Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:06):
Hello and welcome to another episode of the Simple Talks from Securonix. I am your host, Augusto Barros. In this episode we have our first Securonix employee guest. I have here with me Tim Peck, Senior Security Researcher with Securonix.
(00:29):
Tim is really in charge of a lot of the very interesting threat research that Securonix puts out there, so I'm really excited to have him as the first Securonix guest here at the podcast. So, Tim, hello, nice to have you here.
(00:49):
Why don't you introduce yourself and talk a little about, kind of, where you came from and how you ended up here doing threat research for Securonix?
Speaker 2 (00:53):
Absolutely. Thanks, Augusto, thanks for having me. So I've been in the cybersecurity space for more than 10 years. I started out even before that doing sysadmin work, Linux sysadmin, Windows sysadmin, and kind of morphed into the cybersecurity space as a threat analyst, then eventually got
(01:14):
into consulting and incident response, and that led into, I guess, my desire to understand threats even more: taking things apart, understanding malware systems, how those run, you know, what the APT, what the bad guys are using and how those systems are designed.
(01:34):
And, you know, even more complex campaigns like ransomware campaigns. You know, how they start, how they end, you know, those types of things, kind of the whole life cycle, and it kind of just led into, you know, my role here as a senior threat researcher at Securonix, and that's what I do here. And not only, you know, we kind of do start to finish, right? You know, start with threat
(01:56):
intel, get information on how to detect threats and then, you know, build these detections to detect them, and we try to stay ahead of the game too. But that's me as kind of a threat researcher and how it all started and what I do here, and I love it.
Speaker 1 (02:10):
Right, and that's something that was interesting when I joined Securonix back in 2020. I think Securonix was one of the few pure-play SIEM vendors that
(02:31):
actually kind of was putting out threat research, and at least for me, that was a very important factor to consider Securonix as a company to join, right? So, and I think today, kind of, when you look at the market, I think kind of things have evolved, so, say, most of our competitors are also doing some level, right, of threat research. So in that sense, right, why do you think it's important, right,
(02:56):
kind of, for a SIEM vendor to have its own threat research team?
Speaker 2 (03:01):
I think it's critical, especially SIEM, or if you're in the cybersecurity space in general, especially SIEM, because, you know, what's the goal of SIEM? We're taking that log aggregation to the next level and turning it into something that can produce actionable alerts. Right, we already know that the bad guys are out there.
(03:25):
They don't stop, they don't slow down, they innovate very well. Having a threat research team for a SIEM vendor is critical because it allows us to get ahead of that or stay current with that, with the latest tactics and techniques that those bad guys are using, and integrate that knowledge into a product. So SIEM especially, I think that's incredibly important.
(03:47):
But if you're going to be a cybersecurity player, you kind of have to have that threat research baked into your product to stay current. But that's kind of my philosophy as to the why, and I think we do a pretty good job at staying ahead and catching some
(04:07):
of these threats quickly and baking that into the product.
Speaker 1 (04:11):
Right, and the output of that research. How do you think it is more valuable to the vendor? If you look only into our Securonix realm here, right? Where do you think we get most value from this research? Is that by seeing things that we are probably kind of
(04:33):
currently not able to detect and having to improve the product to catch up with that? Or is it about content production, right? Kind of essentially kind of having material to create more unique rules, for example, if we use a more simple language related to the same space, in a way that the customers wouldn't
(04:55):
have to do that on their own? Where do you think is the heaviest weight for the value of the research that you're producing?
Speaker 2 (05:03):
It's certainly both. But, you know, a lot of customers, they're not going to have a dedicated threat research team with resources as far as acquiring, like, the latest threat intel, and so that is where we step in, and we're able to be pretty rapid with some of these. You know, for instance, if we take our advisories, if you go out on the Securonix blog, we have quite a few that we've put
(05:26):
out. The nice thing about those is not only are we helping the industry as a whole, we're helping, you know, the Securonix customers in general. By the time those advisories hit, the news hit the media, you know, we've already baked all these detections into the product already. So it allows us to position ourselves kind of a step ahead
(05:48):
of just the industry in general, but also kind of shake up the bad guys too as well. So a lot of times when we're developing detections for unpublished threats, we have to be quick, and a lot of times it's funny. Sometimes we'll put out an advisory, you know, where C2 servers at the time are live, and as soon
(06:10):
as we publish the advisory they'll go down, you know. So we're kind of shaking up the bad guys too, as well as, you know, helping out the industry at the same time. So it allows us to be a bit more rapid in that aspect.
Speaker 1 (06:23):
Right, and kind of, when I look at kind of some of the research that we produce, and probably not only kind of we, but kind of from the entire community in general, sometimes I have the impression there is a lot of more of the same, right? Like, oh, there is this group here that we see them doing this and that, and now there's a
(06:43):
small variation in their malware. Now, instead of sending their attachments in an email, instead of an LNK file, now it is a zip file. We see these small variations in the attacks. But that gives me the impression that we see these small changes, but we don't see huge evolutionary steps in the
(07:09):
way that the threat actors operate. Is that because they really do not need to do that and they just tweak their methods and their practices, their TTPs essentially, right, kind of to find the next one that will work, or are they kind of slowing down in terms of innovation? Or are we just kind of, from a threat researcher, kind of
(07:32):
effective in this point of view, just finding those small variations, and maybe for some reason we may be missing the big changes that are happening kind of from the threat side? So first, I think probably I end up kind of going too long in the question. First, kind of, why is there this impression of more of the same, and is that kind of from kind of the research side?
(07:53):
Is that from the threat actors' way, right, of evolving kind of their practice? So why do you think that sometimes that impression exists?
Speaker 2 (08:03):
Yeah, no, absolutely. Those small variations are way more common, but they're worth tracking. A lot of times, you know, they'll take the path of least resistance. You know, right? If they can just make a small tweak that, you know, bypasses a certain AV vendor, if they know their target well, that's all they need to do versus completely retooling. We do see both.
(08:25):
But to your point, yeah, we do see a lot more subtle variations, and maybe, you know, an early-stage loader or, like you said, an LNK file. You know, maybe they adapted to, you know, a different execution method or a phishing email tactic. So it's definitely going down the path of least resistance. A lot of times you'll see certain trends with certain
(08:46):
threat actors. They favor this particular malware dropper, loader or initial infection method, and they kind of stick to that. And a lot of times it really helps with attribution, because it's like, oh, this is a classic APT37 or APT39 initial infection. So a lot of that data is useful, whether we're building
(09:08):
detections or not. Like other aspects, like I said, attribution is another one, and identifying. But every now and then we do come across some pretty novel changes where we are able to attribute either the malware or attack campaign to a certain group and it's totally out of left field. But then again, yeah, sometimes you see those small changes, and
(09:31):
those are all great to track too, because, you know, when we're building detections and we're tagging them for particular groups or variants of malware, ransomware, you know, we're able to stay accurate on that aspect.
Speaker 1 (09:46):
Oh yeah, in that sense, right, you end up connecting to kind of another question that I wanted to ask you, right. What are the most interesting findings, right, you've seen, right, kind of doing your research? Kind of, what is the thing that you found and said, wow, these guys are doing this or that, right, kind of, or that wasn't expected, right? Kind of, what are the most exciting findings?
Speaker 2 (10:10):
Oh yeah, there's been a few, yeah, and those are always the best. Honestly, when you discover a brand new tactic or a new strain of malware. I'd have to say the couple that stand out the most. We published our findings on, it was either last year or the year before, on Stark Vortex, which was kind of in light of the Russia-Ukraine war. This was an incredibly targeted piece of malware to the Ukraine
(10:34):
military, and what made it targeted was the way it would propagate through systems. Traditional malware, ransomware, it typically propagates through network protocols, right, SMB, you know, you name it. It'll have built-in network scanning. This didn't do any of that. It propagated purely through USB drives.
(10:57):
It's Stuxnet style, right? Exactly, yeah, so it would basically just put some dropper lure on USBs any time it ran. It would persist in the system really well. But if you kind of step back and think about how the Ukraine military operates, it's a very distributed system, right? There's not some centralized network.
(11:17):
When you're out in the field, you know, USB drives, if you think about it, would be the primary source for sharing or distributing information, and so it was kind of an interesting finding, and there wasn't a lot of research at the time around that. It seems to be getting a little bit more common now. But it was pretty novel at the time and pretty interesting.
(11:38):
But it just kind of goes to show that, when it comes from a threat actor standpoint, you know, understanding your target, you know, and that's something that a lot of these high-profile APT groups do really, really well, right. That's kind of witnessing cyber war going live, right? Totally, that's certainly exciting, right, from a research
(11:59):
point of view. Yeah, it's like cyber war over the top of an actual physical war. So yeah, really interesting, I'd say. The other one, you asked for a couple, so I'd say Steep Maverick was another fun one. This one was just layers. Maybe to me it was more fun, but it was just layers and
(12:21):
layers of the malware. I mean, its obfuscation level was absolutely insane. It took forever to analyze, but it was rewarding because it was really interesting. There's probably like 13 layers to that, but, you know, it embedded in the system and dropped a custom payload at the very end, and, you know, it was kind of cool seeing this brand
(12:42):
new tactic. I can't remember the lure off the top of my head, whether it came in through phishing or not, but generally we don't see that many obfuscation layers coming in through the malware. But it had a lot of new ways of hiding code, and I like that too,
(13:02):
because I kind of see it as a puzzle, where if you're able to get something to execute that shouldn't execute because it would normally be blocked by antivirus, but that particular campaign just had a lot of that. So that was more of a, for me, fun to analyze. Obviously, you know, to kind of rope it back to your question, it was very new for the industry.
(13:24):
This was something we hadn't seen before. So it kind of fits both of those pretty well.
Speaker 1 (13:26):
And I remember reading that specific piece of research, the layers and layers of obfuscation, and what came to me when I was going through it was, well, there's really a lot of effort to bypass primarily endpoint detection, right?
(13:47):
So it really looked like what was probably the biggest pain for the threat actor in that scenario was being detected on the endpoint, right, or by an endpoint security solution. And when we look at the entire threat chain, right, for many of these cases there are so many other opportunities for detection that sometimes I have the impression that the actors
(14:11):
are just not trying to improve in being more stealthy or harder to detect in some of those layers, like the identity side, kind of, in the way that they are trying to elevate privileges, or sometimes even the command and control side, because so many organizations today put so much emphasis on kind of their
(14:32):
EDR capabilities, for example, or their endpoint security. Then we even see the outcome, right, of that kind of on the threat actor side, right, kind of, they're putting so much effort to bypass, right, or to avoid detection from those security components, while the kind of the defense side could, looking at those other points and other steps in the attack,
(14:55):
probably kind of avoid having to be so much involved, or kind of putting so much effort on that endpoint, because there are other places that the threat actors are not evolving as fast or as constantly that are also kind of very good opportunities for detection. Am I right with that impression, kind of? What do you think?
Speaker 2 (15:13):
Oh, absolutely, no. You know, detection in general is a huge net, and I kind of like to run with the philosophy of, you know, it's a very basic cybersecurity principle that I think a lot of times we overlook, and I'm sure you've heard this before: network defense, everything valuable
(15:40):
products, especially when you pair it with a SIEM, right. EDR bypass is a thing. In fact, there's a MITRE tactic around it. Threat actors are very good at understanding EDR and how to bypass them. You know, it'd be foolish to think that they probably don't have some form of, oh man, I don't know how you would phrase
(16:01):
this, but a way of sandboxing their malware and running it against some EDR platforms. You know these, especially APT groups, these state-sponsored groups, they're very resourceful. So if they know a target is running, you know, EDR vendor X, right. You can iterate and experiment, right, so they have an opportunity, right?
(16:22):
Exactly. And so it's a thing, you know, and I wouldn't say it's easy to do, but it's certainly possible, and with the amount of resources that they have it can be done. And so when you pair your technologies, you know, EDR plus SIEM or NIDS, you know, whatever it's going to be, your odds of catching something go through the roof, right. You know, in
(16:44):
the case of Steep Maverick, you know, it did generate a lot of noise. However, it was very good at bypassing AV. So, you know, when we published this detection, you know, obviously, like I mentioned before, we published some detections for the product that can catch this as well. So it's all about kind of overlapping, spreading out your
(17:08):
detections as much as you possibly can and, you know, obviously fine-tuning them. At that point it's a process, but it certainly can be done. So the interesting aspect with SIEM is that, compared to EDR bypassing, EDR bypassing is pretty well documented. Bypassing a SIEM is kind of a wild card, because you don't really know what the capabilities of the product are,
(17:30):
kind of jumping into it.
Speaker 1 (17:32):
What telemetry you're collecting, right, so you don't know what signals you're generating, right, so it's hard for the attacker, right, kind of, to make sure that they're not leaving anything behind that the SIEM is looking for, right. Exactly.
Speaker 2 (17:47):
So I mean you could use your SIEM as, like, an ultimate weapon, right, because, I mean, it's hard, you know, whether you're doing red team simulation or you are concerned about legitimate threat actors in your network. You know, you can dial in these detections really, really well to catch these guys, because, yeah, unless they have somehow access to your product, which, you know, I can't think of
(18:12):
a single campaign where that's happened, but, you know, they don't know what you're, they don't know what to know at that point, so it makes it a bit more difficult for them, right. But in the end, you know, it's all about adding those layers, right.
Speaker 1 (18:26):
That's right. And I think one thing that we probably do not do as well as an industry, sometimes we end up kind of putting, on the defense side, we put many layers on the same place, so the attacker's kind of, their behavior is the most expected one, right? They'll just avoid that place, right, when there are no other layers. So defense in depth, right, is not about kind of having three
(18:47):
endpoint security solutions running on your endpoints, right, but kind of covering kind of many, many places where you have the detection and even kind of the attack disruption opportunities. So if for some reason your endpoint capabilities are not performing or not doing their job, you'll be able to find something on the
(19:08):
identity and credentials level. You'll see someone kind of using permissions or kind of receiving privileges that they should not have, and so on. You have visibility across multiple places. I think the defense in depth, I remember having discussions, and there was a time when we were talking about putting firewalls
(19:30):
from different vendors. You have two layers of firewall in front of a network, one from Cisco and another from Checkpoint. It was such a silly thing to be done, because the attackers were just going to do something different, right? Or just go to the internal systems directly or, as you mentioned, kind of in one of those cases, use a USB drive,
(19:50):
right, and then the firewall doesn't matter anymore, right? It doesn't matter if you have one or three. So I think kind of, when you look at the defense in that aspect, that's something that really needs to be well thought, right. Kind of, you're putting the layers where it matters more and not duplicating efforts in a place that can be easily bypassed. Exactly. Of course, kind of, you already mentioned kind of the
(20:12):
value that research has for us, right, kind of as a security provider. Now for the end-user organizations, either our customers or not, how do you think that they should be using the output of threat research? I call it threat intel. So you're essentially producing threat intelligence. So how the organizations that could be targets or victims of
(20:37):
all those threat actors, how should they be using the research that you put out there?
Speaker 2 (20:44):
Oh, man, I'd say, you know, don't rely just on our research. There's a lot of really good research out there. I think the stuff that we put out, you know, not to toot our team's own horn, but it's good, and fortunately, you know, being part of the product, we kind of have the opportunity to kind of bake it in there.
(21:07):
But, you know, aside from just the direct research and our publications, you know, we do feed in direct threat intel into, like, a product, Autonomous Threat Sweeper, things like that. So that's probably a very direct and easy way to get some of this threat intel that we do.
(21:27):
Other than that, if you want to take a proactive approach, I tell everyone this: run your own honeypot, see what you can find. And a lot of times that can help with detections, because you'll understand who's targeting you, what ports are open, what bots are actively trying to scrape your content. And if you want to take that an even further step, go
(21:53):
down the cyber deception route. That is where, in my opinion, any SIEM technology can absolutely shine. It would require work on your end, but create a honey domain admin, create canary lures all over your network and then tie in specific SIEM rules into those.
Speaker 1 (22:14):
Oh, you're touching on my favorite topic. Don't even start it.
Speaker 2 (22:18):
I mean, the great thing about canaries and cyber deception is that they don't false positive. And so somebody on a network share touched passwords.txt, right, that's always going to be weird. Who did that, you know? Or if you have, like I said, a honey domain admin that's not allowed to log in, but somebody is trying to log in
(22:39):
as that user, that would always be weird, you know. That could either be, it's a very high-fidelity signal. Exactly, yeah. So that's like generating your own threat intel, and also is just a really easy way to catch some of that low-hanging fruit. Those canary rules are usually pretty good because your threat
(23:02):
actor is not going to know that they're there, and anytime something triggers it's going to be suspicious. So generating your own threat intel through cyber deception, I think, would probably be my number one.
Speaker 1 (23:15):
Yeah, cool. Yeah, there is kind of an interesting piece of forgotten history here, right. You mentioned kind of the honey accounts, honey domain accounts or canary, right. Many times I refer to it as honey tokens, right, and I accidentally created that term back in 2002 in a Focus IDS mailing
(23:39):
list discussion. That was kind of a fun piece of history. Oh nice, that's awesome. We're also kind of looking at some of this threat intel, and what I see very often is people from the SOC. They very quickly, they focus on the indicators they're
(23:59):
associated. For example, when you put an advisory out there, right, you have all the explanation about what you found, what kind of is the apparent motivation in that case, what they were trying to achieve, kind of their methods, et cetera, and then in the end, right, you have all these indicators. Sometimes my impression is the people from SOCs will very often
(24:20):
directly go to that list of indicators and throw those into their tools, into either their SIEM or kind of whatever kind of they have that can look for those indicators, right, kind of either kind of retroactively, as our Autonomous Threat Sweeper, or kind of in a more kind of online detection mode, but they jump over all the text that you have on that research,
(24:41):
right, and my impression is that they are missing the most valuable part, right? How do you think these groups should use, right, kind of the long explanation about the threat that you have in those advisories, as opposed to what they normally do with the indicators?
Speaker 2 (24:59):
Well, definitely use the indicators, but I feel like a lot of times our advisories, yeah, they can probably be a little technical. I think our team is just very technical, so that's what it translates to, and I don't think it's us, it's probably just the whole industry. Some of those can be 20-something pages. So I won't take personal offense, but I think sitting
(25:22):
down and reading them, if you can take the time, it should get you into a threat actor's head a little bit more. Especially with kind of the early stage and late stage, the middle. You know, how they obfuscate, how they are able to bypass. You know, from an attack/defense standpoint, I think that's important. But if you take a look at our advisories, you know, where
(25:45):
do most of these start? You know, it's probably through some phishing email. Phishing's still incredibly common, tried and tested. It still works. We read about new campaigns, or, you know, exploitations that happen across, you know, all these breaches through companies. And how did it start? You know, phishing email, probably. So, yeah, pay
(26:07):
attention especially to how things start, because I think that should help you understand, like, how these threat actors are getting into your systems and how they're able to execute code from an early stage, how they're able to lure or trick, use social engineering to get you to run whatever file that is.
(26:27):
They're getting more and more creative and clever, especially going down the route of malvertising and things like that, masquerading as a legitimate product or service, and you end up installing malware on your system. The early stage, I would always encourage you to read through any security
(26:48):
advisory just to understand, to get into those threat actors' heads. And I think the more you get into those threat actors' heads, the more you start translating that into your real-life practices. So if you're a cybersecurity leader, anybody in the cybersecurity space, like, thinking like your opponent is how you beat your opponent in the end. Right, so it's probably just the more you understand,
(27:10):
the more you know, the more that'll translate into your productive work life to build in those habits or those systems or those technologies, whatever it takes to be able to stop and catch those bad guys.
Speaker 1 (27:25):
Yeah, I think that there's sometimes kind of, the organizations lack the ability to look into these advisories with a more tactical instead of operational approach. I could even say strategic, but I think maybe that's kind of an exaggeration sometimes. But from a tactical approach, right, you were mentioning kind of the phishing pieces, and in many of these cases there are
(27:45):
attachments involved, right, and you look at the type of attachments, and then there's that question: okay, kind of, what would be the impact if we block certain types of attachments? They are very connected to some of these campaigns, right. And just by doing a quick search in your environment you see that, oh, you almost never receive that type of extension
(28:06):
in an attachment. So what would be the impact on your operation if you block it versus kind of the immediate benefit, right, of not receiving kind of those emails kind of that are related to the threat activity anymore, right? So that's a kind of a tactical step that many organizations can take by really reading through this research, that can really
(28:26):
improve their chances to resist against certain threats, that they're really missing the opportunity, some kind of basic steps of security hygiene that they can justify better if they use these types of research. Right, kind of. I remember kind of wanting to change, sometimes, settings in email systems or kind of removing privileges for certain
(28:48):
groups of users, and getting a lot of resistance, right, within the IT team or kind of the developers' team. And when you have the threat research to back up the reason, right, kind of, okay, we are doing this, we want to do this because the attackers are actually exploiting these weaknesses, that really kind of makes kind of the lives of the security team easier.
(29:08):
So kind of, when I ask, right, normally kind of about how organizations are using threat research apart from the indicators, it's really related to that type of activity, right, kind of using them as, right, kind of as the rationale and kind of the source of ideas to other changes to the environment that will be beyond just looking for the indicators.
Speaker 2 (29:31):
Absolutely, yeah, definitely. Feel free to take these and use them as either a system or practice hardening guide. You know, whether that, like you said, is through email, this can be translated into the cloud, you know, like with access tokens, those type of things, but it definitely applies to, like, any research out there. Yeah, no, the advice would be just to read and apply, you know,
(29:52):
because generally, I mean, anytime you see any cybersecurity publication, right, they're a result of something, right, and so you don't want to be the one that has that cybersecurity publication written about you. Yeah, that's true. Right, there's a victim somewhere, right?
Speaker 1 (30:10):
Exactly. Yep, and we are past 30 minutes. So now my self-imposed rule of not talking about AI in the first 30 minutes of the podcast, right. So now I am authorized to bring the word in. So will AI change how you do threat research, or is it
(30:30):
changing, or has it changed it already?
Speaker 2 (30:32):
Oh, yeah, absolutely. It absolutely already has, I think, for the sake of automation. It's been great, whether we're using it to analyze obfuscated code or get some feedback as to what a piece of malware is doing. You know, we saw these indicators. We can dump it into AI and get some ideas and output.
(30:55):
It's great at saving time. I think that's probably where we use it most. So, yeah, no, it's definitely going to shake up the industry, and it's going to on both sides, right, good and bad. But, you know, it's definitely something we haven't, like, officially baked into, like, workflows and things like that.
(31:16):
But it's baked into workflows, I guess you could say. I think it's one of those systems, that's not systems, but I guess one of those entities that's just, whatever industry you're in, you know, it's-
Speaker 1 (31:30):
You're going to start using it, right, you're going to start using it. It is a tool that is useful for many things, right? So we're going to just start naturally using it where it makes the most sense. Absolutely. That brings the other side. As you mentioned, what are we seeing in terms of threat actors using AI, and what do you think they will start doing with AI in
(31:54):
the near future?
Speaker 2 (31:56):
It's tricky because it's hard to identify. You know, if we're talking maybe malware, right, code that's generated by AI or those type of things, and, you know, we always kind of go down that route first of, like, oh, AI-generated malware, right, can be a thing, and it probably is a thing.
(32:17):
What it's going to do, I think, now, and what it's probably already doing, is allowing threat actors to be a bit more rapid in their deployments, right, or their campaigns. For instance, I mean, AI can be tricked to do evil things if you try hard enough. Whether you're going to build ransomware, perform benign
(32:43):
functions, you know, within a file that it doesn't understand what the scope of the whole product is, but it allows them to deploy quickly. You know, if they're building, say, like a RAT or something, you know, that allows remote access onto a system, you know, they're able to generate these at a much quicker rate. So how that'll shake up the industry is, right, on our
(33:04):
reaction side, like, wow, we're seeing, say, oh, pick your favorite RAT, Remcos. You know, we're seeing a lot of different new variations within Remcos or more functionality within Remcos, right, at a more increased rate, and so that by itself makes it a bit more of a concern, because we're gonna see, anytime we see rapid life cycle
(33:27):
increases with malware, that makes things either more difficult or it's more disruptive to the industry as a whole, whether you're on the antivirus side, whether you're on the SIEM side. So just that rapid production of just code in general.
Speaker 1 (33:44):
Yeah, I think speed and scale, right. I think kind of we... I think there is a lot of fantasy around, right, kind of very crazy ways that they can use AI, but in the end, right, or immediately, kind of in the short term, what does affect us mostly is the speed and scale, right.
Speaker 2 (33:59):
Exactly. So, yeah, I mean, while it's, like I mentioned earlier, it's going to allow us to be more rapid with our analysis and our, you know, just detections in general. It's going to do the same there. So I think we're just going to see this snowball of constant changes now because of it, react, reaction, those types of things. Interesting time to be in the field, right. Really is, yeah. No, it's absolutely a shakeup, but it comes with the territory. I mean, you've been in the industry long enough. The cybersecurity industry just doesn't ever really slow down anyways. So I think we're picking up speed a little bit more, but you can't get comfortable in this industry, it seems.
Speaker 1 (34:43):
Right, and you touched kind of the point that I also kind of, I like to bring up in all episodes here: as an industry, what do you think we do well? Like, we are very good in criticizing, right, and say, oh, we're not detecting fast enough, we are not covering everything that we want, etc. But I always like to ask people, what are we doing well in this space?
Speaker 2 (35:09):
I think that threat intel is fantastic. I think we are very good at gathering and then turning that threat intel into something tangible, and from what I do here, it bakes into many different aspects. Right, whether we're taking that threat intel and we're turning it into a detection that our product can now use, or we're publishing it, I think as a threat researcher, I think we're in a position where we can leverage our product first and all of our capabilities and turn all of that threat intel into things that just help everybody, whether those are our customers directly, whether that's the cybersecurity space in general, and I think that's probably what I get most out of it. So I guess you could say the production and categorization, that is probably not the right word, but what we do with that threat intel, I think, is very, very good.
Speaker 1 (36:12):
You make it actionable, right, and using it as well. That's true, right, and you know that's a very good point, because one thing that kind of some of the probably kind of the more pessimistic people in the space like to mention is kind of the amount of unknown unknowns out there. Again, kind of the famous Rumsfeld kind of quote, and it seems there's a lot of activity going on that kind of we're not even aware of, that type of activity, etc. But from your answer I would say it's probably not that much, because with the amount of visibility that we have, with all the threat researchers around the world doing such a great job, that unknown may not be as significant as some of these people think, right.
Speaker 2 (36:58):
Oh, absolutely, I think we absolutely know more than we don't know. But you know, it's the discovery of those unknowns, you know, what we do with them, I think is great, and that's, you know, as a threat researcher, I think that's what makes this job fantastic, you know, is that whole discovery aspect and then taking that discovery and turning it into something helpful and, you know, which could end up saving an industry at some point. The discovery aspect, the threat intel aspect, yeah, I think that's.
Speaker 1 (37:35):
It is what makes us keep doing it. It's cool. I think most people end up getting into this space because it's fun, and I think one thing that I really like is we keep having fun. Sometimes after you do all the fun work and you have to write a report, you may say, oh, this is not fun, but in essence, if you look at everything that you do over time, it is fun. I still really enjoy the field and I'm really happy that I've been, uh, working on this for so long. Absolutely.
Speaker 2 (38:07):
Oh, no, yeah, I, I find fun in it every day. I mean, the, the reporting, it is a lot of work, but, you know, I think, uh, sitting down, building them, building detect, you know, while there's always the administrative side of anything you do, yeah, no, it's great overall.
Speaker 1 (38:28):
Yeah, I always like to tease my friends that are working on the identity and access management space, right. Unless you work with identity, that's boring, right.
Speaker 2 (38:36):
It's very important. My auditing friends, yeah, auditors, same with my auditing friends.
Speaker 1 (38:39):
Yeah, auditors, identity, GRC, compliance, oh my. Compliance.
Speaker 2 (38:46):
There's the word.
Speaker 1 (38:47):
Yeah, it is all important. Right, it's boring, but it's important.
Speaker 2 (38:50):
Oh yeah, they like to joke about it too. They love to say things like there's a fine line between cybersecurity and compliance.
Speaker 1 (39:01):
Right. Okay, Tim, we are kind of hitting our time here. I wanted to drop just the last question for you: for someone that is just starting now and they want to do threat research, what would be your single advice for them?
Speaker 2 (39:20):
Ooh, never stop learning. I mean, it's, man, the skill sets involved, I think, are pretty broad. So understanding, programming knowledge, understanding even things like diving into, like, assembly language and things like that. I think it's basically gonna be just a matter of gathering as many skills as you can, whether you're going down official certifications, there's a lot of great ones out there, or you're self-studying. I'd say just never stop soaking up that knowledge, because that's gonna help you. Because when it comes to probably any research position, it's like you discover something and you don't know where it's going to lead, right, and what skill sets you have are kind of going to determine your success with understanding that thing you found. Better, as dynamic as you possibly can, in regards to, like, the entire cybersecurity scope as a whole, I think those are going to be great. You know, tooling is going to be a huge one. You know, play around with, like, open source frameworks, like Havoc or Sliver or things like that, understanding how bad guys get into systems and how they move laterally, you know, it's such a massive field, but it can be done. I honestly, I could tell you right now I definitely don't know everything. It's a very humbling field a lot of times, because you end up, like, Googling more than you feel comfortable doing it.
Speaker 1 (40:58):
How many tabs you have open, right.
Speaker 2 (41:01):
Absolutely. I think the other thing is to start a hack lab or a cyber range, whether that's on a single host or a server. Stand up some hosts and just go crazy. Whether you're starting down malware analysis, you know, that's kind of the only way to do it, is just getting hands-on dirty and, uh, just Google like crazy. But, you know, it can be learned and put into practice. It's just, it's, it can be a daunting field, but, you know, the reward in the end is always worth it.
Speaker 1 (41:39):
Cool, perfect, Tim. We're hitting the time limit here, so really kind of appreciate you coming to talk to us, right, about the threat research and everything you've been doing here with Securonix. Thank you for doing all this for Securonix. It really makes my life easier on the product marketing side, I should say, and I really can appreciate all that work. And for you listeners, thank you for listening to one more episode of the podcast, and stay tuned. You're going to have more very entertaining conversations in the next few episodes that are already coming out. Thank you and have a good one. Thanks, Tim. Thank you.