effort called Shared Signals and Events, and we’re proud to be the first company in the group with a generally available implementation of continuous access!
In fact, we’re so excited about CAE that we auto-enabled it for all tenants. Azure AD Premium 1 customers can make configuration changes or disable CAE in a session blade of Conditional Access.
[Figure: Session blade of CAE for customizing configurations]
With this GA, you’ll be more secure and resilient because the real-time enforcement of policies can safely extend session duration. In case of any Azure AD outages, users with CAE sessions can ride out these outages without ever noticing them.
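The mechanism described above, a long session that is cut short the moment a critical event arrives rather than at a fixed expiry, can be illustrated with a small model. The following is an added example written for this page, not Microsoft's code and not how Azure AD or any CAE-capable app actually implements the feature; the Token and CriticalEvent shapes, the allowed_ips claim, the event names and all timestamps and addresses are assumptions chosen to show the principle.

```python
"""Simplified model of continuous access evaluation: a resource holding a long-lived
token stops honouring it as soon as a critical event for that user arrives, and checks
the request's location on every call. Illustrative only; not Azure AD's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event kinds the announcement lists, as the resource would receive them from the identity provider.
CRITICAL_EVENTS = {"account_revoked", "account_disabled", "password_changed", "user_risk_increased"}


@dataclass
class Token:
    subject: str
    issued_at: datetime
    expires_at: datetime
    allowed_ips: frozenset      # assumed claim: locations the access policy permits


@dataclass
class CriticalEvent:
    subject: str
    kind: str
    at: datetime


class ResourceServer:
    """Subscribes to critical events and re-evaluates every request against them."""

    def __init__(self):
        self.events = []

    def receive_event(self, event):
        self.events.append(event)

    def evaluate(self, token, now, client_ip):
        """Return ("allow", None) or ("reauthenticate", reason) for one request."""
        if now >= token.expires_at:
            return "reauthenticate", "token_expired"
        # Any listed event for this subject that is newer than the token invalidates it at once;
        # events from before issuance were already accounted for when the token was minted.
        for ev in self.events:
            if ev.subject == token.subject and ev.kind in CRITICAL_EVENTS and ev.at > token.issued_at:
                return "reauthenticate", ev.kind
        # Location change is evaluated per request against the policy's allowed set.
        if client_ip not in token.allowed_ips:
            return "reauthenticate", "location_changed"
        return "allow", None


def demo():
    """Walk one 24-hour token through stale, foreign-user and own critical events."""
    t0 = datetime(2022, 1, 10, 9, 0)
    token = Token("alice", t0, t0 + timedelta(hours=24), frozenset({"203.0.113.10"}))
    rs = ResourceServer()
    results = []
    # An event older than the token does not affect it.
    rs.receive_event(CriticalEvent("alice", "account_disabled", t0 - timedelta(minutes=5)))
    results.append(rs.evaluate(token, t0 + timedelta(hours=1), "203.0.113.10"))
    # Another user's password change leaves alice's session alone.
    rs.receive_event(CriticalEvent("bob", "password_changed", t0 + timedelta(hours=2)))
    results.append(rs.evaluate(token, t0 + timedelta(hours=2, minutes=1), "203.0.113.10"))
    # A request from a location outside the policy is sent back for re-evaluation.
    results.append(rs.evaluate(token, t0 + timedelta(hours=3), "198.51.100.7"))
    # Alice's own password change ends the session well before the token's expiry.
    rs.receive_event(CriticalEvent("alice", "password_changed", t0 + timedelta(hours=4)))
    results.append(rs.evaluate(token, t0 + timedelta(hours=4, seconds=1), "203.0.113.10"))
    # And the expiry still applies as a backstop.
    results.append(rs.evaluate(token, t0 + timedelta(hours=25), "203.0.113.10"))
    return results
```

demo() returns allow, allow, then location_changed, password_changed and token_expired, which is the point of the design: the 24-hour token is safe to issue only because the resource will revoke it within seconds of a relevant event instead of waiting for the clock.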
“With CAE, gone are the days where we are waiting for the session to be revoked or the user to be reauthenticated for critical services like Exchange Online and SharePoint Online. If we ever had a security incident pop with a user identity, knowing that the token can be revoked instantly, is confidence inspiring. Further, the long default session lifetime with CAE is another benefit we welcome, particularly from the perspective of additional resilience to potential outages.”
— BRIDGEWATER
CAE has been one of our most popular preview features and has already been deployed successfully by thousands of customers across millions of users. You can learn more about CAE here, including a full list of apps that support CAE today.
As always, we’d love to hear any feedback or suggestions you have. Let us know what you think in the comments below or on the Azure AD feedback forum.