I’ve been writing about the possibility of AIs automatically discovering code vulnerabilities since at least 2018. This is an ongoing area of research: AIs doing source code scanning, AIs finding zero-days in the wild, and everything in between. The AIs aren’t very good at it yet, but they’re getting better.
Since July 2024, ZeroPath is taking a novel approach combining deep program analysis with adversarial AI agents for validation. Our methodology has uncovered numerous critical vulnerabilities in production systems, including several that traditional Static Application Security Testing (SAST) tools were ill-equipped to find. This post provides a technical deep-dive into our research methodology and a living summary of the bugs found in popular open-source tools.
Expect lots of developments in this area over the next few years.
Let’s stick with software. Imagine that we have an AI that finds software vulnerabilities. Yes, the attackers can use those AIs to break into systems. But the defenders can use the same AIs to find software vulnerabilities and then patch them. This capability, once it exists, will probably be built into the standard suite of software development tools. We can imagine a future where all the easily findable vulnerabilities (not all the vulnerabilities; there are lots of theoretical results about that) are removed in software before shipping.
When that day comes, all legacy code would be vulnerable. But all new code would be secure. And, eventually, those software vulnerabilities will be a thing of the past. In my head, some future programmer shakes their head and says, “Remember the early decades of this century when software was full of vulnerabilities? That’s before the AIs found them all. Wow, that was a crazy time.” We’re not there yet. We’re not even remotely there yet. But it’s a reasonable extrapolation.
EDITED TO ADD: And Google’s LLM just discovered an exploitable zero-day.
Вратата се отваря и над главите ни дрънва звънче. В същия момент чуваме сирената за въздушна тревога. Поредната, неизброима за последните петнайсет дни в Украйна. Ние обаче не влизаме в бомбоубежище, а предпочитаме вратата със звънчето на една от многото книжарници в Киев.
На търговската улица „Покровская“ книжарниците са повече от хранителните магазини или от тези за дрехи. Така е не само в Киев, а и навсякъде в Украйна – малки уютни книжарнички, някои от които антикварни, или големи светли книжарници, все намерили място в подножията на старинни сгради. Често в тях има обособен кът за четене, където се сервира кафе или чай. Прави ни впечатление големият брой нови издания на украински автори. Купуваме няколко книги и бързаме към един от островите на река Днепър, където е срещата ни с Катерина.
До острова се стига най-бързо с метро, но ние избираме да вземем такси, за да виждаме града и реката, докато пътуваме. Пълзим бавно към огромния мост, докато задръстването не ни спира. Тогава шофьорът се обръща към нас: „Съжалявам, че няма да пристигнем бързо, но ако не се чувствате добре, мога да ви предложа вода, разбира се, безплатно. Ако предпочитате да отворим прозорците, ще спра климатика.“ И той се навежда към предната седалка, вади отдолу две бутилки минерална вода, подава ни ги и продължава. „Ако ви боли глава, ето лекарство.“ Пресяга се към жабката и вади малък несесер с лекарства. Гледаме го изумени и го убеждаваме, че всичко е наред, но човекът не мирясва. „Вината е моя, че влязохме в задръстването, затова моля ви, ако имате нужда от нещо…“
Клатим отрицателно глава с усмивка – всичко е наред, залезът е осветил блестящите сгради на Киев, реката кротко ни разкрива цялата си прелест с островите, потънали в зеленина. Нямаме нужда от нищо. Човекът чак тогава се усмихва, навежда се пак към жабката и вади цветни моливи и скицник: „Имам и това, ако някой е с детенце, му давам да рисува, за да не скучае в задръстването.“ Пътуваме с Bolt и сме платили предварително, след като приложението изчисли най-бързия маршрут. Затова 20 минути по-късно слизаме от таксито и само махваме на шофьора за сбогом, а той пак е усмихнат, нищо че курсът му е на загуба.
Катерина Бусел, учителка по аржентинско танго, ни чака пред школата. Когато се запознахме с нея преди година на една милонга (събитие, на което се танцува социално аржентинско танго за любители), тя дойде при нас и ни каза:
О, дошли сте да видите как се танцува по време на война ли?
После станахме приятелки и година по-късно Катерина започна разказа си за войната и тангото така:
Беше някаква лудост, плачех по цял ден и бях в шок. Ракети летяха над Киев. Не знаех какво да правя. Отидох в къщата на брат ми в селце до Киев. Партньорът ми Антоний остана само няколко дни и се върна в Киев като доброволец.
Антоний подхваща разказа оттам, където Катерина е спряла: „Единственото, което правехме, беше да четем новини – седяхме на една маса нервни, постоянно някой казваше: „Към нас идват 10 000 танка“, после лягахме да спим облечени, защото през нощта можеше да ни се наложи да напуснем селцето бързо. Разбрах, че ще ми е сложно да живея в тази обстановка, и реших да се върна в Киев. Отидох в Ирпин – да евакуирам хора. После започнахме да возим хуманитарна помощ до Чернигов. Градът беше почти окупиран, мостовете – разрушени и единственият път беше през реката. Извеждахме хората с лодки. Голям риск, защото руснаците ни чакаха на отсрещната страна и ни обстрелваха. Един от приятелите мизагина. Слезли от лодката, за да вземат хора с един бус, и тогава са ги обстрелвали с миномет. Снарядът е попаднал право в буса и ги убил всички на място. Там дроновете насочваха директно ударите. Но след като прогонихме руските окупанти, можехме да се движим по-свободно и решихме да опитаме да танцуваме отново.“
Мълчим известно време. Те – потънали в спомените си, аз – в опит да си представя всичко това. Катерина проговаря първа:
„Помня първата милонга. Събрахме се около 20 човека. Видяхме се за първи път след началото на войната и усетихме колко ни е трудно да танцуваме, защото телата ни… не усещахме телата си въобще. Беше толкова странно да танцуваш, толкова изкуствено, телата ни бяха изкуствени. Може би прилича на голяма болка, но болката беше в умовете ни. Въпреки това, когато човек отиде на милонга, си прави прическа, избира красива рокля и обувки и някак се чувстваш добре, а като видиш другите, които също са се погрижили да са хубави, се чувстваш още по-добре. Тогава разбрах, че ние трябва да танцуваме, защото имаме нужда отново да започнем да усещаме телата си, да се усещаме един друг. Защото тези наши умове с натрупания стрес и ужас в тях трябваше да се променят някак.“
Казвам на Катерина, че в по-голямата част от Украйна войната не се вижда в най-грозните ѝ лица, градовете живеят привидно спокойно и на мен ми е трудно да обясня това в България. Тя се усмихва с онзи цинизъм, с който ме посрещна преди година: „Вашите хора си мислят, че като танцуваме, значи няма война, нали… Всъщност само изглежда, че няма война, но и в градовете ни е зле, защото всеки ден имаме тревога за въздушни обстрели и попадения на дронове или ракети, след които следват жертви на невинни хора и режим на тока. Сега всички имаме генератори, но с тока, който произвеждат, човек може да си направи само чай и имаш светлина, а ако е много топло, както е в момента, не можем да пуснем климатик. Хладилниците също не работят, защото токът от генератора не стига.
Но ако се върнем на танцуването, в началото си мислех, че едва ли сега е най-подходящото време да учиш някого да танцува. Постепенно обаче започнаха да ми се обаждат хора за уроци и това се превърна за нас в прозорец, през който влиза свеж въздух, защото, докато танцуваме, можем да усещаме себе си, един друг, да се прегърнем, да общуваме и за тези няколко часа дишаме истински.“
Вечерта е скрила реката. Бързаме да стигнем до хотела преди комендантския час. На всичкото отгоре – пак проклетите сирени… Следващата сутрин Киев е озарен от слънце, а ние се катерим по един от хълмовете на града, за да се видим с Тетяна Филевска, художествена директорка на Украинския културен институт. Първото, което ѝ казвам, е колко са ме впечатлили книжарниците, пълни с книги на украински автори. Тетяна поклаща глава в съгласие:
„Звучи странно, но творческият дух се възражда и сега, по време на войната, в Киев отварят повече книжарници, отколкото през последните три години. Хората осъзнават, че убежището на културата им е необходимо, за да се чувстват по-защитени, за да оцелеят под постоянното напрежение и екзистенциалната заплаха, в която живеем. Културата осигурява пространство на спокойствие, доверие. По време на война музите не мълчат. В Киев сега се играят театрални представления и билетите са разпродадени от месеци, например за прочутата пиеса „Конотопська відьма“ („Конотопската вещица“) в Националния драматичен театър „Иван Франко“. Режисирана е от Иван Уривский – съвсем млад режисьор. Бих я нарекла черна комедия.Хората плащат десеторна цена, за да влязат в театъра. Нямам спомен това да се е случвало миналите десетилетия.
Според мен едно от обясненията е, че след като възвърна независимостта си, Украйна търпеше руската културна злоупотреба, защото пазарът на културата и изкуството беше до голяма степен под контрола на Русия и беше заливан с руски книги, музика и театър. Нямаше пространство, за да развием своя собствена културна сцена и икономика. Тук гастролираха руски театри, а руските книги бяха навсякъде. Обаче след инвазията има търсене на украинска култура.
Колкото до книгите, писателите ни пишат и от окопите. Например Артем Чех е на фронта от началото на войната през 2014 г. След като за първи път служи във войската през 2014 г., издава книга – „Нулева точка“ и се зарича никога повече да не пише за войната. По време на втория си престой на фронта през 2022 г. пише роман в окопите – не за тази война, а за украинците, които са се били във Войната за независимост в САЩ. Любопитно е да наблюдаваме как творците се опитват да размишляват над настоящите събития, но по някакъв начин изграждат диалог с други исторически периоди.
Друг такъв случай е новата книга на София Андрухович, която излезе преди няколко месеца. Изобщо не споменава войната, но всъщност се отнася за нея, защото действието се развива точно след края ѝ. Докато сме в нея, си представяме как ще успеем да я преживеем, как ще се справим с травмите, как ще построим бъдещето си, след като приключи. Но после?“
Питам Тетяна, какво предпочитат да гледат сега украинците – документални филми, които разказват реални истории от фронта, или нещо различно. Тетяна мълчи известно време.
„Получих първата си паническа атака през юни 2022 г, когато гледах документален филм за сегашната руска инвазия. Не можех да престана да плача, вдигнах кръвно. Затова разбирам хората, които избягват да гледат филми за войната. Но режисьорите не бива да спират да ги заснемат. Виждаме как нещата се променят с всеки изминал ден. Война някъде другаде веднага отвлича вниманието. Ако не правим филми, ако не уловим тези мигове, те ще изчезнат завинаги. По-късно ще имаме нужда от тях, когато се възстановим, когато имаме смелост и сме в състояние да ги гледаме. Ще ни възвърнат паметта. По себе си забелязах, че ако в продължение на няколко дни в Киев няма атаки, забравям страха, забравям какво е усещането да чуеш как десетки ракети поразяват града. Така работи умът ми, опитва се да ме предпази, защото, ако постоянно си спомням ужаса и болката, няма да съм в състояние да продължа да съществувам, да се грижа за децата си, да разговарям с хората.
Сега действителността надминава всякакво въображение и единственото, което можеш да направиш, е да опишеш какво виждаш или какво изпитваш. Дори да е твърде болезнено, дори да ти е непосилно да намериш и изречеш думите, търсиш подход, с който да не травмираш хората, да не ги изправяш отново пред болката, понеже живеем непрекъснато в нея. Някои са на фронта, други са загинали, трети са загубили дома си, чакат да бъдат мобилизирани и са под стрес… Когато си лягаме, не знаем дали ще се събудим, защото никога не знаеш къде ще удари следващата руска ракета. Виждаме всеки ден по новините как умират хора дори на най-безопасните места до границата с ЕС. Просто защото Русия съществува.“
Тетяна ми разказва, че голяма част от книгите на украински писатели излизат първо на чужд език, какъвто е случаят с Артем Чапай – той също е войник. На фронта е от началото на пълномащабната война. Книгата му е публикувана във Франция през май тази година, а ще излезе в Украйна през октомври, финансирана от френско издателство. Тетяна обяснява, че след 2022 г. голяма част от държавното финансиране за култура се отклонява, защото приоритет са сигурността, медицинската помощ, образованието и социалната сфера. Същевременно обаче в Украйна постъпват много средства отвън и украинската култура се издържа основно от частно финансиране или международни фондове.
Тук веднага ми хрумва какво ли би станало, ако украинците вземат че си гласуват един закон за чуждестранните агенти. Казвам го на Тетяна. Тя е възпитана, много деликатна жена. Говори чудесен английски, но при този въпрос занемява за миг.
„Шегувате се, нали?“ Пита ме малко изумена. Кимвам с усмивка, но настоявам да коментираме такива закони, защото те са в дневния ред на България.
„Според мен всичко, което наподобява случващото се в Русия, е опасно. Трябва да сте бдителни и да внимавате. За разлика от Русия, където хората на изкуството се опитват да стоят встрани и да се разграничат от държавата, да кажат: „Не сме от тях, нямаме нищо общо, не сме отговорни за онези хора и за войниците“, хората на културата и интелектуалците в Украйна заявяват: „Ние сме отговорни за всичко, което става тук, ако е необходимо, ще отидем и на фронта“.
Според мен това е тест за културните и интелектуални общности във вашата страна. Част от обществото ли са? Способни ли са да достигнат до сърцата на хората?
Не разбирам защо руските писатели, които подкрепят демокрацията, докато си живеят щастливо в Берлин или Париж, не говорят на своите войници на фронта. Защо не пишат и не им кажат какво става, за да могат те да разберат. Защо си писател, човек на изкуството? За кого? Трябва да говориш на народа си, да бъдеш част от нацията. Хората на изкуството, писателите – те трябва да променят нещата. В Украйна интелектуалците и творците внасят промяната. Затова обществото ни е толкова солидарно, макар по някои въпроси да не сме единни. Обаче тук културният елит задава линията на обществото. Това е дългът на културата. Трябва да ги има. Трябва да водят обществото, хората.“
Преди да си тръгнем, питам Тетяна това, което питам и всички в Украйна: от какво имате нужда?
„Хората на изкуството на фронта както и останалите войници имат нужда от още оръжие, за да спрат по-бързо войната. Разбира се, на всички им липсва дейността им. Същевременно обаче те са приели ролята си на войници и просто им трябва оръжие, за да се налага на по-малко хора на изкуството да влязат във войската и евентуално да умрат.
Хората на изкуството в Украйна имат нужда и от възможност да бъдат чути. Така че, ако имате начин да преведете украинска книга, да поканите украински музиканти, да давате информация за украинското изкуство, бихте ни помогнали много. Имаме онлайн платформа. Казва се Inside UA. Там може да прочете за украинската култура.“
В последната ни нощ в Украйна замръкнахме в Чернивци. Въпреки че минава 22 часа, а градът е потънал в мрак заради режима на тока, в хотела ни очакват. Предложиха ни готвачът да ни приготви храна, защото няма къде да се нахраним в този час. Включиха генератора, за да се изкъпем след 9 часа път и ни връчиха две фенерчета, за да осветим банята, докато се къпем, и балкона, докато се храним над красивия площад в Чернивци. На сутринта заминахме за България.
The spooky season has come and gone now. While there aren’t any Halloween-themed releases, AWS has celebrated it in big style by having a plethora of exciting releases last week! I think it’s safe to say that we have truly entered the ‘pre’ re:Invent stage as more and more interesting things are being released every week on the countdown to AWS re:Invent 2024.
There is a lot to cover, so let me put my wizard hat on, open the big bag of treats, and dive into last week’s goodies!
Something for developers There was no shortage of treats from AWS for developers this Halloween!
AWS enhances the Lambda application building experience with VS Code IDE and AWS Toolkit — AWS has enhanced AWS Lambda development with the AWS Toolkit for Visual Studio Code, providing a guided setup for coding, testing, and deploying Lambda applications directly within the IDE. It includes sample walkthroughs and one-click deployment, simplifying the development process. Now, building apps with Lambda is as intuitive as crafting a spell in a wizard’s workshop!
AWS Amplify integration with Amazon S3 for static website hosting — AWS Amplify Hosting now integrates with Amazon S3 for seamless static website hosting, with global CDN support via Amazon CloudFront. This simplifies set up, offering secure, high-performance delivery with custom domains and SSL certificates. Hosting your site is now easier than spotting a jack-o’-lantern on Halloween night!
AWS Lambda now supports AWS Fault Injection Service (FIS) actions — AWS Lambda now supports AWS Fault Injection Simulator (FIS) actions, enabling developers to test resilience by injecting controlled faults like latency and execution errors. This helps simulate real-world failures without code changes, improving monitoring and operational readiness. Great for testing that old candy dispenser!
AWS CodeBuild now supports retrying builds automatically — AWS CodeBuild now offers automatic build retries, allowing developers to set a retry limit for failed builds. This reduces manual intervention by automatically retrying builds up to the specified limit, tackling those pesky, intermittent failures like a ghostbuster clearing a haunted pipeline!
Amazon Virtual Private Cloud launches new security group sharing features — Amazon VPC now supports sharing security groups across multiple VPCs within the same account and with participant accounts in shared VPCs. This streamlines security management and ensures consistent traffic filtering across your organization. Now, keeping your network secure is as seamless as warding off digital goblins!
Generative AI Amazon Q and Amazon Bedrock continue to make generative AI seem like magic. Here are some releases from last week.
Amazon Q Developer inline chat — Amazon Q Developer has introduced inline chat support, allowing developers to engage directly within their code editor for actions like optimization, commenting, and test generation. Real-time inline diffs make it simple to review changes, available in Visual Studio Code and JetBrains IDEs. It’s practically code magic – no witch’s cauldron needed!
Meta’s Llama 3.1 8B and 70B models are now available for fine-tuning in Amazon Bedrock — Amazon Bedrock now supports fine-tuning for Meta’s Llama 3.1 8B and 70B models, allowing developers to customize these AI models with their own data. With a 128K context length, Llama 3.1 processes large text volumes efficiently, making it perfect for domain-specific applications. Now, your AI won’t be scared of handling monstrous amounts of data—even on a dark, stormy night!
Cost Planning, Saving, and Tracking Here are some new releases that can help you stay on top of your budget and keep an eye on the amount of candy that you buy.
AWS now accepts partial card payments — AWS now supports partial payments with credit or debit cards, letting users split monthly bills across multiple cards. This flexibility makes managing your budget as smooth as a ghost gliding through a haunted house!
Amazon Bedrock now supports cost allocation tags on inference profiles — Amazon Bedrock now supports cost allocation tags for inference profiles, allowing customers to track and manage generative AI costs by department or application. This makes financial management a treat, not a trick!
AWS Deadline Cloud now adds budget-related events — AWS Deadline Cloud, a service used for rendering and managing visual effects and animation workloads, now sends budget-related events via Amazon EventBridge, enabling real-time spending updates and automated notifications. This helps keep project costs under control without any unexpected scares!
And the busiest team of the week award goes to…Amazon Redshift! Clearly, the Amazon Redshift team loves Halloween and decided to celebrate in big style with many releases! Here are the highlights:
Amazon Redshift integration with Amazon Bedrock for generative AI — Amazon Redshift now integrates with Amazon Bedrock for generative AI tasks using SQL, adding AI capabilities like text generation directly in your data warehouse. Now, you can conjure up rich insights without the need for complicated spells!
Announcing general availability of auto-copy for Amazon Redshift — Auto-copy for continuous data ingestion from Amazon S3 into Amazon Redshift is now generally available. This streamlines workflows, making data integration as smooth as carving a soft pumpkin!
CSV result format support for Amazon Redshift Data API — Amazon Redshift Data API now supports CSV output for SQL query results, enhancing data processing flexibility. This makes handling data as smooth as a ghost’s whisper!
Halloween week contest runner-up…Amazon CloudWatch! The Amazon CloudWatch team has also been busy giving out candy this Halloween! Let’s check it out.
New Amazon CloudWatch metrics for monitoring I/O latency of Amazon EBS volumes — Amazon CloudWatch now offers metrics for average read and write I/O latency of Amazon EBS volumes, aiding in identifying performance issues. These insights are available per minute at no extra cost. This should help you prevent latency from sneaking up on you like a Halloween ghost!
Conclusion And that’s a wrap on Halloween 2024. I don’t know about you, but this is my favorite time of the year, followed by News Year’s. Both carry an element of unpredictability that I very much enjoy. With Halloween, you can get excited about what costume you’re going to wear, whereas New Year’s is all about new possibilities and conquering new horizons.
Luckily, you don’t have to wait for the new year to unlock new frontiers with AWS as we bring excitement and innovation throughout the year. And what better way to see this in action than at AWS re:Invent 2024!
I wonder what kinds of spells and surprises we’ll be conjuring up come Halloween 2025. Until next time, keep your eyes on the horizon—and your broomsticks at the ready!
Businesses and organizations today struggle to effectively communicate with their customers, employees, or other stakeholders across the diverse range of digital channels they now use. One common problem arises when the requirement to exchange information quickly and reliably extends beyond traditional email. This issue challenges organizations where recipients lack immediate access to email. This applies to field workers, remote teams, or customers who prefer to communicate via text messages. It is vital to bridge this gap between email and SMS communication for timely updates, urgent notifications, and seamless collaboration. However, separate management of these disparate channels independently proves cumbersome and leads to inefficiencies.
To address this challenge, one approach is to leverage Amazon Simple Email Service (SES) and Amazon End User Messaging services to create a robust, scalable, and cost-effective messaging system. This system seamlessly bridges the gap between email and SMS, enhances the reach and delivery of your messages and streamlines your communication workflows. Ultimately, this approach delivers a superior experience for your audience, ensuring that critical information reaches recipients through their preferred channels in a timely and efficient manner.
This blog post will delve into the step-by-step process of building a solution that enables both Email-to-SMS and SMS-to-Email communication. This solution allows you to send SMS messages using email and receive any SMS replies on the same email address you used to send the original message. Furthermore, you can continue the conversation by replying to the email you receive in response. By the end, you’ll have the knowledge and tools necessary to revolutionize your communication strategy and deliver a superior experience to your audience.
Here are some of the use cases for this solution:
Real estate agents can use this solution to send listing updates to clients via SMS, and then receive client inquiries and responses as emails.
Customer service team can leverage the Email to SMS functionality to proactively reach out to customers with important notifications. Customers are able to respond directly via SMS.
Retailers can use this solution to send order confirmations, shipping updates, and promotional offers to customers via SMS. Customers are able to respond with inquiries or feedback that are then received as emails.
Medical practices and hospitals can leverage the Email to SMS functionality to quickly notify patients of appointment reminders, prescription refills, or other time-sensitive information. Patients can then respond via SMS, which gets converted to an email that the healthcare staff can access.
Solution Overview
The following figure shows the high level architecture for this solution.
Email Users send an email to the email address formatted as “mobile-number@verified-domain”. Amazon SES email receiving receives the email and triggers a receipt rule.
The email is published to Amazon Simple Notification Service (SNS) topic (EmailToSMS) based on the receipt rule action, which triggers an AWS Lambda function (ConvertEmailToSMS). The ConvertEmailToSMS Lambda function performs the following actions:
Receives the event from SNS and constructs a text message using the email body content.
The SMS message ID and source email address are stored as items in the Amazon DynamoDB table (MessageTrackingTable). This tracks email addresses for replies from SMS users.
Mobile Users receive the SMS, and they have the option to reply to the phone number with two-way SMS messaging
AWS End User Messaging receives the incoming SMS message from the Mobile Users. It then publishes this message to a SNS topic (SMSToEmail) for two-way SMS integration, which triggers a Lambda function (ConvertSMSToEmail). The ConvertSMSToEmail Lambda function performs the following actions:
Retrieves the item from “MessageTrackingTable” using “previousPublishedMessageId” (SMS message ID) from the SNS event, and locate the corresponding email address.
Sends the SMS message body to the Email Users using SES. This step uses “mobile-number@verified-domain” as the source email address, and the email address retrieved from the previous step as the destination.
Email Users receive the email, and they have the option to reply to the email to continue the conversation. Mobile Users will receive the latest reply from Email Users.
Walkthrough
This section will dive into the step-by step process for the deployment. There are 4 steps to deploy this solution:
Note: the Lambda code for this solution is developed based on phone numbers and long code as the supported origination identity in Australia. You need to adjust the Lambda code (“format_phone_number” function) accordingly for this to work in your country.
Follow the steps outlined in Creating a domain identity to create a verified identity for your domain in your AWS account. Confirm your domain identity is in the “Verified” status before proceeding to the next step:
Step 2: Deploy Email to SMS functionality
The following steps create a CloudFormation stack to deploy the required components for Email to SMS functionality:
Choose Create stack, and then choose With new resources (standard).
Choose Upload a template file and upload the CloudFormation template that you downloaded earlier: email-to-sms.yaml. Then choose Next.
Enter the stack name Email-To-SMS.
Enter the following values for the parameters:
RuleName: The name of your SES Rule Set and receipt rule.
Recipient1: Domain name used for recipient condition in the SES Rule Set.
Recipient2: Domain name used for recipient condition in the SES Rule Set if you need additional recipients.
PhoneNumberId: Phone number ID of the phone number to send SMS messages.
Choose Next, and then optionally enter tags and choose Submit. Wait for the stack creation to finish.
Now you have the required components to convert email to text, and sending it as SMS to a phone number using AWS End User Messaging SMS.
Note: if required, modify the following code in email-to-sms.yaml to format your phone numbers accordingly:
def format_phone_number(email_address):
# Extract the local part of the email address (before @)
local_part = email_address.split('@')[0]
# Remove the leading '0' and add '+61' for phone number (Australia)
if local_part.startswith('0'):
formatted_number = '+61' + local_part[1:]
return formatted_number
Step 3: Deploy SMS to Email functionality
The following steps create a CloudFormation stack to deploy the required components for SMS to Email functionality:
Choose Create stack, and then choose With new resources (standard).
Choose Upload a template file and upload the CloudFormation template that you downloaded earlier: sms-to-email.yaml. Then choose Next.
Enter the stack name SMS-To-Email.
Enter the following values for the parameters:
EmailDomain: The email domain to use for the SMS-to-Email function
Choose Next, and then optionally enter tags and choose Submit. Wait for the stack creation to finish.
Note: if required, modify the following code in sms-to-email.yaml to format your phone numbers accordingly:
def format_phone_number(phone_number):
# Replace the '+61' with '0' from the phone number (Australia)
formatted_number = f"0{mobile_number[3:]}"
return formatted_number
Step 4: Set up Two-Way Messaging in AWS End User Messaging SMS
For Incoming messages destination, choose the SNS topic created from Step 3 (default topic name is SMSToEmailTopic).
For Two-way channel role, choose Use SNS topic policies.
Choose Save changes.
This allows your origination identity (phone number) to receive incoming messages, which is then published to an SNS topic and converted into emails by Lambda.
Testing
To test the solution, send an email with the destination address of “mobile-number@verified-domain”. You should receive a SMS on your mobile with the following information:
Note: AWS End User Messaging SMS has character limit for SMS messages depending on the type of characters the message contains. This solution takes the first 160 characters of the email body by default, you can adjust the EmailToSMS Lambda function as required.
Reply directly to the SMS, you should receive an email at the same email address that sent the original email, with the following information:
If you require Email to SMS, but not SMS-to-Email, consider using Sender IDs where this option is available. Not all countries support SenderID, and SenderID doesn’t support 2-way SMS (inbound).
This blog has explored how organizations can leverage AWS services to build a flexible, two-way communication solution bridging the gap between email and SMS channels. By integrating Amazon SES and Amazon End User Messaging, businesses can reach their audience through multiple channels, ensuring timely and effective delivery of critical messages.
The detailed guide provided the knowledge to create a scalable, cost-effective system tailored to evolving communication needs – whether facilitating email-to-SMS or SMS-to-email exchanges. This unified approach to email and SMS capabilities empowers companies to address the common challenge of managing disparate communication platforms, streamlining workflows and enhancing responsiveness.
If you run into issues or want to submit a feature request, use the New issue button under the issues tab in the GitHub repository.
Depending on which LLM you ask, we live in a world with somewhere between 25k and 80k AI startups. It’s a growing, highly competitive market where small startups with a big idea can find themselves toe-to-toe with the goliaths of tech—fighting for money, chips, talent, even raw electrical power.
How does any company differentiate themselves in an explosive burst of technological change, one that requires a lot of investment in talent and infrastructure, where even the richest tech platforms on the planet don’t always succeed? Today we’re sharing the story of Decart—an AI startup that used Backblaze B2 Cloud Storage to leverage a successful launch with an impressive new model that provides an order of magnitude improvement in both the training and inferencing of the largest generative models.
Backblaze is an amazing solution for AI training data. We looked at a number of options and Backblaze is seriously the best.
—Dean Leitersdorf, Co-Founder and CEO, Decart
First, the news
Decart is an AI research lab that came out of stealth on October 31 with an incredible new model:
1/ We are excited to introduce Oasis, the world's first real-time AI world model, developed in collaboration with @Etched. Imagine a video game entirely generated by AI, or a video you can interact with—constantly rendered at 20 fps, in real-time, with zero latency pic.twitter.com/WAJFRyfTzS
While this might look like Minecraft, every pixel you see here and all of the gameplay is being generated by Decart’s Oasis model. It’s like Minecraft in every way you’d expect, except that the entire experience is being generated by AI and you can creatively prompt the model to build beyond the confines of the game. The mindblowing part? Decart says Oasis can perform more than 10 times more efficiently than competitors such as OpenAI’s Sora, which hasn’t been publicly released.
Don’t let the game distract you though—the Minecraft simulation is just an expression of the power of their model. According to the Decart team, this isn’t even version 1.0 of what their approach is capable of generating—more like version 0.01. Given the broad coverage they’ve already received for their launch, we’re excited to see what’s next.
How to break out in the AI market
For Decart, the strategy to pull ahead of the crowd was simple: Disrupt the market on inference speed to deliver game changing models, and do that by building the most high-performance multi-cloud model training infrastructure possible. Then, iterate on that innovation.
We crafted state of the art infrastructure that allows us to train models that other people simply can’t train.
—Dean Leitersdorf, Co-Founder and CEO, Decart
Before we met Dean and the team at Decart, most of the hard work was done: the multi-cloud AI stack for training was dialed in and the models were going through the paces. They just had one simple, but big, problem holding them back:
The price and the logistics of moving and storing training data were going to limit their growth.
They were burning through free data storage credits from a traditional cloud provider and had data spread across a range of other cloud providers and GPU clusters. Their training data needed to scale from 100s of thousands of hours of video data to 100s of millions of hours, and they needed a storage solution that could handle that scale in three key areas:
Reliably high performance: Decart needed to know that when they got time on a cluster, they could move data in as fast as possible the second that they were able to.
GPU interoperability: They needed to be sure that whatever storage platform they chose, it would work well with a multi-cluster training approach. Being able to shop jobs between different GPU clouds and disperse training was essential for Dean’s team.
Efficiency: Every dollar an AI startup spends on anything other than training time is a competitive disadvantage, so ensuring that storage costs were low without any surprise fees for data retention or download was key.
Decart discovered Backblaze while researching storage alternatives. After a quick call and two fast months of testing Backblaze in a wide variety of usage patterns, it was clear to the team that they had found the storage foundation they needed.
We chose Backblaze because everything works. It’s super stable, and we had zero problems. That’s number one.
—Dean Leitersdorf, Co-Founder and CEO, Decart
When it came time to start moving data from Backblaze to GPU clusters, they had no problem with transferring petabyte-scale datasets. The only minor challenge was ensuring that the compute provider’s pipe could take the volume of data streaming in.
Here’s where things ended up working for Decart:
Performance: They were blown away by the performance they achieved with Backblaze (more to come on that later).
Price: With pricing at one-fifth the cost of traditional cloud providers, Backblaze unlocked a significant amount of budget.
Free egress: The true game changer. Decart, for a number of reasons, trains their models on multiple different GPU clusters at the same time. With Backblaze, they can egress their full dataset to up to three training sites with zero additional cost.
B2 Cloud Storage was literally the only technical thing we used in training these models that didn’t crash the first time we tried it. We’re in an industry where everything fails, but Backblaze didn’t.
—Dean Leitersdorf, Co-Founder and CEO, Decart
Looking forward
With performance, flexibility, and affordability squared away in their data storage approach, the Decart team is now in position to rotate out of this impressive first model and build whatever is next. With all the fundamentals working on the level that Backblaze always provides and Decart is happy with, the two teams are now working together to find even more efficiency and optimization and truly stand up the best infrastructure for training AI models.
OpenWrt is, despite its relatively low
profile, one of our community’s most important distributions; it runs
untold numbers of network routers and has served as the base on which a lot
of network-oriented development (including the bufferbloat-reduction
work) has been done. At the beginning of 2024, a few members of the
project announced
a plan to design and produce a router device specifically designed to run
OpenWrt. This device, dubbed the “OpenWrt One”, is now becoming available;
the kind folks at the Software Freedom
Conservancy were kind enough to ship one to LWN, where the desire to
play with a new toy is never lacking.
Security is a shared responsibility between Amazon Web Services (AWS) and you, the customer. As a customer, the services you choose, how you connect them, and how you run your solutions can impact your security posture.
As part of our work, the AWS Customer Incident Response Team (AWS CIRT) observes tactics and techniques used by various threat actors that leverage unintended customer configurations. Understanding these tactics can help inform your design decisions, help improve your response plans, and help you detect these situations if they occur in your environment.
This blog post dives into some of the recent techniques used by threat actors that leverage specific customer configurations or design to make unauthorized use of resources within an AWS account. We’ll explain the techniques, the customer configurations that created the opportunity, and the AWS features and services you can use to help mitigate the impact of the tactics.
Technique overview
Identity federation is a system of trust between two parties for the purpose of authenticating users and conveying the information needed to authorize their access to resources. In simpler terms, this optional feature allows you to use one central system (an identity store) for all of your users and groups (note that it is possible to configure more than one identity provider for a given AWS account at one time if you wish to do so). You can then grant those identities permissions to your AWS resources by using that trust relationship.
Prerequisites for the event
In order for a threat actor to gain initial access into an AWS account during this type of security event, a third-party IdP must be configured to manage access to an AWS account (or a series of AWS accounts in an organization) through federation. The threat actor must also have gained the ability to write to the customer’s identity store with the third-party IdP (for example, they can create a user, have compromised a sufficiently privileged user, and so on).
When an IdP is configured to access an AWS account, permissions to access resources within that AWS account can be granted to users that have been authenticated by the IdP. This means that AWS uses the preconfigured trust with the IdP when it comes to performing the user identification (such as username, password, and multi-factor authentication (MFA)). With this technique, the threat actor uses the third-party IdP user’s access to obtain authenticated access to modify and create resources in the customer’s linked AWS accounts. This scenario is possible if, for example, the threat actor can create a user in the IdP’s identity store, or if they have obtained access to a privileged user’s credentials already in the identity store.
Detection and analysis opportunities
There are multiple ways that you may be able to find evidence of threat actors’ activities in this type of scenario. The challenge for customers is differentiating between the actions taken by a threat actor, and actions taken in the course of normal operations. The primary source of evidence for customer actions and threat actor activities is AWS CloudTrail, though Amazon GuardDuty and AWS Config also have detections that may be of assistance.
AWS CloudTrail
Your investigation should start by reviewing the CloudTrail event history for specific API calls. The following is a list of some calls (including various request parameters and field values) that have been associated with this tactic.
Remember, during security events there may be other API calls present that could indicate potential threat actor activity. In this post, we’re focusing only on the API calls related to this initial access tactic.
In the organization management account, threat actors leverage actions such as the following:
UpdateTrail – This action is used to update CloudTrail trail settings, such as what events you are logging, and which bucket is to be used for log delivery. Threat actors use this API endpoint to change or reduce the logging of subsequent API calls.
PutEventSelectors – This API call is used to configure which events are selected for a specific CloudTrail trail. AWS CIRT has observed this situation in cases where event selections were configured to deactivate logging for management events for trails configured in some accounts, and to only log read-only events in others (as opposed to write events such as DeleteBucket and RunInstances). The requestParameters field in the event record outlines which selectors were requested for configuration, as shown in Figure 1.
Figure 1: Event selectors set to ReadOnly
Figure 2 displays a CloudTrail event record for the PutEventSelectors action where the includeManagementEvents parameter is set to false.
Figure 2: Event selectors with the includeManagementEvents parameter set to false
StartSSO – This action is recorded when IAM Identity Center is initialized by the threat actor to expand their access into the organization. This event is significant, because this is an uncommon action and can raise awareness of potential malicious activity if this event was not authorized earlier.
CreateUser – This API call is logged when the threat actor creates a user. While the CreateUser action can use an eventSource of iam.amazonaws.com, when the CreateUser API is issued by an identity store, the eventSource will be listed as sso-directory.amazonaws.com. The record for this event, shown in Figure 3, does not actually contain the name of the user created. However, it does contain elements that you can use to determine the username for the user created.
Figure 3: CloudTrail event record for CreateUser event
Using the AWS CLI, you can retrieve the actual username requested by the CreateUser action by using the identityStoreId and the userId in the following command:
Figure 4: Determining an identity store username from UserId
Use this username to filter the CloudTrail event history in the member accounts. That will reduce the events shown to just those taken by this specific user, making it easier to map out the actions taken during this event.
CreateGroup and AddMemberToGroup – The first action creates a group within a specified identity store, and the second action adds members to it (note that these two specific actions use an event source of sso-directory.amazonaws.com).
CreatePermissionSet – This action creates a set of permissions within a specified IAM Identity Center instance that can be applied to a member account in an organization to enable access to resources in that member account. The duration of sessions authorized by the permission set is indicated by the sessionDuration value (in the example in Figure 5, this is set to the maximum duration of 12 hours).
Figure 5: CloudTrail event record for CreatePermissionSet action
To find out specifically what policies were assigned during the permission set creation, you can look for the permission set in the AWS Management Console, or use the AWS CLI command aws sso-admin list-managed-policies-in-permission-set, using the IAM Identity Center instance ARN and permission set ARN as parameters. (This CLI command displays only AWS managed policies. To see customer managed policies or inline policies, use the aws sso-admin get-inline-policy-for-permission-set or the aws sso-admin list-customer-managed-policy-references-in-permission-set CLI commands). Figure 6 shows the output of this command.
Figure 6: Determining policy for permission set
CreateAccountAssignment – This API call assigns access to a principal for an AWS member account that uses a specified permission set, usually the permission set created in the previous action. The request parameters for this action, shown in Figure 7, include the member account ID in the targetId field, the permissionSetArn, and the principalType – either a USER or GROUP. This activity was logged multiple times—each one for a different target member account.
Figure 7: CloudTrail event for CreateAccountAssignment
When the threat actor calls the CreateAccountAssignment action in the organization’s management account, the following actions are automatically taken in the organization’s member accounts:
CreateSAMLProvider – Creates an identity provider that supports SAML 2.0.
AttachRolePolicy – Attaches the specified managed policy to the specified IAM role.
CreateRole – Creates a new role in your AWS account.
CreateAccessKey – This action was used to create an access key for a user under the control of the threat actor.
GetFederationToken – The threat actor assumed the identity of the user referenced in the previous step for which access keys were created, then called the GetFederationToken API action to create temporary credentials. These temporary credentials were then used by the threat actor to continue making unauthorized actions under a new name as identified by the –name parameter specified in the GetFederationToken event that is logged in CloudTrail (see Figure 8). The GetFederationToken event also includes other details, such as the policy that was assigned to the session, the duration of the session, and the accessKeyID generated from the GetFederationToken invocation.
Authenticate – This API call is associated with the IAM Identity Center sign-in procedure and indicates which user is authenticated by the event in the userIdentity.userName field in the CloudTrail event record, as shown in Figure 8.
Figure 9: Name of user being authenticated
Federate – This API call is logged in CloudTrail when a user signs in with the IAM Identity Center AWS Access Portal and selects the Management console option, as shown in Figure 9. (A Federate event is not recorded if the Command line or programmatic access option is selected.)
Figure 10: Signing in through the AWS Access Portal
Additionally, you may see the following actions associated with this tactic in an organization’s member accounts:
AssumeRoleWithSAML – This event record is related to the CreateSAMLProvider action taken in step 7a. It returns a set of temporary security credentials for users who have been authenticated through a SAML authentication response.
ConsoleLogin – This action is recorded by CloudTrail when a user signs in to the AWS Management Console.
Amazon GuardDuty
If Amazon GuardDuty is turned on, a finding of Stealth:IAMUser/CloudTrailLoggingDisabled will be triggered when a CloudTrail trail is configured to stop logging. GuardDuty can also inform you of anomalous API requests observed in your account with the InitialAccess:IAMUser/AnomalousBehavior finding type. For more information on finding types, see Understanding Amazon GuardDuty findings.
AWS Config
You can configure AWS Config rules to monitor and evaluate the compliance of specific AWS configurations. For example, the cloudtrail-security-trail-enabledrule will check for CloudTrail trails that are defined according to security best practices, such as recording both read and write events, and recording management events. You can then configure these rules with an Amazon Simple Notification Service (Amazon SNS) topic to deliver notifications in the event of non-compliance. It is also possible to create custom rules in AWS Config to monitor and evaluate additional configurations. For further information on how to create AWS Config Custom rules, see AWS Config Custom Rules.
Mitigating the impact of the event
If the threat actor has an ability to write to your identity store, whether through a compromised third-party provider, a compromised identity store, or because the threat actor created the identity store, you need to make sure that you are in control of privileged actions. It’s your top priority to establish authority over your AWS Organizations organization before attempting to remove the federated access vector. The threat actor can undermine any remediation you perform if they persist in your organization’s management account.
The actions that are aligned with these top priorities are the following:
Control of the organization’s management account root user: If you do not have control of the password and the MFA token (or tokens) for the management account root user, contact AWS support.
If you do have control of the management account root user, make sure that you are in control of all enabled MFA devices for the root user, remove any and all access keys, and immediately rotate the password. See the IAM User Guide for current root user recommendations.
Enforcement of control over an environment that is using AWS Organizations: The level of enforcement you apply in the early stages of your mitigation efforts will be determined by your business continuity plans, because these enforcement actions can disrupt your workloads.
If you can tolerate the prevention of new, mutating actions from being taken within your organization, you can apply the following service control policy (SCP) to your organizational root. An important point to note is that SCPs do not apply to the management account, which is why our recommendations state, “use the management account only for tasks that require the management account.” This SCP enforces its constraints only for the child organizational units (OUs) and accounts of the organizational root, which is why the first step in this impact mitigation process was making sure that you control the root user for the management account.
Within this SCP, you can see an exemption made for two break-glass roles. Where break-glass access is needed, these roles will need to be created before the SCP is applied. Break-glass access refers to a quick means for a person who does not have access privileges to certain AWS accounts to gain access in exceptional circumstances by using an approved process. (For more information on creating break-glass access for your organization, see this AWS whitepaper).
If you only have tolerance for a partial disruption of non-critical or production workloads, you can reduce and adjust the scope of the SCP to your tolerance level. Apply the same SCP only to those non-production, non-critical organizational units, or even only on individual AWS accounts, as shown in Figure 10.
Figure 11: AWS Organizations levels for service control policies
Regardless of your business continuity tolerance, at a minimum, apply an SCP similar to the following one to your organization root, in order to invalidate sessions and temporary tokens. (Make sure that the value of the aws:TokenIssueTime parameter in the SCP is set to the current date and time and uses the ISO 8601 format.) Consider that this SCP includes any and all sessions and tokens in the organization in its scope, and consider the impact if there are dependencies on sessions or tokens that are not auto-renewing.
The following example SCP denies all actions, on all resources, for any session authenticating with a token issued before 2024-06-20 21:55:34 UTC..
This blog post explains how to revoke federated users’ active AWS sessions.
Removing the federated access vector: Once you’ve recovered some control over your organization by using the preceding actions, you can mitigate two of the federated access vector scenarios with the same action. If the access vector is a threat actor–created identity store, it is a non-disruptive choice to remove that identity store.
If instead your identity store was compromised, and this identity store is the primary or sole method for authorization, deleting it from your AWS account could impact your production environments and business continuity.
Deletion of a threat actor–created identity store: This is a permanent action that cannot be undone. User and group data associated with the deleted identity store is permanently removed. This includes user profiles, group memberships, and any other user- or group-related information. Any users or groups that were previously granted access to AWS resources or services through the deleted identity store will lose that access. Any permissions or roles assigned to users or groups from the deleted identity store will be revoked.
You should be aware that in this scenario where a third-party IdP is compromised, if the identity store that the third-party IdP is connected to is the sole method for authorization, then deleting the third-party IdP configuration could impact your production environments and business continuity.
Removal of the third-party IdP from your federation configuration: When you remove a third-party IdP from your IAM Identity Center instance, any authentication and authorization flows that were using the third-party IdP for federated access to AWS resources will be disrupted. All user and group data that was previously synchronized from the third-party IdP to IAM Identity Center is removed. Any user profiles, group memberships, and other user- or group-related information from the third-party IdP will no longer be available in IAM Identity Center.
You can perform the removal of the third-party IdP by changing your identity source in IAM Identity Center from an external IdP to IAM Identity Center itself. For instructions, see Change your identity source in the IAM Identity Center User Guide.
Regardless of your previous decisions, you should make sure that there are no other methods of federation enablement within your environment. There are three other limited methods of federation into AWS. These methods don’t provide account access or privileges like the vectors mentioned earlier, but you should still review for them. One method is with an Amazon Connect instance, as described in this blog post. A second method is through an account instance of IAM Identity Center, as described in this blog post. The third method is to create an identity provider by using IAM within an individual account, which a threat actor can do by using OIDC federation or SAML 2.0 federation (look for the event names CreateOpenIDConnectProvider, CreateSAMLProvider or CreateInstance in your account’s CloudTrail event history to identify whether this has occurred).
If you don’t want to disconnect IAM Identity Center entirely, another option is to remove permission sets that are assigned individually to each member. See this IAM Identity Center guidance for instructions on removing permission sets. Figure 11 depicts how this action appears in the AWS Management Console.
Figure 12: Permission set removal in IAM Identity Center
At an even less disruptive level, you can remove the policies attached to the permission sets within IAM Identity Center, using the following steps:
Under Multi-account permissions, choose Permission sets.
In the table on the Permission sets page, select the permission set from which you wish to detach the policies.
On the Permissions tab, select the policies you wish to detach, then choose Detach. A pop-up window will appear (see Figure 12). Choose Detach once more to confirm the detachment of the policy from the permission set.
Figure 13: Managed policy removal from a permission set
Eradication
Regardless of what methods you chose for containment, you want to eradicate the threat actor’s persistent access vectors. The following list outlines the actions that customers can take to perform eradication in their environments:
Identify and methodically remove any additional forms of access or persistence within your accounts which you did not create or authorize. Generate an IAM credential report for each account and review the results for forms of access to remove.
If IAM Access Analyzer is enabled, review Access Analyzer for any externally shared resources. During this process, at a minimum, make sure that all static access keys in all accounts are revoked. Also make sure that all IAM users which had static access keys have an inline policy applied that denies access based on the aws:TokenIssueTime, where the value of the aws:TokenIssueTime parameter is set to the current time using the ISO 8601 format.
Make sure that all non-service-linked roles have their sessions revoked. It isn’t possible to revoke sessions of service-linked roles. Revoking sessions for each role invalidates any credentials a threat actor might have obtained by previously assuming the role. (For instructions on how to perform this programmatically in your account, see the section titled Revoking session permissions before a specified time in the topic Revoking IAM role temporary security credentials.)
Make sure that you have control of root users for all remaining AWS accounts. As described previously, the results from the IAM credential report will help you quickly identify any unknown MFA devices or access keys. This item is third in this list because it might be a long process if you’ve lost control of the root users. Remember that as long as you have an appropriate SCP applied, actions by the organization member account root users are blocked.
Figure 14: IAM Credential Report sample
We can see in Figure 13 that the root account user does not have an MFA device assigned.
Before you begin to delete, stop, or terminate workloads, consider taking the opportunity to isolate and perform forensics on any threat actor–created or modified resources and workloads. Although forensics on AWS is beyond the scope of this post, it is described in the AWS Security Incident Response Guide.
Conclusion
The sections in this post can help you mitigate, detect, and prepare to respond to events of this type where threat actors leverage specific customer configurations or designs.
As always, you should measure the guidance provided here against your own security policies and procedures, and should take the business requirements of your organization into consideration.
Additionally, you may want to check your environment to confirm the following:
You have removed or limited long-term access key usage.
You have deployed SCPs that prevent unauthorized manipulation of GuardDuty and prevent unauthorized addition of IdPs.
You have created or updated playbooks that incorporate incident response actions that were performed to recover from the compromise of your IdP.
You have reviewed permissions to verify that your identities adhere to the principle of least privilege. (This blog post provides further information on how to limit permissions.)
Finally, if you want to learn how you can detect and respond to other types of security issues, such as unauthorized IAM credential use, ransomware on Amazon Simple Storage Service (Amazon S3), and cryptomining, head on over to the AWS CIRT publicly available workshops. (You will need an AWS account to use the workshops.)
Thanks for reading, and stay secure!
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
With 2024 rapidly coming to a close, many of us here at Rapid7 are taking a step back, reflecting upon the successes and learnings of the last 12 months, and looking ahead to the challenges and opportunities we could jointly face in the year ahead. Of course, we are doing the same for our customers.
For cybersecurity practitioners, 2024 has been nothing short of a rollercoaster ride. As organizations continue to embrace digital transformation at an accelerated pace, the security landscape has shifted, forcing security teams to confront new threats on top of the old and adjust their strategies in real-time.
This year, more than any other, it feels like we’ve witnessed the perfect storm that will forever reshape our industry. Supply chain incidents, sophisticated ransomware attacks, and a global IT outage disrupted critical infrastructure and affected organizations across all sectors and geographies. That’s on top of the backdrop of some of the biggest public data breaches we’ve ever seen. It’s a stark reminder of the ongoing vulnerability of sensitive data and the escalating cost of breaches.
Beyond these headline-grabbing incidents, cybersecurity teams have contended with a growing attack surface driven by the proliferation of IoT devices, an uptick in cloud adoption, and the increasing interconnectivity of systems. Threat actors have capitalized on this complexity, launching more sophisticated, multi-stage attacks that challenge even the most mature security operations centers (SOCs). The sheer volume and diversity of attacks have made it clear: This is not a game of adding more tools to the stack but of refining strategies, fortifying defenses, and focusing on cybersecurity fundamentals.
The Year of Operational Strain and Strategic Reassessment
As cyber threats grew more pervasive and intricate, the demands on security teams reached a breaking point. The year was marked by operational strain, with SecOps teams pushed to their limits to defend against an onslaught of increasingly complex threats. For many organizations, resource constraints — both in terms of personnel and budgets — further compounded the issue, leading to a reactive stance rather than a proactive one. This environment has necessitated a strategic reassessment of how we approach security.
The reality is stark: In 2024, many security professionals found themselves spending more time chasing alerts and parsing through logs than addressing core security challenges. This operational burden has impacted efficiency, morale, and ultimately, the effectiveness of security measures.
Yet, amidst these challenges lies a critical insight. Empowering teams with the right knowledge, tools, and support can dramatically transform outcomes. Security leaders must take command, refocusing on strategies that foster collaboration and transparency while building resilience against a dynamic threat landscape.
Empowering Teams: A New Approach for 2025
Heading into 2025, the need for a shift in approach has never been clearer. This is not merely about layering more technology into an already complex environment. It’s about establishing a partnership that empowers teams to confidently anticipate, pinpoint, and act against threats with precision and clarity. When security professionals are equipped with the right data and expertise, they can reduce the noise, eliminate inefficiencies, and spend more time addressing the strategic priorities that truly matter to their organizations.
Central to this strategy is fostering a culture of trust and collaboration between security teams and other business units. By breaking down silos and establishing shared goals, security leaders can ensure that everyone — from technical stakeholders to the C-Suite — is aligned on what success looks like and how it will be measured. This unified approach, underpinned by reliable data and transparent communication, is key to mitigating risk and optimizing security operations.
Join Us for the 2025 Security Predictions Webinar
To help the security community navigate these evolving challenges and prepare for what’s ahead, Rapid7 is once again hosting its annual 2025 Security Predictions webinar. Featuring our Chief Scientist, Raj Samani, and Vice President of Global Government Affairs and Public Policy, Sabeen Malik, this webinar will explore some of the most pressing issues facing the security community and provide valuable insights into how organizations can better position themselves for the future.
Reflecting on past discussions, we’ve tackled critical themes like talent shortages, public versus private information sharing, and the operationalization of security.
Plan for 2025 with Confidence
Our retrospective on 2024 might feel laden with challenges, yet there is an undeniable silver lining: A unified cybersecurity strategy is within reach. By breaking down organizational silos, fostering a shared vision, and empowering security teams to act with precision and clarity, organizations can take command of their security posture.
At Rapid7, we believe that clarity is power. As we look toward 2025, our mission is to provide that clarity and support, enabling organizations to anticipate, pinpoint, and act on threats with confidence. The lessons of 2024 have taught us that resilience and adaptability are paramount. Now is the time to capitalize on these learnings and put them into practice.
Register Now
Register today and save your seat. Let’s make 2025 the year we take command of the attack surface, reduce operational risk, and set the standard for proactive, efficient, and effective cybersecurity.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
