CyberWire Daily

Deep dive into the 2024 Incident Response Report with Unit 42's Michael "Siko" Sikorski [Threat Vector]

As our team is offline taking an extended break for the July 4th Independence Day holiday in the US, we thought you'd enjoy an episode from one of N2K Network shows, Threat Vector.

This episode of Threat Vector outlines a conversation between host David Moulton, Director of Thought Leadership at Palo Alto Networks Unit 42, and Michael "Siko" Sikorski, Unit 42's CTO and VP of Engineering, discussing Unit 42's 2024 Incident Response Report. They provide insights into key cyber threats and trends, including preferred attack vectors, the escalating use of AI by threat actors, software vulnerabilities, the concept of 'living off the land' attacks, and the importance of robust incident response strategies. They also address the rising trend of business disruption supply chain attacks and share recommendations for mitigating these cyber threats.

Resources:

Read the 2024 Unit 42 Incident Response report.

Listen to Beyond the Breach: Strategies Against Ivanti Vulnerabilities.

Join the conversation on our social media channels:

Website: https://www.paloaltonetworks.com/unit42

Threat Research: https://unit42.paloaltonetworks.com/

Facebook: https://www.facebook.com/LifeatPaloAltoNetworks/

LinkedIn: https://www.linkedin.com/company/unit42/

YouTube: @PaloAltoNetworksUnit42

Twitter: https://twitter.com/PaloAltoNtwks

About Threat Vector

Unit 42 Threat Vector is the compass in the world of cyberthreats. Hear about Unit 42's unique threat intelligence insights, new threat actor TTPs, real-world case studies, and learn how the team works together to discover these threats. Unit 42 will equip listeners with the knowledge and insight to proactively prepare and stay ahead in the ever-evolving threat landscape.

Palo Alto Networks

Palo Alto Networks enables your team to prevent successful cyberattacks with an automated approach that delivers consistent security across the cloud, network, and mobile. http://paloaltonetworks.com

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration:
42m
Broadcast on:
05 Jul 2024
Audio Format:
mp3


You're listening to the Cyberwire Network, powered by N2K. When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. In Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's V-A-N-T-A.com/cyber for $1,000 off Vanta. Do you have a favorite cybersecurity joke that you're willing to tell? No, I don't have a lot of cybersecurity jokes, I gotta work on that. You want to hear one? Yeah, sure. My son's a drummer, and I was inspired the other day to change my banking password to the hi-hat. But the bank rejected it and said no symbols. Ugh, that's pretty bad. Welcome to ThreatFector, where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Molten, Director of Thought Leadership for Unit 42. This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify. The global commerce platform that supercharges you're selling, wherever you sell. With Shopify, you'll harness the same intuitive features, trusted apps, and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at shopify.com/tech, all lowercase. That's Shopify.com/tech. This week I want to share a conversation I've had with Michael Sicko Sikorsky. Sicko is Unit 42's CTO and VP of Engineering and Threat Intelligence. 
He's an industry expert in reverse engineering and wrote the bestseller, Practical Malware Analysis and teaches cybersecurity at Columbia University. Sicko was the first guest we had on ThreatFector and it's great to have him back. In this conversation, we dove into the new 2024 incident response report from Unit 42 and talked about emerging cyber threats and novel tactics that the team has uncovered as we worked matters with clients around the world. Sicko highlights the importance of managing vulnerabilities and shared his thoughts on best practices to mitigate these risks. We also discussed how leveraging AI automated responses and threat intelligence can bolster cybersecurity. You can read the report or download a copy from our website. Here's our conversation. So there were a couple of big themes that emerged from this edition of the report. It's speed matters, no big shock there, but we'll get into it in a second. Software vulnerabilities still matter and I think that given some of the news that we've seen recently, that's certainly the case. And then lastly, threat actors are becoming far more sophisticated. Let's start with that first theme about speed. In the incident response report, the speed of data exfiltration seems like it's ramping up. The median time between compromise and exfiltration was two days in 2023, down from 9 days in 2021. And nearly half of all breaches in 2023 led to data theft in under 24 hours. But when I read that, it shocked me a bit. What's the biggest takeaway for organizations trying to shore up their defenses against these quick strike attacks? Yeah, I think it's really becoming challenging for organizations that they need to make sense of this really quickly, right? If they're going to get data off your network and exfiltrate in a day, that's really fast. 
I remember when I started doing incident response a long time ago, I'd go in and the threat actor had been there for a year and they still hadn't exfiltrated or even figured out where the thing is that they wanted to exfiltrate. So the time before the threat actor got access to the things they wanted just could take a really long time. But now what's happened is people are really starting to centralize their data like never before, right? The cloud came out, people started unifying in one place, they don't have networks that are kind of messy from the perspective of the data is all over the place. It's more easily accessed across the network to the customers and more scalable. But in doing so, that kind of centralized everything and made it a lot easier for attackers to once they get access to one thing, they're able to get out with everything they need. And in a ransomware case, we worked this past year, in less than 14 hours, the attackers gained access to the org, exfiltrated terabytes of data, and then deployed ransomware to 10,000 endpoints all in 14 hours. I mean, the amount of time you have when you're talking about that is a large customer. You've got to realize what's happening very quickly and realize when you need to pull a siren and start executing and defending yourself. And I think the fact that there's just so many alerts and people are so buried by the amount of data they're getting from security products, it's really important to start including things like AI and automation and orchestration to make sure that you're able to sift through the noise, figure out what's important so you could respond super quickly to lock things down. I also think it's really important to figure out what are your crown jewels, what are the things the attacker is going to go after, right? Like when I look at ransomware extortion cases that we've worked, a large amount of them, all about that data that they're after, right? 
Because if they can get your data, steal it, you're going to, and if they encrypt it, you're going to want it back. If you don't have proper backups, let's say you do have proper backups, well, they're going to then threaten you because they took it off the network and they're going to say, we're going to release this data and you're not going to want that to happen because your customers, your patients, your employees are going to get their information leaked and that's going to be a problem for your business. What are you willing to pay for that? So what you need to do is really hyper focus around protecting the things that matter most, right? Because at the end of the day, everybody gets hacked. Your day, if it hasn't come yet, it will come. It's a matter of when that day is going to come and you need to be prepared, which means you also need to set up a defense on your crown jewels, the things that matter most, which is typically your data. And so how are you protecting that? How are you monitoring it at a level that is above and beyond anything else you're doing anywhere else? Because that is going to enable you to know when something has gone awry. Sigo, you mentioned AI and automation and I'm wondering, are you noticing in our clients a difference between the haves and the have nots when it comes to AI and automation? Maybe those that are leveraging AI and automation having smaller impacts or much faster response times? Absolutely, I think the organizations that are more mature and have adopted this more quickly, right, instead of just dumping piles of alerts to a single place and having individuals sift through them to a point that they'll never make it through, it's definitely running for that time and time again, where we're doing incident response case, we come in and a lot of the information that would have alerted them that there was a problem is there. 
So it's not necessarily like, hey, they don't have the information they need to know that something bad was happening. A lot of times that information's there, we're able to see it once we go in and really sift through it at a much lower level like you would do as an incident response to you. Which means that they didn't have time for it, they dismissed it thinking it wasn't that important or they didn't stitch things together. So that's another thing we really focus on with our technology is like, how do you stitch things together, like what you see on the network, first what you see on the host, are those one in the same? You use them together into an instance, a lot easier for you to review, figure out what's really going on and make sense of it versus if you just see those things by themselves you're just clicking through like, is this important or not, it's harder to make sense of. So absolutely, we're seeing a big difference in sort of the haves and have nots when it comes to cyber security in general. Let's talk about investigations where Unit 42 was involved and we saw payment was made. In cases investigated by Unit 42 where payment was made, 82% involved data theft and harassment was involved in 27% of the matters. With these realities, how should organizations cope with the evolution of data threats and harassment? Yeah, and that's actually up from the year before. So last year we put out a report that where that trend started and now it's just gotten really heavy, right? If you mentioned 82% of the times where we see ransomware extortion happening, data theft is included. Meaning in the early days of ransomware they came in, encrypted everything, and then asked you to pay for the key to get your data back. Now 82% of those times they're stealing your data first before they do the encryption. And sometimes we're not even seeing them even bother with the encryption at all. 
They just steal the data and then start threatening you with what they're going to do with that data. And if your whole business is data, which is very common, especially when we look at like the top industries hit, one of the top industries is high technology, which means data is a huge part of that, right? And so they're going after these entities where data is very critically important and they're stealing it. And the real reason they're doing that is because people have gotten better at having backups than ever before, because they realize that, hey, I need to actually be backed up. They need to be backed up so that they can recover from a ransomware attack, of course, but it's also because they're not going to get insurance. They're not going to get a good policy written to them if they're not proving that they can recover from an attack of a ransomware attack. So this forced the threat actors to pivot and start saying, well, how can I still get paid? Well, I can still get paid, even if they don't pay me on the encryption, if I steal the data. And then what happened is that even became a thing where people weren't paying on. And that's where they started going. That's what I described in the dark place where they started harassing people. And it's gotten pretty nasty out there where harassment is up, it's up to 27% of the time of cases. And I said, for instance, like almost every single week, we're seeing some sort of harassment. This could be anything from the CEO is getting harassed directly. We've seen spouses of sea level executives get text messages from threat actors, flowers sent to their house. I mean, that level of harassment, we've seen employees get harassed, we've seen customers get harassed where they're pretending to be the company. And we've seen people say, hey, if I know this harassment was going to be at this level, I would have paid a long time ago. 
We even had a health care organization get a hit and ran some and they then the threat actor actually reached out to the patients and said, you could pay us $3 to see what data we have and then $50 to get it removed before this all gets leaked. Well, at the same time, they were asking the health care entity to pay millions. So they're really stooping to a low level where they're willing to go after schools, hospitals, and others, like never before, and then that level of harassment, like I said, year over year has gone up and we don't sense that's going to stop anytime soon. Do you have any recommendations for how to deal with the harassment, best practices to put in place ways to add this to your playbook? I think it's really being prepared, like taking the time to think about what happens to this data, if it is stolen and somebody has it in their hands, what is our playbook to deal with that? What is the value of it to us? What happens if they leak it? What can they do with our customer data? What can they do with our patient data? What can they do with our employee data? Thinking about all those different scenarios and being ready to what to do there. I think another is making sure you have a good partner who knows the threat actors really well to the point of like, I mean, I'll talk about it. That makes sense is we actually have ransomware negotiators on staff in unit 42 who understand what the threat actors are willing to do. If they're going to keep their promises, if they're actually going to follow through and do what they said they're going to do, and because we are involved with them a lot of the time, they know that they might see us again in another negotiation, and we know what to expect from them. We know if they're just going to leak your data anyway, in which case that advice, knowing that the threat actors going to leak it anyway means that you can repair one that day and that it becomes. 
Obviously, it's about stalling them at that point if you know they're going to do it anyway, and then how to make sense of it. One of the things we're actually able to analyze with this incident response report we're putting out is how often do they keep their promises. In 68% of the time, they kept their promise, which when I saw that stat, I actually thought to myself, I thought that was pretty low, because when we looked at it, 21% of the time, they did not keep their promises, and meaning that even though they said they weren't going to leak the data, they still did after the ransom was paid. These threat actors, specifically the ransomware gangs, they have a reputation uphold on multiple fronts to stay in business. We saw 25 new ransomware groups emerge in 2023, and really, for them, it's really about their reputation. When I see multiple angles of the reputation, one is, do they pay out for access? Somebody might hack someone and use a vulnerability to get in, they then take that, and they sell access to the ransomware gang who then gets the cryptocurrency payment and actually executes the ransomware or everything else, but then they got to pay that person for the access. How often and how properly do they pay? That's part of the reputation. The other angle of the reputation is, when someone does pay them, how often is it over? How often is I pay that ransomware gang, they stop right there. They don't leak, they don't do anything else with it, and those two reputation scores really do dictate which of the ransomware gangs become the most popular, because as soon as you stray from that, it's like, why would you do business with them again? If somebody starts not keeping a promise, we immediately advise our customers to not pay them, because what's the point if they're not going to honor the terms, right? Absolutely. 
If you know somebody's not going to honor their word, especially in a high-stakes ransomware negotiation, why would you continue to work with them? Let me shift a little bit. Sitko, Unit 42 found that the use of wipers and data destroyers were up 5x year over year. How does this feed into the evolution of the attacker methods that you've been talking about? Yeah, I think a lot of the wiper activity we've seen, so when we say it's up across the board, so a lot of that is seen through the threat actors that are more nation-state focused, and obviously we're dealing with a lot of wars and geopolitical situations around the world to a point that we have virtual war rooms set up for at least three to four of them right now that are just highly active, and we're seeing nation-states really be willing to deploy them in order to cause damage and impact others' ability to do business. A lot of this is against critical infrastructure or things they perceive as the equivalent of critical infrastructure and really focusing there. We've also seen these types of technologies deployed when people just want to remove evidence of what they did. So if they did something to get onto a network, got the data off the systems and they're not actually going to deploy ransomware, they might just run some wipers to kind of cover their tracks, and if they've already made out with the data, they can still use that against the organization but then obscure the things that they did to on the network. According to Unit 42 research, software vulnerabilities are now the top initial access vector, scooting ahead of compromised credentials and phishing attacks, which is really a game changer. I'd like to hear your thoughts on what's driving this shift and how companies can stay one step ahead. Yeah, I think in 2023 when we look back, it really was that year of this steady cadence of just massive vulnerabilities that are exploited at an unprecedented scale. 
I think there's a few factors leading to that. I think these vulnerabilities, the threat actors are able to latch onto them and leverage them very quickly. We saw the clock ransomware gang jump onto the move at vulnerability and expose thousands worldwide and implement ransomware against a ton of them becoming one of the most prolific gangs of 2023 just off that alone. We saw a lot of external facing products that had zero days and organizations did not patch. We saw the Citrix vulnerability, that was huge. We saw the Cisco vulnerability. Confluence was another big one. We're talking tens of thousands of devices exposed. And then most recently, we saw Avanti talk about four or zero days in a row here with upwards of 30,000 exposed devices to the point that the US government is saying, "Forget about that. Just unplug it because we don't even know what's going to come next there. So just unplug the technology and not even use it because we don't know what more attacks could come against that." Accountability for attackers to take these vulnerabilities and scan the entire internet for them and really have a good understanding of what someone is vulnerable to very quickly so that they could execute their attack is leading towards that. So this steady cadence of just massive attacks of externally facing technologies is a big reason why. And some of these technologies are legacy. So these aren't necessarily things that are new. In the Cisco case, it was something that should have been patched a very long time ago or not even really exposed to the internet at all. So it's just a general inability for companies to patch these, prioritize the patches, but to also pay attention to their actual hygiene of what are the things they have attached where people can get access and exploit. And that's what's really important to continually perform an analysis of the attack surface that you have out there. What is your actual footprint? What things are exposed? 
Are people spinning things up in the cloud that you didn't even know and exposing that to the outside world that makes you vulnerable? Is there some old router that still has attached the web with an admin interface that shouldn't be attached? These types of things are really what organizations have to be hyper focused. Like a lot of times they're like, "Oh, we got to move to the cloud," and then they forget about all this stuff they have plugged in that used to also be looked over. So I think prioritization of the vulnerabilities patching them and then constantly paying attention to what is actually exposed, especially as more and more vulnerabilities get released, it means that you need to very quickly get in there and patch them, and that's the other thing is making sure you know what the attackers are going after. So as soon as the attackers are jump onto a certain vulnerability, you need to know about that and make that your highest priority because that's the biggest risk, right? Other days are out there no matter what you do, but knowing that the attacker is leveraging them, and that's why you need to prioritize it or even take it offline until you fix it, like those are critical things that you need to focus on. And back to the point of vulnerabilities actually displacing phishing for the first time in years, I think that's going to be short-lived. I really do. I think my prediction is that this is going to be a one-year thing, and that's despite the advantage of the advantage of the other day happening already. I think the reason is because of a generative AI and the ability of attackers, their phishing techniques are going to get so much better because you're not going to be broken English and things like that slowing them down, and instead, it's going to come up and be the number one again next year. 
So Sicko, talking to me about the best practices that you recommend to mitigate risk from software vulnerabilities, and then if you've got a couple of ideas on what organizations should immediately do if they find that their software has been compromised. Yeah, I think you just need to make sure things are patched. I think that's enough forever problem in our industry is like, how do you actually prioritize the patches? What is actually exposed? And I think that's where you do attack surface reduction, right? Figure out what is your attack surface? What are the places that they might come after you on, and make sure that you have an ability to actually figure out which ones are the ones you need to remediate as fast as possible based on what's being exposed? Also, you can limit your exposure. Why do you have an admin interface to your routers exposed to the internet? You're just waiting for some zero-data drop or something bad to happen, right? Those should be taken down, so realizing that those are up and out there are a big part of this, right? But I think about it is like, it's all about executing a plan, right? When we talked about the speed at which they're able to actually treat data, it was like, are you ever going to eliminate all of the zero days and all of your supply chain of everything you own? Probably not, but you could be prepared to figure out what to do, what happens after the fact, right? And I think that's where defense and depth come into play, right? Talking about the different protections you have across the board so that as the attacker is moving laterally, as they're logging into systems that they shouldn't, how are you catching them along the way in case they do act to use a zero-data to get in? And you didn't have a chance to prioritize it, right? 
And that's where things like zero-trust also come in to limit the damage, if they don't have the proper permissions to get access to something, they're going to then have to escalate and be able to figure out a way around. That's another angle in which you could catch them, right? And that goes back to the point of AI and automation and orchestration where you're taking all this stuff that's coming in so that you can make sense of it quickly. And I think the other, the last thing is, what is your plant, your incident response plant? So we talk about the advantage zero days that came out is you probably know if you got hit or not, but what is your playbook after that? What are the different things, your records you're going to pull? What are the different logs you're going to pull? What are the different things you're going to analyze? Or are you going to talk to you about it to get their perspective on what are they seeing and attacks that are also going on? We've worked numerous cases for the advantage zero-day talk. Talk to people like us who can give you advice of like, hey, we've seen this 10 other times. We've worked all these cases. This is what we're seeing in those cases. These are other things you need to look for. And I think that's where threat intelligence really comes to the play is, if you learning from all these different incidents that you're seeing, you can really make sense of like, well, what does the attacker do after they exploited the zero-day, right? Because just knowing that zero-day, like you might already been hit with it by the time you figured out that it's out there. So you need a plan to at least be able to dig in and leverage your relationships and partnerships to make sense of what actually is going on there. So I also think that thinking about how to protect your data to the best of your ability is critically important, right? 
So things that are your crown jewels, be monitoring them, overly watching them to the point that you're going to really understand when something's not right or abnormal actually happening. So I think this is some ideas that come to mind when it comes to what I recommend people thinking about when it comes to these vulnerabilities. Together, the report covers various ways that threat actors are becoming more sophisticated. And we touched on that a little earlier as one of the major themes. And this includes an evolution of living off the land where attackers are not just using the tools in the environment, but building their own land via cloud instances and VMs. What do you think of these tactics and how can organizations best defend against them? Yeah, I think when you start to think about living off the land attacks, you know, going back a few years now, was the threat actor would show up. You were a popular one last year was full-type Finland where they'd show up and they live off the land, meaning they'd use tools that are native on the system. So things like, you know, power shells installed in Microsoft Windows, they'd be a leverage power shell to execute an attack rather than drop malware on a system, which they might traditionally do because power shell might be allowed to run on the system. But a piece of malware is not allowed to run. And so they would leverage different tools that are already on the system natively to execute their attack. And the other angle, which you mentioned is sort of like setting up their own infrastructure inside someone's environment, right? With now the fact that the cloud has gotten so popular, attackers are getting credentials to the cloud and that enables them to spin up their own infrastructure, their own VMs inside customer networks, and essentially setting up the computer there that's running is actually inside being paid for by the person getting attacked. 
So the attacker's coming in and they're saying, "Well, I'm just going to set up my own computer in your infrastructure and launch all my attacks for there." And guess what? You're paying for the cloud bill on that. So you're essentially playing a cloud bill for the attacker to attack you, which is kind of crazy to think about. And that's where it's really important to figure out, you know, what is happening in your cloud environments, right? Doing the discovery, doing the posture management things that you need to do and to be able to catch when something unauthorized is happening very quickly and shutting it down and making sure it's gone, because, you know, people spinning up things inside your environment is, yeah, but there's a cost to it, right, because they can also spin up, start mining for cryptocurrency and everything else from that standpoint. And also, these things that they're spinning up in your environment, they might get access to systems across the network that they wouldn't otherwise have. And most people's machines on your network, like your employee machines, are managed, right? The EDR product or antivirus and other things on it that are naturally logging back and reporting that things are all good. But when they spin up these types of things in the environment, that doesn't have any of that technology installed and can make it easier for them to fly under the radar. It sounds like you're saying that the call is coming from inside the house. What's your advice to listeners to deal with this level of sophistication? I think it's all about realizing what is actually happening in your cloud environments, right? I think people are not doing that properly. They are not really paying attention to the cloud and implementing the level of protection in the cloud that they need to be. The amount of cloud incident responses that we're responding to continue to go up year over year. 
Last year it was 6% of IRs we went to, now it's already 16% of IRs, and that trend is just going to keep going up and up as more environments and more IRs involve the cloud directly. And I think when people are moving there, they're not really thinking through it. They're hiring, you know, people don't often have a lot of experience with it. They don't have a ton of people who know the security to be implementing there. There's a lot of hard-coded credentials that are being leveraged to get into things that the attacker could then go after. And then people are just not paying attention to the things that are the shadow IT that's getting spun up in the cloud. Yeah, it's getting the job done for the employees who are spinning it up, and they're not necessarily trying to cause damage by doing it. But sometimes that leaves things vulnerable because they're not touching them. They're not monitoring those things. They're getting spun up and then it provides an access for an attacker that wouldn't otherwise be there. And the same thing goes for, are you monitoring what's going on in your cloud in case an attacker gets in there and starts spinning up things left and right?

>> Through all the changes in tactics, Unit 42 saw more than twice as many investigations involving business disruption, 35% of the cases in 2023, and that's up from 16% in 2022. Do you expect that trend is going to continue?

>> Absolutely. I think that when we're seeing these extortion cases and the ability that, "Hey, we're going to disrupt and take your data and then start harassing your customers, your patients, everything else," that's very problematic, right? And I think another thing we're seeing is they're extorting you. And we're talking about data theft extortion, but another extortion technique that they could go after is, "Well, what happens if I take down your website? What happens if I take down your cloud environments because I stole the credentials to all those things?
And how many days, how many hours is it going to take you, and what is that actually going to be? How costly is that going to be to your business?" And then, also, we're seeing a lot of these zero-day vulnerabilities we saw, and even patched vulnerabilities or n-day vulnerabilities that we've seen where people haven't implemented the patch, they're having to actually take systems offline, and a lot of these are network connectivity systems, VPN software, routers, things like that, where they actually could take those offline to do an attack, and when you're taking that offline, it means people can't connect to their network, means they can't get their work done. And that's why we're seeing those go up, is because of a combination of these extortion techniques, a combination of the types of vulnerabilities that we're seeing out there being exploited.

>> I think you're absolutely right there, Siko. As an attacker, you want to have leverage, and it really doesn't matter if it's a threat to shared data or to turn off work processes, it's leverage. And I think attackers, as nasty as it is, are willing to use it. So let's shift gears real quick and talk about AI, everyone's favorite topic. Given the significant role AI plays in cybersecurity, and this is something that's highlighted quite a bit in the 2024 Incident Response Report, could you share your perspective on how AI is reshaping the landscape of cybersecurity, defense, and threat detection?

>> Well, I think AI has been reshaping that landscape for a very long time. And I think a lot of companies like ours have been investing in AI for quite some time. And I've personally been doing research for the detection and classification of malware using AI for well over a decade. And I think it's really focused on, it's really coming to be in the popularity because of things like ChatGPT, and I think that'll enable people to learn things more quickly.
I mentioned attackers will leverage it to make their phishing attacks better. But I think the AI reshaping cybersecurity defense is a journey we've been on. And the question is, how quick can we get there, because we really need to move faster. Because as fast as we're going to implement AI in our defense, the attackers are going to be using AI for their attacks. And so we have to stay ahead of the curve. And I do think there's some promise there, there's some light at the end of the tunnel from the perspective of if we can use AI to find these vulnerabilities in our software, other developers are writing them, which we're starting to do. We can then patch them and not have them even exist, right? And if they don't exist, then the AI on the other end isn't going to find them, right? So I think there's really a lot of thought of like, could AI actually cause more benefit to defense than it can to offense, in which case it could be really beneficial, because at the end of the day, there is time for us to fix all the problems before it goes out. And so it's about how fast can we leverage that technology to make sense of things. And then I think we have invested a lot as a security industry, as CISOs, in trying to implement these things. We wanted all this cool technology out there. But the problem with all the cool technology is it just fires a tremendous amount of alerts that is just really problematic for us to make sense of as humans. And that's where AI really needs to come in and clean things up, because we can't possibly have a human respond to a billion alerts that are coming in a day, right? We need that summarized and turned into just a few things they can action and dig into, and actually try and figure out if there's something more to it.

>> Siko, give me some insights on why the Unit 42 team spends the time and effort to produce these types of threat reports.
>> It's really important to take a look at the trends of what you're seeing across periods of time so you know how the threat actor is adapting. And one of the big things we do in Unit 42 is we don't just go around doing incident response one after another. We actually take time to examine what happened in those incident responses. Sometimes that goes as far as staffing a threat analyst on an incident response so that they're sitting there side by side with the incident response team digging in, providing support of saying, hey, we saw this threat actor three, six months ago, whatever it might be, this is what they did. So we usually look for these things, and this is what they're known to do after that. And then also learning from the experience. So by learning from our experiences as we do incident response over a long period of time, we could really glean a lot of information about how the threat actors themselves are evolving. And then when we come into the next incident response that hasn't even hit our phone yet to call us in, it's almost like we know what to look for as soon as we come walking in the door. And when you take it a step back even further than the lower level attacker level, you can say, what does this look, what do the trends look like across all incident response? And by doing so, you could say, well, let's take a look and figure out how are people breaking into these networks, right? Because nowadays we can actually take our time to do an incident response. And during that, we could say, how did they get in? What was the initial infection vector that led to this intrusion? That's because of the fact that we're getting called in so much faster than we ever were before. We can figure out how the attacker got in, and by looking at that across all of the incident responses we've done, we could say, oh, this is where we really need to focus our security.
We can use that information to find gaps in our own products, gaps in what the customer owns and how they have their things configured. And then we can best go into the new year knowing what types of things to recommend to customers based on what we've historically seen.

>> All right, Siko, this has been a fascinating conversation. What's the most important thing a listener should take away from today's conversation?

>> I think the most important thing is the fact that if vulnerabilities have become the number one way that they're getting into a network, I think that's a very hard thing to combat. I think it's a best effort, I think it's focusing on your attack surface that's out there. But inevitably, with a zero day, by nature of it being a zero day, there's only so much you can do. And that's why defense in depth and making sense of all those alerts, which is really your defense in depth, right, because you have all these point products that come together. If you can make sense of all that noise and turn it into the one alert, that's the really important one for you then to pivot and realize that I need to dig in all these other places and action it in the right way. I think that is of the most importance. And I think that comes together with AI, with threat intelligence, and with really making sure that you're protecting the things that matter most.

>> Siko, thanks for taking us through your thoughts on the new 2024 Incident Response Report from Unit 42. We have a link to that report in our show notes or you can visit the Unit 42 site. Before we end today, I want to share some of my own thoughts. Hosting the Threat Vector podcast means I always learn something new from our guests, and I hope you do too. For me, talking to experts is an incredible way to learn, and today I had three big takeaways. My first takeaway happened when we were talking about vulnerabilities.
In this report, we noted that software vulnerabilities were the number one access point for threat actors and then recommended having a well-planned, well-practiced incident response strategy. The second part, the IR strategy, really isn't a surprise, but for me, the big takeaway I had was that this recommendation is great advice for anyone that needs to respond to a security risk. Podcast hosts included. As the person responsible for Threat Vector, I didn't have a playbook for how to get an episode out when the Ivanti vulnerabilities rapid response kicked off here at Unit 42 at the beginning of February. Thankfully, I'm surrounded by incredibly dedicated professionals here at Unit 42 and we were able to respond and put out a great episode. In fact, if you've not heard it and are concerned about the Ivanti vulnerabilities, you should go listen to it. There's a link in our show notes. Ingrid Parker and Sam Rubin did a fantastic job outlining the situation, the risks, and then gave thoughtful guidance on what you should do, and as Sam pointed out, even if you're not impacted by these Ivanti vulnerabilities, use this moment as a reason to review your playbooks, or as he says, let's use this as an opportunity to make sure that we understand our attack surface, let's make sure it's an opportunity to make sure we have the right prevention, detection, and response strategies and capabilities in place. And if you need help with that, contact Unit 42. The next thing I took away from the conversation was Siko's prediction that vulnerabilities being the number one access point for threat actors will be short-lived. At first, this really surprised me, but I think he's right, threat actors will leverage any technology that gives them an edge, and AI will certainly help threat actors with phishing. As we update this report throughout the year, this will be something that we look out for. I suspect this is a case of when, not if.
And my final takeaway was a reminder of just how relentless and adaptable and at times sophisticated threat actors can be. The part of our conversation where Siko explains how some threat actors are using the victim's own cloud environment for their activities really was adding insult to injury. It's frustrating to know that some victims are paying the bill to be attacked. I know my counterparts on our threat intelligence teams and our consulting groups are helping clients deal with these realities all the time. If you need help dealing with a sophisticated threat actor, or maybe you're like me and have recently been reminded that you should have an incident response playbook, you should talk to the professionals in Unit 42. I want to thank Siko again for taking us through this report and its findings here on Threat Vector. We'll be back in two weeks with Jacqueline Woodaika for a deep conversation on the SEC's cyber rules. Until then, stay secure, stay vigilant, goodbye for now.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most right now to frontline practitioners. Register early and save at mWISE.io/Cyberwire. That's mWISE.io/Cyberwire.