Security Archives - Elk Factory
https://elk-factory.com/en/category/security-en/
Creating insights with Elastic

Getting the most out of Generative AI with Elastic.
https://elk-factory.com/en/getting-the-most-out-of-generative-ai-with-elastic/
Wed, 17 Jan 2024 08:15:39 +0000
(The post "Getting the most out of Generative AI with Elastic." appeared first on Elk Factory.)

Generative AI, or Gen AI, is reshaping the technology landscape, just as earlier breakthroughs in mainframe, cloud computing, and mobile did. While conversations often revolve around revenue growth and business objectives, the potential for Gen AI to benefit both the public and the private sector is profound.
Semantic search and Gen AI enable tailored experiences for customers and employees, generating economic value projected to exceed $240 billion.
Read on to explore how Gen AI, in conjunction with the Elastic Stack, can unlock transformative capabilities in government, education, and technology.

Real-world Gen AI use cases

Gen AI innovations, particularly in semantic search, present a myriad of opportunities for the public and private sectors, from personalized responses for students, citizens, and customers to streamlined workflows for employees.

Read our other blogs about real-world use cases:
HelpdeskGPT & HrGPT

The challenge, however, lies in leveraging internal data while ensuring relevance, accuracy, and security.


Your Data + Generative AI = Context-Rich Answers

Integrating Gen AI with private data is crucial for achieving mission value. Publicly available Gen AI applications know only public internet data and are prone to inaccuracies about your organization; the Elastic Stack instead grounds the model in your own data while keeping that data under your own access controls. By prioritizing security, delivering hyper-relevant content, and reducing hallucinations, Elastic enables real-time, scalable, and secure Gen AI applications.


The Elastic Generative AI Value Proposition

To create business value with Gen AI, leveraging proprietary data is essential. The pattern is retrieval-augmented generation: the relevant pieces of your unstructured, structured, or semi-structured data are retrieved first and placed in the model's context window, so the response is grounded in that data rather than in whatever the model remembers from training. Elasticsearch, trusted by over 50% of the Fortune 500, ensures privacy-first Gen AI experiences.

  • Prioritizes Security and Confidentiality: retrieval runs under Elasticsearch's role-based access control, including document- and field-level security, so the context handed to the model only ever contains what the requesting user is allowed to see, and private fields can be stripped before they leave the cluster.
  • Delivers Hyper-Relevant, Reliable Content: ensures the most relevant content from proprietary data informs Gen AI responses.
  • Reduces Gen AI Hallucinations: answers are grounded in mission-specific information, so inaccuracies become infrequent and can be checked against the cited source documents.
  • Lower Costs: by passing only the information most relevant to the query, Elasticsearch keeps prompts short and minimizes compute and storage resources.
  • Unified Platform for AI Apps: Elasticsearch offers an end-to-end platform for building and delivering AI search applications.
  • Real-time Guidance: the Elastic AI Assistant aids security teams in tasks like alert investigation, incident response, and query generation.
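As an added illustration of the access-control point above (example code written for this page, not Elk Factory's or Elastic's own), the following Python sketch shows the retrieval side of such a pipeline on a small in-memory corpus: each document carries an access-control list, the filter is applied before ranking so that a document the user may not read can never influence the answer or leak through a citation, direct identifiers are masked before the text leaves for the model, and the context is kept within a size budget. The corpus, roles, regular expressions and the Doc class are all constructed for the example; in Elasticsearch the same filter is expressed as document-level security on the role rather than in application code.

```python
import re
from dataclasses import dataclass


@dataclass
class Doc:
    doc_id: str
    text: str
    allowed_roles: set  # roles that may read this document (constructed ACL)


# Constructed corpus with a per-document access-control list.
CORPUS = [
    Doc("hr-1", "Parental leave policy: employees may take 15 weeks of paid leave.",
        {"employee", "hr"}),
    Doc("hr-2", "Salary band for grade 7 is 85000 to 110000 EUR; contact Jane Doe, "
        "jane.doe@example.com.", {"hr"}),
    Doc("it-1", "Password reset: use the self-service portal; helpdesk phone +32 2 555 0100.",
        {"employee", "it"}),
]

STOPWORDS = {"what", "is", "the", "for", "a", "an", "of", "to", "and", "how", "do", "i"}
WORD = re.compile(r"[a-z0-9]+")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")
PHONE = re.compile(r"\+\d[\d ]{7,}\d")


def terms(text):
    """Lower-cased content words; a stand-in for real relevance ranking."""
    return set(WORD.findall(text.lower())) - STOPWORDS


def retrieve(query, user_roles, k=2):
    """Rank by term overlap, but only among documents the user may read.
    The ACL filter runs before ranking, so a denied document can never leak
    through its score, its snippet or its citation."""
    readable = [d for d in CORPUS if d.allowed_roles & set(user_roles)]
    q = terms(query)
    scored = [(len(q & terms(d.text)), d) for d in readable]
    scored = [(s, d) for s, d in scored if s > 0]
    scored.sort(key=lambda sd: sd[0], reverse=True)
    return [d for _, d in scored[:k]]


def redact(text):
    """Mask direct identifiers before the snippet is sent to an external model."""
    return PHONE.sub("[phone]", EMAIL.sub("[email]", text))


def build_prompt(query, user_roles, max_chars=400):
    """Assemble the context window: filtered, redacted, within a size budget,
    with document ids kept so the answer can cite its sources.
    Returns (prompt, cited_doc_ids)."""
    context, used, cited = [], 0, []
    for d in retrieve(query, user_roles):
        snippet = redact(d.text)
        if used + len(snippet) > max_chars:
            break
        context.append(f"[{d.doc_id}] {snippet}")
        used += len(snippet)
        cited.append(d.doc_id)
    prompt = ("Answer only from the context below; reply 'unknown' if the context "
              "does not contain the answer.\n" + "\n".join(context)
              + f"\n\nQuestion: {query}")
    return prompt, cited


if __name__ == "__main__":
    q = "what is the salary band for grade 7"
    print(build_prompt(q, ["employee"])[1])  # [] : no salary document for this role
    print(build_prompt(q, ["hr"])[0])        # cites hr-2, e-mail address masked
```

The order of operations is the point: filter, then rank, then redact, then budget. Ranking before filtering (or filtering only the final snippets) lets a forbidden document shape the result set, and redacting after the prompt has been logged or cached defeats the purpose.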


Conclusion

Whether AI-driven search results are used on their own or combined with a Gen AI question-and-answer layer, the synergy between Elasticsearch and Gen AI unlocks new capabilities.
Whether serving the public sector or reshaping experiences in the private sector, the combination of your data and Generative AI is a powerful force driving innovation and efficiency. Elastic's commitment to security, relevance, and cost-effectiveness positions it as a cornerstone of that journey.

Post ElasticON: Cybersecurity & AI
https://elk-factory.com/en/post-elasticon-cybersecurity-ai/
Thu, 07 Dec 2023 14:02:37 +0000

Organizations face the daunting task of safeguarding their digital assets against a myriad of threats. Elastic Security emerges as a powerful solution, offering a modernized approach to security operations. At its core lies the Security Information and Event Management (SIEM) system, a key component empowering practitioners to detect and respond to threats proactively.


The Detection Challenge

Detecting threats is like finding a needle in a haystack, but what if the needle actively avoids detection? Distinguishing between normal and suspicious activities becomes crucial in this stage. Elastic Security tackles this challenge head-on, employing advanced techniques to discern anomalies and potential threats.


Empowering Analysts with Data Insights

Elastic plays a pivotal role in empowering analysts to navigate the complex landscape of security data. With the ability to ingest data from hundreds of sources, Elastic Security allows practitioners to search, analyze, correlate, and identify patterns across various infrastructure components and cloud environments. The integration of Artificial Intelligence (AI) and Machine Learning (ML) augments the process, providing insights that guide analysts in their decision-making.


The Secret Sauce: SIEM, Endpoint Security, and Cloud Security Combined

Elastic Security merges SIEM, security analytics, endpoint security, and cloud security into a unified solution. This integration forms the secret sauce, a potent weapon delivering comprehensive protection, investigation, and response capabilities to customers. Elastic Security Labs, with their proactive threat research, further enhances the platform by contributing valuable insights to the security community.


Entity Analytics: Understanding Holistic Behavior

Entity analytics complements event-based alerting by focusing on understanding the behavior and interactions of entities within an environment. This goes beyond traditional event-based analytics, providing a holistic view of entity behavior through machine learning and statistical analysis. This approach enables the proactive detection of insider threats, system compromises, and data exfiltration.


The Power of Automation

In a landscape where every moment counts, automation is a critical ally. Elastic Security uses automation to minimize the time between detection and investigation, including in cloud environments. With over 50 prebuilt machine learning jobs and use-case packages from Elastic Security Labs, the platform surfaces anomalous activity automatically; these jobs produce anomaly alerts that feed detection rules, while the actual blocking of threats is done by the endpoint protection.


Generative AI Revolutionizing Security Analytics

Elastic Security embraces generative AI for security analytics. The Elastic AI Assistant, powered by a large language model (LLM) that you connect through a connector, works over data from any source the platform ingests, supporting faster triage and threat hunting. Privacy concerns are addressed by anonymizing sensitive fields before they are sent to the model and by role-based access control, so LLM usage stays within your security policy.


AI and Analytics at Scale

Elastic’s extensive capabilities for AI and analytics extend to processing large datasets at scale. With machine learning-based anomaly detection, automatic correlations, log categorization, and interactive chat-based investigations, Elastic Security provides a comprehensive suite of tools. Over 100 Out-of-the-Box (OOTB) open ML models offer customization for diverse data and use cases.


Democratizing Access to Data and Analytics

The democratization of data and analytics is a hallmark of Elastic Security. The platform’s capabilities are not confined to data scientists alone; they are accessible to the entire organization. This inclusivity ensures that insights derived from AI and analytics are widely available, contributing to a more robust security posture.

In conclusion, Elastic Security stands as a transformative force in the realm of cybersecurity. By seamlessly integrating advanced technologies, proactive threat research, and a commitment to democratizing access to security insights, Elastic Security empowers organizations to stay one step ahead in the ongoing battle against cyber threats.

Reducing the SecOps workload with an AI-powered Cybersecurity Solution.
https://elk-factory.com/en/reducing-the-secops-workload-with-an-ai-powered-cybersecurity-solution/
Thu, 30 Nov 2023 14:10:42 +0000
Setting up Elastic Security
Elk Factory has secured Formica using Elastic Security in Elastic Cloud. In Elastic Cloud, setting up an environment is straightforward; security was configured as follows:


1. CREATE AGENT POLICIES

An agent policy was created in Elastic Fleet for each operating system that needed monitoring (one for Windows, one for macOS).

2. ADD INTEGRATIONS TO POLICIES

Various integrations were added to these policies to collect specific data such as Windows event logs, network packets, and endpoint telemetry.

Both the Windows and the macOS policy received the "System", "Network Packet Capture", and "Endpoint Security" integrations (the last one is now called Elastic Defend). The Windows policy additionally received the "Windows" integration to capture Windows event logs.

3. CONFIGURE INTEGRATIONS

All integrations were then configured to capture the necessary data. The endpoint protection integration was configured in prevent mode rather than detect-only mode, so that it acts as an antivirus and blocks threats instead of merely alerting on them.

4. ROLL OUT AGENTS ON ENDPOINTS

After the agent policies were set up, Elastic Agents were deployed on Formica employees' laptops. Once installed, the agents ship their data to Elastic Cloud and the laptops are under protection.

5. ENABLE RULES BASED ON MITRE ATT&CK

At the time of writing, Elastic shipped 1051 prebuilt detection rules for the SIEM. To decide which rules were relevant, the MITRE ATT&CK framework was used: threat groups known to target the technology sector were identified, and the rules covering the attack techniques those groups use were enabled (each prebuilt rule carries its ATT&CK tactic and technique tags, which turns this mapping into a filter on the rules table). This way, alerts are generated when those techniques show up on the laptops. Enabling only a subset keeps alert volume manageable, but the selection should be revisited as the threat landscape changes.

6. DASHBOARDS

Elastic Security includes numerous out-of-the-box dashboards that provide insights into your environment. These dashboards display alerts, the number of incoming logs, and an overview of the protected laptops.

Elastic Security in action

Recently, a critical alert fired for an endpoint on which a suspicious launch agent named 'ksinstall' had appeared.

1. First actions

After noticing the alert, we examined its details in a Timeline. Filtering on the "ksinstall" process revealed extensive information about every action ksinstall had taken on the host.

Initially, it was unclear whether this was malicious.

2. Using the AI assistant

To investigate further and quickly, we decided to use the security AI Assistant that Elastic introduced in June 2023. In this setup the assistant talks to OpenAI's GPT-4 through a connector; the following setup is required:

1. OpenAI developer account

Start by obtaining an OpenAI developer account to generate an API key; this key is what the connector in Elastic Cloud uses.

2. Credit card top-up

Perform a one-time top-up via a credit card to add credits or tokens to your account, granting access to the GPT-4 model. You can only generate your API key after this top-up.

3. Elastic Cloud Configuration

Once you have the API key, open the AI Assistant in Elastic Cloud; it guides you through setting up the connector. Treat the key like any other credential: Kibana stores connector secrets encrypted, but anyone who can use the assistant spends against that key, so restrict who can use the connector and set a usage limit on the OpenAI side.

4. Elastic AI Assistant

Question 1 – Alert summary

For the first question, we used one of the prebuilt Elastic prompts to summarize the alert and what it could mean. This gives a quick and clear overview of what is happening.

Question 2 – Alert investigation workflow

Next, we asked for a workflow to investigate the alert.

The workflow includes KQL queries that can be copied directly into Discover or added to the Timeline.

We ran them in Discover and displayed the fields 'process.name' and 'process.args' to see quickly what the process did to the system.

From this, you can see that ksinstall attempted to install the file Keystone.tbz. The file lives in a Google Chrome folder, and ksinstall was a child process of Google Chrome.

Question 3 – Process arguments clarification

To clarify this, we asked the AI Assistant what Keystone.tbz is and whether it is normal for Google Chrome to do this.

The answer came back quickly: this is part of the Chrome update process (Keystone is Google's updater for macOS, and ksinstall is its installer). An assistant's answer is a lead, not evidence; the corroborating evidence here is that the parent process was Google Chrome, that the binary and its payload sit inside the Chrome application bundle, and that the binary's code signature is Google's, all of which can be checked in the same events.

Question 4 – Malicious examples

We then asked for examples of things that would be suspicious and require investigation.

Continuing the search in Discover, none of the four suspicious indicators the assistant listed showed up. So we asked the assistant a final question to conclude.

Question 5 – Wrapping up

The assistant's closing answer agreed, and we concluded that this alert is a false positive.
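The checks we did by hand in Discover, written out as code so they can be rerun on the next ksinstall alert (an added example for this page, not Elk Factory's or Elastic's code). The events below are constructed in the flat field layout Discover shows for Elastic Defend process events; the parent name, bundle path, payload path, signer and LaunchAgent plist prefix encode what a genuine Chrome Keystone update looks like and are assumptions of the example, as is the second ksinstall event, a constructed look-alike that shows what the same checks flag. The equivalent Discover filter is simply process.name : "ksinstall".

```python
# Constructed process events (ECS field names, flattened as Discover shows them).
EVENTS = [
    {"process.pid": 501, "process.name": "Google Chrome", "process.parent.pid": 1,
     "process.executable": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     "process.args": ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"]},
    # The alert from the article: ksinstall spawned by Chrome, installing Keystone.tbz.
    {"process.pid": 777, "process.name": "ksinstall", "process.parent.pid": 501,
     "process.parent.name": "Google Chrome",
     "process.executable": "/Applications/Google Chrome.app/Contents/Frameworks/"
                           "Google Chrome Framework.framework/Helpers/ksinstall",
     "process.args": ["ksinstall", "--install",
                      "/Applications/Google Chrome.app/Contents/Frameworks/"
                      "Google Chrome Framework.framework/Resources/Keystone.tbz"],
     "process.code_signature.subject_name": "Google LLC",
     "process.code_signature.trusted": True},
    {"process.pid": 778, "process.name": "launchctl", "process.parent.pid": 777,
     "process.parent.name": "ksinstall",
     "process.args": ["launchctl", "load",
                      "/Users/alice/Library/LaunchAgents/com.google.keystone.agent.plist"]},
    # A constructed look-alike: same name, wrong parent, wrong path, unsigned, foreign plist.
    {"process.pid": 900, "process.name": "ksinstall", "process.parent.pid": 640,
     "process.parent.name": "bash", "process.executable": "/tmp/ksinstall",
     "process.args": ["/tmp/ksinstall", "--install", "/tmp/payload.tbz"],
     "process.code_signature.trusted": False},
    {"process.pid": 901, "process.name": "launchctl", "process.parent.pid": 900,
     "process.parent.name": "ksinstall",
     "process.args": ["launchctl", "load",
                      "/Users/alice/Library/LaunchAgents/com.example.updater.plist"]},
]

# What a genuine Keystone update looks like (assumptions of this example).
EXPECTED_PARENT = "Google Chrome"
CHROME_BUNDLE = "/Applications/Google Chrome.app/"
EXPECTED_SIGNER = "Google LLC"
GOOGLE_PLIST_PREFIX = "com.google."


def launch_agents_are_google(ev, events):
    """Every LaunchAgent plist loaded by a child of this process must be Google's."""
    for child in events:
        if child.get("process.parent.pid") != ev["process.pid"]:
            continue
        for arg in child.get("process.args", []):
            if "/LaunchAgents/" in arg and not arg.rsplit("/", 1)[-1].startswith(GOOGLE_PLIST_PREFIX):
                return False
    return True


def triage_ksinstall(events):
    """One finding per ksinstall execution: the checks an analyst runs by hand
    (parent, path, payload, signature, persistence) and a verdict."""
    findings = []
    for ev in events:
        if ev.get("process.name") != "ksinstall":
            continue
        payloads = [a for a in ev.get("process.args", []) if a.endswith(".tbz")]
        checks = {
            "parent_is_chrome": ev.get("process.parent.name") == EXPECTED_PARENT,
            "runs_from_chrome_bundle": ev.get("process.executable", "").startswith(CHROME_BUNDLE),
            "payload_in_chrome_bundle": bool(payloads) and all(p.startswith(CHROME_BUNDLE) for p in payloads),
            "signed_by_google": (ev.get("process.code_signature.subject_name") == EXPECTED_SIGNER
                                 and ev.get("process.code_signature.trusted") is True),
            "launch_agents_are_google": launch_agents_are_google(ev, events),
        }
        failed = [name for name, ok in checks.items() if not ok]
        findings.append({
            "pid": ev["process.pid"],
            "verdict": "benign: Chrome Keystone update" if not failed else "investigate",
            "failed_checks": failed,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_ksinstall(EVENTS):
        print(finding)
```

The assistant told us what Keystone is; the code above is what turns that into a repeatable decision. A process named ksinstall that fails even one of these checks (a shell as parent, a binary outside the application bundle, an untrusted signature, a persistence plist that is not Google's) is exactly the case the alert exists for.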


3. RESULTS

With the help of the AI assistant, the alert was quickly addressed. The total cost of the conversation with the AI assistant was $0.32.

CONCLUSION

The use of Elastic Security with the AI Assistant significantly increases the productivity and efficiency of security engineers and analysts for a minimal investment.


Elk Factory – Elastic Premier Partner

Elk Factory is the Elastic partner for implementing the Elastic platform. We aim for a win-win: we look at how this platform can benefit your company most, and in return we gain another satisfied customer!

Get to know us and contact us without obligation.

Revolutionizing Cyber Security with Intelligent Automation
https://elk-factory.com/en/revolutionizing-cyber-security-with-intelligent-automation/
Tue, 03 Oct 2023 08:24:07 +0000
With the introduction of the Elastic AI Assistant, the game is changing. This advanced tool integrates Artificial Intelligence, empowering cybersecurity professionals, and enabling them to tackle complex challenges with unprecedented efficiency and precision.


The Power of Elastic AI Assistant

Imagine having a virtual teammate, ready to assist you with just a click or a keyboard shortcut. Elastic AI Assistant, nestled within Elastic Security, provides an intuitive interface for your professionals to effortlessly access its capabilities.
One of its unique strengths lies in its ability to offer prebuilt, recommended prompts, ensuring that the AI-generated responses are tailored precisely for the user, be it a tier 1 or 2 security analyst.


The Magic Lies in Prompts and Context

At the heart of Elastic AI Assistant’s efficacy are its prebuilt prompts and context-driven approach. These prompts, carefully curated for various scenarios, facilitate tasks that are crucial for cybersecurity teams:

  1. Alert Summarization: Instantly transforms an alert document into a detailed explanation of the triggering factors and provides recommended steps for effective triage and remediation. This dynamic runbook creation simplifies the response process during cyber attacks.
  2. Workflow Suggestions: Offers step-by-step guides within Elastic, assisting users in tasks like adding an alert exception or creating custom dashboards. This feature streamlines operations, enhancing overall productivity.
  3. Query Conversion: Simplifies migration from legacy SIEMs by converting queries from other products into Elastic queries. This process not only saves time but also significantly reduces migration costs, making the transition smoother and more cost-effective.
  4. Agent Integration Advice: Provides guidance on the best methods for collecting information within Elastic, ensuring that users make informed decisions while gathering essential data.


Customization: Tailoring AI to Fit Your Workflow

Elastic AI Assistant goes a step further by allowing users to create their own prompts, tailoring the AI’s capabilities to align seamlessly with their unique workflows. This level of customization transforms Elastic AI Assistant from a tool into a trusted team member, adapting to the specific needs of each cybersecurity professional.

Seamless Collaboration and Integration

Elastic AI Assistant doesn’t just stop at providing answers; it fosters continuous conversation. As users interact with the model, it retains the context of the conversation. Once satisfied with the results, users can effortlessly integrate the insights into timeline investigations or cases, enhancing collaboration and knowledge sharing within the cybersecurity team.

Elevating Cybersecurity Efforts to New Heights

For cybersecurity, time is of the essence, and Elastic AI Assistant ensures that valuable time is spent on strategic decision-making rather than mundane tasks.
By harnessing the power of generative AI, Elastic AI Assistant stands as a beacon of innovation, transforming the way cybersecurity professionals operate. With its intuitive prompts, context-driven responses, and seamless customization, it’s not just an assistant; it’s a strategic partner, reinforcing the arsenal of cybersecurity experts in their ongoing battle against digital threats. Elastic AI Assistant represents a giant leap towards a safer, more secure digital future.


Cybersecurity Starter Pack

Protect your enterprise with the advanced cybersecurity solution of Elastic. Elk Factory, as premier Elastic partner offers a starter pack to bring your security to the next level. More info here.

Fraud prevention for the telecom sector with observability
https://elk-factory.com/en/fraud-prevention-for-the-telecom-sector-with-observability/
Thu, 03 Aug 2023 09:11:10 +0000
The telecommunications industry is one of the most dynamic and rapidly evolving sectors, with an increasing reliance on sophisticated technologies and complex systems. As the industry advances, it also faces new challenges, particularly fraud. Fraudulent activities such as subscription fraud, identity theft and account takeover cause significant financial losses and damage the reputation of telecom companies. To combat these threats, telecom operators can turn to observability tooling as a powerful ally in their fraud prevention efforts.
In this article we explore how observability supports fraud prevention in the telecom sector by providing real-time insights and strengthening security measures.


What is Observability?

Observability tools are a set of sophisticated software solutions that empower companies to gain deep insights into the performance and behavior of their systems and networks in real-time.
These tools go beyond traditional monitoring approaches by collecting vast amounts of data, analyzing it, and generating actionable insights to enhance overall operational efficiency. In the telecom sector, observability plays a pivotal role in identifying and mitigating fraud attempts proactively.


Real-time Detection and Alerts

Traditional fraud detection mechanisms often rely on batch processing and retrospective analysis, which can delay the discovery of fraudulent activities and lead to substantial losses. Observability, on the other hand, offers real-time detection capabilities. By continuously monitoring various data streams, including network traffic, user behavior, and transaction patterns, these tools can swiftly identify suspicious activities and promptly raise alerts to the relevant teams.


Predictive Analytics and Machine Learning

Fraudsters are becoming increasingly sophisticated, making their activities harder to detect using conventional methods. Observability tools leverage advanced technologies like machine learning, predictive analytics, and even AI to detect anomalous patterns and anticipate potential fraud attempts.
As these tools learn from past data and evolve with emerging fraud trends, they can proactively identify new attack vectors, preventing fraudulent activities before they cause harm.


Improved User Authentication and Security

Observability can significantly strengthen user authentication by continuously monitoring user behavior and interactions across channels. This behavioral analysis establishes a baseline per user and detects deviations from it. Suspicious activity, such as login attempts from unfamiliar locations or at unusual times, can trigger an immediate security response, such as step-up multi-factor authentication or temporary account suspension. The baseline needs enough history to be meaningful, and every automatic response should leave a legitimate user a way to recover (a travelling customer is the classic false positive), which is why step-up authentication is usually preferred over outright suspension for a first deviation.

(For increased protection against cyberattacks, Elk Factory recommends Elastic Security.)
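Added example for this page (not Elk Factory's or Elastic's code): the behavioral baseline described above, reduced to its logic and run over constructed login events. A per-user baseline of countries and login hours is learned from past successful logins; a new login from an unseen country or at an hour far from the user's habit triggers step-up multi-factor authentication, and a burst of failed logins within a short window triggers temporary suspension. The events, thresholds and action names are all constructed; in Elastic the same logic would live in a machine-learning anomaly job or a threshold rule over authentication events rather than in application code.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed history: (user, ISO timestamp, country, outcome), oldest first.
HISTORY = [
    ("alice", "2023-07-03T08:05:00", "BE", "success"),
    ("alice", "2023-07-04T09:12:00", "BE", "success"),
    ("alice", "2023-07-05T13:40:00", "BE", "success"),
    ("alice", "2023-07-06T17:55:00", "BE", "success"),
    ("alice", "2023-07-07T08:30:00", "NL", "success"),
    ("bob",   "2023-07-03T10:00:00", "BE", "success"),
    ("bob",   "2023-07-04T11:20:00", "BE", "success"),
]

# Constructed new events to assess.
NEW = [
    ("alice", "2023-08-01T09:10:00", "BE", "success"),  # habitual -> allow
    ("alice", "2023-08-01T03:12:00", "NG", "success"),  # new country, odd hour -> step-up MFA
    ("bob",   "2023-08-01T10:00:00", "BE", "failure"),
    ("bob",   "2023-08-01T10:01:00", "BE", "failure"),
    ("bob",   "2023-08-01T10:01:30", "BE", "failure"),
    ("bob",   "2023-08-01T10:02:00", "BE", "failure"),
    ("bob",   "2023-08-01T10:03:00", "BE", "failure"),  # 5th failure in 10 min -> suspend
    ("carol", "2023-08-01T12:00:00", "BE", "success"),  # unknown user -> step-up MFA
]


def build_baseline(history):
    """Per-user set of countries and login hours seen in successful logins."""
    base = defaultdict(lambda: {"countries": set(), "hours": set()})
    for user, ts, country, outcome in history:
        if outcome != "success":
            continue
        base[user]["countries"].add(country)
        base[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return base


def assess(events, baseline, window=timedelta(minutes=10), max_failures=5):
    """Return (user, ts, action, reasons) per event. Actions: allow, observe
    (a failure below the burst threshold), step_up_mfa, suspend."""
    failures = defaultdict(list)  # user -> timestamps of failures inside the window
    decisions = []
    for user, ts, country, outcome in events:
        t = datetime.fromisoformat(ts)
        if outcome == "failure":
            failures[user] = [f for f in failures[user] if t - f <= window] + [t]
            if len(failures[user]) >= max_failures:
                decisions.append((user, ts, "suspend", ["failed_login_burst"]))
            else:
                decisions.append((user, ts, "observe", []))
            continue
        reasons = []
        profile = baseline.get(user)  # .get() does not create an empty profile
        if profile is None:
            reasons.append("no_baseline")
        else:
            if country not in profile["countries"]:
                reasons.append("unfamiliar_country")
            if not any(abs(t.hour - h) <= 1 for h in profile["hours"]):
                reasons.append("unusual_hour")
        decisions.append((user, ts, "step_up_mfa" if reasons else "allow", reasons))
    return decisions


if __name__ == "__main__":
    for decision in assess(NEW, build_baseline(HISTORY)):
        print(decision)
```

Two design points carry over to a production rule: a user with no baseline gets step-up authentication rather than a free pass, and the failure window is sliding, so a slow-and-low attempt that stays under five failures per ten minutes is not caught by this rule and needs a longer-window companion.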


End-to-End Visibility

A comprehensive fraud prevention strategy requires end-to-end visibility into the entire telecom ecosystem. Elastic Observability provides a unified view of interconnected systems, applications, and user interactions, enabling telecom operators to monitor their infrastructure holistically. This heightened visibility allows for a faster response to potential threats and better collaboration between different teams to combat fraud effectively.


Fraud Prevention for IoT Devices

The rapid proliferation of Internet of Things (IoT) devices has introduced new avenues for fraudsters to exploit vulnerabilities. Observability can effectively safeguard IoT networks by continuously monitoring device communications and identifying unusual activities or potential security breaches.
This proactive approach can prevent IoT devices from becoming entry points for larger-scale attacks on telecom infrastructure.

With the steady rise of connected 5G devices, this will become an increased focus for the Telecom sector.


Data Anonymization and Privacy

While observability tools collect large amounts of sensitive data to detect fraudulent activities, telecom companies must prioritize data anonymization and privacy. These tools employ encryption techniques and data masking to protect user identities and sensitive information while still providing valuable insights into fraudulent activities.


Conclusion

As the sector continues to evolve, fraud prevention becomes an increasingly critical aspect of safeguarding assets and maintaining customer trust. Elastic observability offers a powerful solution by providing real-time insights, predictive analytics, and end-to-end visibility. With observability, telecom operators can stay one step ahead of fraudsters, detect and prevent fraudulent activities promptly, and secure their networks and customer data effectively. Embracing observability in the telecom sector is not just a best practice but a strategic imperative for staying competitive and resilient in an ever-evolving threat landscape.


Elk Factory – Elastic Premier Partner

Elk Factory is the Elastic partner for implementing the Elastic Observability platform. We aim for a win-win: we look at how this platform can benefit your company most, and in return we gain another satisfied customer!

Get to know us and contact us without obligation.

Hacking test(s): obtaining user data via known apps
https://elk-factory.com/en/hacking-tests-obtaining-user-data-via-known-apps/
Mon, 03 Apr 2023 12:14:32 +0000

introduction

Computers are an integral part of our daily lives, but do we consider the potential built-in vulnerabilities? We urge our employees to choose strong passwords, preferably with special characters, capital letters, and numbers. But what if a few lines of text or a handful of commands can simply retrieve those credentials? What if those commands are built into Windows? What if they are freely available on the internet?

We tested this with Elastic Security as the defense that should prevent the breach.

The attack chain has three stages: collect the credential material on the host, move it off the host, and crack it.

PowerShell

The first attempt uses PowerShell. With a few PowerShell commands you can write a script that takes a minidump of lsass.exe (the Local Security Authority Subsystem Service). LSASS keeps the credential material of logged-on users in memory (NTLM hashes, Kerberos tickets and, depending on configuration, plaintext passwords), so a memory dump of it can be parsed offline with a tool like Mimikatz. Such scripts are only a few Google searches away.

As we can see, Elastic Security blocked this attempt. The notification at the bottom of the screen tells us that creation of the dump file was prevented. We will have to try another way.


Mimikatz (credential dumping)

There are plenty of ways to obtain password hashes through credential access, typically by dumping them from LSASS or from the SAM database. Note that a hash is not an encrypted password: it is a one-way function of the password, so there is no key that turns it back into plaintext. Recovering the password means guessing candidates, hashing each one and comparing (cracking). For NTLM, which is unsalted and cheap to compute, that is fast for weak passwords, and an attacker often does not need the plaintext at all, because the NTLM hash itself can be used to authenticate (pass-the-hash).

Example:

Here we see the Mimikatz.exe command "sekurlsa::logonpasswords". The output also shows the NTLM and SHA1 hashes, which can be cracked with tools such as Hashcat. That is not even necessary: various public websites offer lookup tables for common hashes if you lack the technical expertise yourself.

Again Elastic Security prevents this, by alerting and blocking as soon as Mimikatz.exe is found on an agent.

Registry Hive Dumping

This is another way for attackers to dump credentials.

System administrators use the same mechanism to create backups.

Reg.exe is the Windows command-line utility for the registry: with it users can read, modify, export or delete keys. An attacker can also use reg.exe to dump credential data by following these steps:

  1. Obtain administrative (or Backup Operator) privileges on the system; the SAM and SYSTEM hives are not readable by a standard user, so "reg save" on them fails with access denied without elevation.
  2. Save a copy of HKLM\SYSTEM, which holds the boot key (SysKey) that the SAM is encrypted with.
  3. Save a copy of HKLM\SAM (the Security Account Manager, which contains the password hashes of local accounts).
  4. Copy both files to a system the attacker controls.
  5. Extract the NT hashes from the SAM using the SYSTEM boot key, with a tool such as Mimikatz (lsadump::sam) or Impacket's secretsdump, then crack them with Hashcat or use them directly in pass-the-hash.

In the test we ran reg.exe to save the hive, but we were blocked by Elastic Security straight away. This path also leads to a dead end.

As the screenshots show, Elastic Security stopped this with the message: "Failed to run: Access denied."
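Detection logic for the three techniques tried above (the PowerShell minidump of LSASS, Mimikatz, and reg.exe hive saves), written as an added example for this page, not Elastic's rule code, and run over constructed Windows process-creation events in ECS field names. Each hit is tagged with its MITRE ATT&CK sub-technique (T1003.001 LSASS Memory, T1003.002 Security Account Manager). One detail worth noticing: the comsvcs.dll MiniDump variant takes a process id rather than a name, so the command line never contains the string "lsass"; the rule keys on the DLL and export instead and leaves resolving the PID to the analyst. The events, pids and paths are constructed.

```python
import re

# Constructed Windows process-creation events (ECS field names, flattened).
EVENTS = [
    {"process.pid": 1001, "process.name": "reg.exe", "process.parent.name": "cmd.exe",
     "process.args": ["reg.exe", "query", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"]},
    {"process.pid": 1002, "process.name": "reg.exe", "process.parent.name": "cmd.exe",
     "process.args": ["reg.exe", "save", r"HKLM\SAM", r"C:\Users\Public\sam.hiv"]},
    {"process.pid": 1003, "process.name": "reg.exe", "process.parent.name": "powershell.exe",
     "process.args": ["reg", "save", r"HKEY_LOCAL_MACHINE\SYSTEM", r"C:\Temp\system.hiv"]},
    {"process.pid": 1004, "process.name": "rundll32.exe", "process.parent.name": "cmd.exe",
     "process.args": ["rundll32.exe", r"C:\Windows\System32\comsvcs.dll,", "MiniDump",
                      "624", r"C:\Temp\out.dmp", "full"]},
    {"process.pid": 1005, "process.name": "mimikatz.exe", "process.parent.name": "cmd.exe",
     "process.args": ["mimikatz.exe", "privilege::debug", "sekurlsa::logonpasswords", "exit"]},
    {"process.pid": 1006, "process.name": "powershell.exe", "process.parent.name": "explorer.exe",
     "process.args": ["powershell.exe", "-c",
                      "$p=Get-Process lsass; [Dumper]::MiniDumpWriteDump($p.Handle,$p.Id,$f,2,0,0,0)"]},
    # Benign admin use of procdump on a non-sensitive process: must not fire.
    {"process.pid": 1007, "process.name": "procdump.exe", "process.parent.name": "cmd.exe",
     "process.args": ["procdump.exe", "-ma", "notepad.exe", r"C:\Temp\np.dmp"]},
]

# Both spellings of the hive root, followed by one of the three credential hives.
HIVE = re.compile(r"(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b")


def cmdline(ev):
    return " ".join(ev.get("process.args", [])).lower()


def detect(events):
    """Return (pid, technique_id, description) for each credential-dumping pattern seen."""
    hits = []
    for ev in events:
        pid, name, cmd = ev["process.pid"], ev.get("process.name", "").lower(), cmdline(ev)
        padded = f" {cmd} "
        if name in ("reg.exe", "reg") and " save " in padded and HIVE.search(cmd):
            hits.append((pid, "T1003.002", "reg.exe save of SAM/SYSTEM/SECURITY hive"))
        if "comsvcs.dll" in cmd and "minidump" in cmd:
            hits.append((pid, "T1003.001", "MiniDump via comsvcs.dll (target given as a PID)"))
        if name == "procdump.exe" and "lsass" in cmd:
            hits.append((pid, "T1003.001", "procdump of lsass"))
        if name == "powershell.exe" and "minidumpwritedump" in cmd and "lsass" in cmd:
            hits.append((pid, "T1003.001", "PowerShell MiniDumpWriteDump of lsass"))
        if "sekurlsa::" in cmd:
            hits.append((pid, "T1003.001", "Mimikatz sekurlsa module on the command line"))
        if "lsadump::" in cmd:
            hits.append((pid, "T1003", "Mimikatz lsadump module on the command line"))
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Command-line matching like this is the cheap layer; a renamed mimikatz binary or a minidump taken through a hand-written tool will not show these strings, which is why the endpoint protection that stopped all three attempts above also watches for the lsass.exe handle access itself.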


Hashcat

The final step is to recover the plaintext from the hashes. In this example we fed the hash to Hashcat, which tries candidate passwords and reports a match. The run finished with the status "Cracked", and under Candidates.#1 we see the password in plain text. This is how simple it can be for attackers to collect credential material on unprotected systems and crack it. How long the cracking takes depends entirely on password strength: an unsalted NTLM hash of a dictionary word with a digit appended falls in seconds, whereas a long random passphrase is out of reach, which is the real argument for the password policy mentioned in the introduction.


summary

Many built-in tools that a system administrator uses for normal operations can also be used by attackers to obtain sensitive data. Good security is therefore necessary to keep the damage as small as possible.

Abuse of many of these "well-known tools" is covered out of the box by Elastic Security's prebuilt detection rules and Elastic Defend's protections, making it a comprehensive and modern defense. Awareness is certainly important, but strong endpoint protection matters even more: many of the attacks shown here can be automated with scripts that run in the background without the end user noticing. That kind of malware is invisible to the naked eye, but not to Elastic Security.

RANSOMWARE: PREVENTING WANNACRY ATTACKS WITH ELASTIC
https://elk-factory.com/en/ransomware-preventing-wannacry-attacks-with-elastic/
Tue, 14 Mar 2023 15:05:41 +0000

INTRODUCTION

In this blog post, we will explore how Elastic Security handles a WannaCry ransomware attack on a host.

RANSOMWARE

Ransomware is a popular form of malware used by cybercriminals to encrypt files and render computers unusable, denying users access to their files and systems. The criminals then demand a ransom to restore access. An example is the WannaCry attack of 2017, which hit hundreds of thousands of computers worldwide and caused millions of euros in damage to businesses.

ELASTIC SECURITY

Elastic Security is a major player in the cybersecurity industry. It allows you to protect, investigate, and respond to complex threats by unifying the capabilities of SIEM, endpoint security, and cloud security.

SIMULATION

SCENARIO

As an employee, you receive a phishing email saying you need to download a new antivirus from your company. Once you click the link, a WannaCry sample is downloaded onto your computer. This simulation covers only the delivery and execution stage; the real WannaCry spread on its own as a worm through the SMBv1 vulnerability patched by MS17-010, so in production the endpoint protection tested here should be paired with patching and with blocking SMB from untrusted networks.

SETTING UP THE EXPERIMENT

To simulate this attack, we need two virtual machines: one for the attacker (Kali) and one for the victim (Windows). First we download a WannaCry ransomware sample from theZoo (a GitHub repository with live malware samples) onto the attacker's machine.


ATTACKER KALI

Start by downloading the ransomware sample from the theZoo GitHub repository. For this experiment we use WannaCry. This is live malware: keep both VMs on an isolated (host-only) network, take snapshots before you start, and do not route the archive through a machine you care about.

Once the zip is downloaded, extract the sample using the password infected. Rename the file to Anti-Virus.exe. We then move it to an Apache web server to deliver it to the victim.

To move it (as root, since /var/www/html is not writable by a normal user), use this command:

mv Anti-Virus.exe /var/www/html

Start the Apache web server:

service apache2 start

Once the web server is running, the sample can be downloaded from:

http://192.168.**.***/Anti-Virus.exe

This is the link that would be in the phishing email. Send yourself an email to your own address so that it can be opened on the victim's VM.


ELASTIC DEFENSE

Ensure that the host under test has the Elastic Defend integration enrolled through Elastic Agent, with malware protection in its default "prevent" mode. No detection rules need to be enabled for this scenario: prevention is enforced by the endpoint itself, and the endpoint alerts are surfaced by the Endpoint Security rule that Elastic enables automatically when the integration is added.

VICTIM WINDOWS

To make sure we were testing Elastic Defend and not Windows Defender, we disabled Windows Defender on the victim (do this only in a lab). Then we opened the link in the email that downloads the sample. Elastic Defend immediately quarantined the file: the Downloads folder stays empty, so there is no chance to execute it.

ELASTIC DEFEND RESPONSE

Elastic Security shows two alerts stating that malware was prevented: one for the download and one for the Anti-Virus.exe file. Each alert carries the file path, the SHA-256 hash of the file, the host name and the process that wrote it; the hash is what you compare against the hash of the sample you staged. From here you can add the alerts to a timeline or open a case to analyse them further, for example to see which processes were involved.
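As an added example (not code from the original post, from Elastic or from Elk Factory), the following Python script ties the two halves of this experiment together: it stages the theZoo archive for the web server while recording the sample's SHA-256, and it correlates Elastic Defend malware alerts by that hash so you can confirm that the alerts concern your staged file, that every copy was quarantined, and which host and process were involved. The alert layout is a constructed subset of Elastic Defend alert fields in ECS naming; file.Ext.quarantine_result is assumed to be the field that records a quarantine, and the archive used in the test is a constructed placeholder, not real malware.

```python
"""Added example (not Elk Factory's or Elastic's code): stage the theZoo sample for
the lab web server while recording its SHA-256, then use that hash to confirm from
Elastic Defend alert documents that the same file was prevented on the victim.
The alert documents are constructed to resemble Elastic Defend malware alerts and
use ECS field names; real alerts carry many more fields. file.Ext.quarantine_result
is assumed to be the field that records whether the endpoint quarantined the file."""
import hashlib
import os
import zipfile
from collections import defaultdict


def stage_sample(zip_path, dest_dir, password=b"infected", new_name="Anti-Virus.exe"):
    """Extract the single file from a theZoo archive, write it under the phishing
    pretext name and return (path, sha256). The hash is taken before the file ever
    leaves the attacker box, so it can be matched against file.hash.sha256 later."""
    with zipfile.ZipFile(zip_path) as zf:
        members = [m for m in zf.namelist() if not m.endswith("/")]
        if len(members) != 1:
            raise ValueError(f"expected exactly one file in the archive, got {members}")
        # pwd is only consulted for encrypted entries (theZoo archives use the
        # password 'infected'); an unencrypted test archive simply ignores it.
        data = zf.read(members[0], pwd=password)
    os.makedirs(dest_dir, exist_ok=True)
    out_path = os.path.join(dest_dir, new_name)
    with open(out_path, "wb") as fh:
        fh.write(data)
    return out_path, hashlib.sha256(data).hexdigest()


def field(doc, dotted, default=None):
    """Read an ECS field such as 'file.hash.sha256' from a nested alert document."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def sample_alert(action, sha256, quarantined=True, host="victim-win", proc="msedge.exe"):
    """Constructed stand-in for an Elastic Defend malware alert (subset of fields)."""
    return {"event": {"kind": "alert", "code": "malware", "action": action},
            "host": {"name": host},
            "file": {"path": r"C:\Users\user\Downloads\Anti-Virus.exe",
                     "hash": {"sha256": sha256},
                     "Ext": {"quarantine_result": quarantined}},  # assumed field name
            "process": {"name": proc}}


def correlate_alerts(alerts, staged_sha256):
    """Group malware alerts by file hash. For each hash report the hosts, paths and
    writing processes involved, whether every alert was quarantined, and whether the
    hash is the sample we staged (anything else is an unexpected detonation)."""
    groups = defaultdict(lambda: {"hosts": set(), "paths": set(), "processes": set(),
                                  "actions": set(), "quarantined": []})
    for a in alerts:
        if field(a, "event.kind") != "alert" or field(a, "event.code") != "malware":
            continue  # not an Elastic Defend malware alert; skip plain events
        g = groups[field(a, "file.hash.sha256", "<no-hash>")]
        g["hosts"].add(field(a, "host.name", "?"))
        g["paths"].add(field(a, "file.path", "?"))
        g["processes"].add(field(a, "process.name", "?"))
        g["actions"].add(field(a, "event.action", "?"))
        g["quarantined"].append(bool(field(a, "file.Ext.quarantine_result", False)))
    summary = {}
    for sha, g in groups.items():
        summary[sha] = {
            "hosts": sorted(g["hosts"]),
            "paths": sorted(g["paths"]),
            "processes": sorted(g["processes"]),
            "actions": sorted(g["actions"]),
            "alert_count": len(g["quarantined"]),
            "all_quarantined": all(g["quarantined"]),
            "is_staged_sample": sha == staged_sha256,
        }
    return summary
```

In practice you would feed correlate_alerts the hits of a query such as event.kind:alert and event.code:malware from the alerts index; a hash that is not your staged sample, or an alert without a quarantine, is the signal that the lab has done something you did not plan.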

CONCLUSION

Ransomware attacks are a real threat to businesses and governments, so it is essential to stay protected. In this blog post we demonstrated how Elastic Security can stop a ransomware sample before it ever runs. Bear in mind what the test covers: a known sample caught on write by malware protection. A variant the endpoint does not recognise has to be caught by behavioural protection or detection rules, and the worm behaviour of the real WannaCry is best countered by patching and by blocking SMB (TCP 445) at network boundaries.

It is important to note that in addition to endpoint security, Elastic also provides a full-fledged SIEM and cloud security within the same platform, which together deliver XDR (Extended Detection and Response). Elastic also provides a powerful Observability solution on the same platform.

This makes Elastic the best choice for covering different use cases with the same technology in a highly efficient manner.


The post RANSOMWARE: PREVENTING WANNACRY ATTACKS WITH ELASTIC appeared first on Elk Factory.

Cybersecurity trends in 2023
https://elk-factory.com/en/cybersecurity-trends-in-2023/ (Fri, 27 Jan 2023 09:03:38 +0000)

The digital world keeps broadening as we migrate more and more to the cloud, private cloud or hybrid setups. Alongside that, the further rise of AI, deepfakes and similar technologies could pose new threats to the digital security of both businesses and individuals.
The scope of cybersecurity therefore keeps growing: experts have more to manage, more to investigate and more to prevent, while the shortage of talent in the industry becomes more apparent.

[Figure: skilled talent in cybersecurity]

One of the best ways to improve cybersecurity is to implement a single platform that guards the whole digital landscape of an organization: a platform that provides actionable analytics, speed and scalability, and that is cloud-native by design, among other characteristics.

XDR is the driving force behind modern Cybersecurity investments

Extended Detection and Response (XDR) integrates capabilities such as EDR, SIEM, NDR and MDR into one product from a single vendor. A hybrid XDR, usually for legacy reasons, combines products from multiple security vendors.

A good XDR implementation makes the cybersecurity team as effective as possible.

NIS-2

While the NIS-1 regulations affected only a small number of businesses and institutions, NIS-2 covers many more sectors. The exact requirements still have to be defined and depend on how each member state transposes the directive into national law (the deadline for that transposition is 17 October 2024). Given the limited availability of cybersecurity specialists, it is highly recommended not to wait until 2025 to make your organization more secure.

We’ll keep you informed on the regulations and recommendations as soon as they are available and confirmed.

Conclusion

The webinar identified these priorities for 2023:
  • Detection of malicious user behaviour
  • Finding unknown and advanced threats
  • Improving productivity
  • Adapting to future threat scenarios
  • Supplementing or replacing existing SIEM and analytics tooling to meet 2023 cybersecurity needs
  • NIS2 regulations will have a big impact on the cybersecurity of European businesses

This report and the numbers in it are taken from the "Cybersecurity trends in 2023: Modernizing security operations" webinar organized by Elastic.

Elastic Security at ElasticOn Amsterdam
https://elk-factory.com/en/elastic-security-at-elasticon-amsterdam/ (Fri, 06 Jan 2023 14:28:10 +0000)

At ElasticOn Amsterdam, the security team reaffirmed its ambition to build an Elastic Security solution that covers cloud environments as well as endpoints. This was reflected in the renaming of Endpoint Security to Elastic Defend.

By integrating two critical components of cybersecurity, endpoint security and SIEM, Elastic Security provides prevention, detection and response capabilities for unified protection across your infrastructure, all built on collecting data, the core strength of Elastic.

The main functions of Elastic Security are the detection engine that identifies attacks, investigation and interactive visualization capabilities, and case management with automated alerts.
A great feature is the set of prebuilt machine-learning jobs that can be activated to find anomalies. There are also out-of-the-box detection rules that make it easy to protect your organization.

Cloud Security

Marvin Ngoma's talk "Defense Against The Dark Arts" demonstrated new features such as cloud security capabilities for Kubernetes and Docker environments, as well as security features aimed at cloud providers such as AWS, Azure and Google Cloud.

With the help of machine learning and the automation of repetitive steps, a security operator using Elastic Security can respond faster to intrusions.

Full Overview

Security also needs broader visibility, and speed is essential. Organizations need real-time analysis of files, users, processes and networks to determine the root cause and take the necessary actions immediately. Elastic can provide this.

The future for Elastic Security looks bright, as it can cover the entire digital infrastructure of a company: endpoints on all major operating systems, as well as cloud and on-premise workloads.

Elastic Security offers functionality that adds real value for companies and organizations.
Better safe than sorry: Elastic Security can secure your organization!

Zero-Day exploit Follina – Microsoft Office
https://elk-factory.com/en/zero-day-exploit-follina-microsoft-office/ (Wed, 09 Nov 2022 10:28:16 +0000)

On Monday, May 30, 2022, Microsoft published guidance for CVE-2022-30190, a remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT) on Windows, since nicknamed Follina. A malicious Word document uses the remote template feature to fetch an HTML file from an attacker-controlled web server; that HTML invokes the ms-msdt: URI protocol handler, which starts msdt.exe and can be made to run PowerShell code on the victim's computer. The attack therefore works with macros disabled, because no macro is involved at all.

In this test we use Elastic Security's endpoint protection (Elastic Defend) to stop the attack from executing, and its investigation tools to find the cause of the infection. To do this we use John Hammond's GitHub project (msdt-follina) to simulate the infection on a Windows 11 victim running Elastic endpoint protection. The project generates the malicious Word document and serves the HTML payload from an attacking Kali Linux machine; our unsuspecting user then opens the document.

In most cases such documents are distributed by bulk email, to reach as many people as possible with little effort.

Infecting the computer

The first step is to download the malicious Follina document to our target machine.


When we open the document, nothing happens yet, because it opens in Protected View and we have to enable editing first. This is not a reliable barrier, though: an RTF variant of the same exploit triggers as soon as the file is previewed in the Windows Explorer preview pane, without the document being opened at all.

In our case the connection to the remote server happens only once editing has been enabled: Word fetches the remote template from our Kali machine, and the HTML it receives delivers the payload to the victim.


The Elastic Endpoint instance triggered an alert about an attempt to execute a malicious file on the Windows 11 machine.


Elastic Security at work

We kick off our investigation in Kibana and see that msdt.exe was launched as a child of the Word process that opened our document. Elastic's endpoint protection terminated that process, preventing the remote code execution.

When we look deeper, we find that the alert comes from the prebuilt rule "Suspicious Microsoft Office Child Process". The rule description explains that such child processes are often launched during exploitation of Office applications or from documents with malicious macros. For this exploit the give-away is the combination of parent and command line: WINWORD.EXE spawning msdt.exe with an ms-msdt: URI and an IT_BrowseForFile parameter on its command line. Word has no reason to start a diagnostic troubleshooter at all.

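To make the rule's logic concrete, here is an added Python example (not Elastic's prebuilt rule and not code from the original post) that implements the same idea over constructed process-start telemetry laid out with ECS field names: it flags suspicious children started directly by an Office application, follows the parent chain so that processes further down the Follina chain (WINWORD, msdt, sdiagnhost, PowerShell) are still attributed to Word, grades ms-msdt: invocations highest, and leaves a troubleshooter started normally from Explorer alone. The events, pids and command lines are constructed.

```python
"""Added example (not from the original post and not Elastic's prebuilt rule): the
logic behind an "Office child process" detection, run over constructed process-start
events that use ECS field names (process.pid, process.parent.pid, process.name,
process.command_line, event.category, event.action). It flags suspicious binaries
started directly by an Office application, walks the parent chain so the PowerShell
three hops down the Follina chain (WINWORD -> msdt -> sdiagnhost -> powershell) is
still tied back to Word, and ignores a troubleshooter started normally from Explorer.
All events below are constructed."""
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe", "onenote.exe"}
SUSPICIOUS_CHILDREN = {"msdt.exe", "sdiagnhost.exe", "cmd.exe", "powershell.exe",
                       "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                       "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
FOLLINA_MARKERS = ("ms-msdt:", "it_browseforfile", "it_rebrowseforfile")


def make_event(pid, parent_pid, name, command_line=""):
    """Constructed process-start event (subset of the fields Elastic Defend ships)."""
    return {"event": {"category": "process", "action": "start"},
            "process": {"pid": pid, "name": name, "command_line": command_line,
                        "parent": {"pid": parent_pid}}}


def build_tree(events):
    """Index process-start events by pid so parents can be looked up."""
    return {e["process"]["pid"]: e for e in events
            if e.get("event", {}).get("category") == "process"
            and e.get("event", {}).get("action") == "start"}


def ancestry(tree, pid, max_depth=8):
    """Process names from the process itself up to the oldest known ancestor."""
    chain, seen = [], set()
    while pid in tree and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        proc = tree[pid]["process"]
        chain.append(proc["name"].lower())
        pid = proc.get("parent", {}).get("pid")
    return chain


def evaluate(tree, pid):
    """Return None for benign processes, else a finding with severity and reason."""
    chain = ancestry(tree, pid)
    if not chain:
        return None
    name, parent = chain[0], (chain[1] if len(chain) > 1 else "")
    cmd = tree[pid]["process"].get("command_line", "").lower()
    follina = any(marker in cmd for marker in FOLLINA_MARKERS)
    office_parent = parent in OFFICE_APPS
    office_ancestor = any(a in OFFICE_APPS for a in chain[1:])
    if follina and office_ancestor:
        severity, reason = "critical", "ms-msdt: invocation descending from an Office process (CVE-2022-30190 pattern)"
    elif follina:
        severity, reason = "high", "ms-msdt: invocation outside Office; review the launching process"
    elif name in SUSPICIOUS_CHILDREN and office_parent:
        severity, reason = "high", f"{name} started directly by {parent}"
    elif name in SUSPICIOUS_CHILDREN and office_ancestor:
        severity, reason = "medium", f"{name} descends from an Office process"
    else:
        return None
    return {"pid": pid, "name": name, "severity": severity, "reason": reason, "chain": chain}


def scan(events):
    """Evaluate every process-start event; returns findings in event order."""
    tree = build_tree(events)
    return [f for f in (evaluate(tree, pid) for pid in tree) if f]


# Constructed telemetry: the Follina chain plus benign neighbours.
SAMPLE_EVENTS = [
    make_event(1000, 800, "explorer.exe", "C:\\Windows\\explorer.exe"),
    make_event(4200, 1000, "WINWORD.EXE",
               '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n "C:\\Users\\user\\Downloads\\invoice.docx"'),
    make_event(5100, 4200, "msdt.exe",
               '"C:\\Windows\\system32\\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force '
               '/param "IT_RebrowseForFile=? IT_BrowseForFile=$(Invoke-Expression(\'calc.exe\'))i/../../Windows/System32/mpsigstub.exe"'),
    make_event(5300, 5100, "sdiagnhost.exe", "C:\\Windows\\System32\\sdiagnhost.exe -Embedding"),
    make_event(5400, 5300, "powershell.exe", "powershell.exe -NoProfile -Command calc.exe"),
    make_event(6000, 1000, "chrome.exe", "chrome.exe"),
    make_event(6100, 6000, "chrome.exe", "chrome.exe --type=renderer"),
    make_event(7000, 1000, "msdt.exe", "msdt.exe -id NetworkDiagnosticsWeb"),  # legitimate use
]
```

Running scan(SAMPLE_EVENTS) yields three findings: msdt.exe under Word is critical, and sdiagnhost.exe and powershell.exe are reported as medium because their direct parent is not Office but their lineage is. The troubleshooter started from Explorer produces nothing, which is the false positive the lineage check is there to avoid.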

Using this information, we can open a case to launch a more thorough investigation. Cases make it possible to work effectively on an incident with a bigger team and to coordinate further investigation.


Conclusion

The test showed what makes critical zero-day vulnerabilities dangerous: at the time of disclosure no fix was available from the vendor, leaving many devices exposed. Microsoft shipped a patch in the June 2022 Windows updates; until then its published workaround was to disable the ms-msdt URL protocol handler by deleting the HKEY_CLASSES_ROOT\ms-msdt registry key. Elastic's endpoint protection not only stopped the process before harm was done to the system, but also provides the means to find the cause of the infection in a user-friendly environment, making it easy to understand the chain behind the infection.

Be warned that the Follina exploit has already been used in the wild by TA413, a Chinese APT group, which distributed URLs to ZIP archives containing malicious Word documents. Other groups such as Fancy Bear (APT28) have also used this exploit.

Elk Factory

Elk Factory is a premier Elastic partner for the Benelux. If you have any concerns or questions about your cybersecurity setup, do not hesitate to contact us.

Subsidies by the Flemish government

Small and medium-sized enterprises in the Flemish region can receive subsidies of up to 45% to deploy or expand their cybersecurity setup. For more information, please read our blog (in Dutch) on KMO (SME) subsidies, or simply reach out to us.