CyberWire Daily - Deep dive into the 2024 Incident Response Report with Unit 42's Michael "Siko" Sikorski [Threat Vector]
Episode Date: July 5, 2024

As our team is offline taking an extended break for the July 4th Independence Day holiday in the US, we thought you'd enjoy an episode from one of the N2K Network shows, Threat Vector. This episode of Threat Vector outlines a conversation between host David Moulton, Director of Thought Leadership at Palo Alto Networks Unit 42, and Michael "Siko" Sikorski, Unit 42's CTO and VP of Engineering, discussing Unit 42's 2024 Incident Response Report. They provide insights into key cyber threats and trends, including preferred attack vectors, the escalating use of AI by threat actors, software vulnerabilities, the concept of 'living off the land' attacks, and the importance of robust incident response strategies. They also address the rising trend of business disruption supply chain attacks and share recommendations for mitigating these cyber threats.

Resources: Read the 2024 Unit 42 Incident Response report. Listen to Beyond the Breach: Strategies Against Ivanti Vulnerabilities.

Join the conversation on our social media channels:
Website: https://www.paloaltonetworks.com/unit42
Threat Research: https://unit42.paloaltonetworks.com/
Facebook: https://www.facebook.com/LifeatPaloAltoNetworks/
LinkedIn: https://www.linkedin.com/company/unit42/
YouTube: @PaloAltoNetworksUnit42
Twitter: https://twitter.com/PaloAltoNtwks

About Threat Vector: Unit 42 Threat Vector is the compass in the world of cyberthreats. Hear about Unit 42's unique threat intelligence insights, new threat actor TTPs, real-world case studies, and learn how the team works together to discover these threats. Unit 42 will equip listeners with the knowledge and insight to proactively prepare and stay ahead in the ever-evolving threat landscape.

Palo Alto Networks: Palo Alto Networks enables your team to prevent successful cyberattacks with an automated approach that delivers consistent security across the cloud, network, and mobile. http://paloaltonetworks.com
Transcript
You're listening to the CyberWire Network, powered by N2K.
Do you have a favorite cybersecurity joke that you're willing to tell?
No, I don't have a lot of cybersecurity jokes.
I got to work on that.
You want to hear one?
Yeah, sure.
My son's a drummer, and I was inspired the other day to change my banking password to the hi-hat.
But the bank rejected it and said no symbols.
Oh, that's pretty bad.
Welcome to Threat Vector, where Unit 42 shares unique threat intelligence insights,
new threat actor TTPs, and real-world case studies.
Unit 42 has a global team of threat intelligence experts, incident responders,
and proactive security consultants dedicated to safeguarding our digital world.
I'm your host, David Moulton, Director of Thought Leadership for Unit 42.
This week, I want to share a conversation I've had with Michael Sikorski. Sikorski is Unit 42's CTO and VP of Engineering and Threat Intelligence.
He's an industry expert in reverse engineering and wrote the bestseller, Practical Malware Analysis, and teaches cybersecurity at Columbia University.
Siko was the first guest we had on Threat Vector, and it's great to have him back.
into the new 2024 Incident Response Report from Unit 42 and talked about emerging cyber threats and novel tactics that the team has uncovered as we worked matters with clients around the world.
Siko highlights the importance of managing vulnerabilities and shared his thoughts on
best practices to mitigate these risks. We also discussed how leveraging AI, automated responses,
and threat intelligence can bolster cybersecurity. You can read the report or download a copy from our website.
Here's our conversation.
So there were a couple of big themes that emerged from this edition of the report.
First, speed matters.
No big shock there, but we'll get into it in a second.
Software vulnerabilities still matter.
And I think that
given some of the news that we've seen recently, that's certainly the case. And then lastly,
threat actors are becoming far more sophisticated. Let's start with that first theme about speed.
In the incident response report, the speed of data exfiltration seems like it's ramping up.
The median time between compromise and exfiltration was two days in 2023, down from nine days in 2021.
And nearly half of all breaches in 2023
led to data theft in under 24 hours.
When I read that, it shocked me a bit.
What's the biggest takeaway for organizations
trying to shore up their defenses
against these quick strike attacks?
Yeah, I think it's really becoming challenging for organizations that they need to make sense of this really quickly, right?
If they're going to get data off your network and exfiltrate it in a day,
that's really fast.
I remember when I started doing incident response a long time ago,
I'd go in and the threat actor had been there for a year
and they still hadn't exfiltrated or even figured out where the thing is that they wanted to exfiltrate.
So the time before the threat actor got access to the things
they wanted just could take a really long time. But now what's happened
is people are really starting to centralize their data like never before, right?
Cloud came out, people started unifying in one place. They don't have networks
that are kind of messy from the perspective of the data is all over the place.
It's more easily accessed
across the network to the customers
and more scalable.
But in doing so, that kind of centralized everything
and made it a lot easier for attackers to
once they get access to one thing, they're able
to get out with everything they need.
And in a ransomware case, we worked
this past year,
in less than 14 hours, the attackers
gained access to the org,
exfiltrated terabytes of data,
and then deployed ransomware to 10,000
endpoints, all in 14 hours.
I mean, the amount of time you have
when you're talking about that, this is a large
customer. You've got to realize
what's happening very quickly
and realize when you need to pull the siren
and start executing and defending yourself.
And I think the fact that there's just so many alerts
and people are so buried by the amount of data
they're getting from security providers,
it's really important to start including things like AI
and automation and orchestration
to make sure that you're able to sift through the noise,
figure out what's important,
so you can respond super quickly to lock things down.
I also think it's really important to figure out
what are your crown jewels?
What are the things the attacker is going to go after, right?
Like when I look at ransomware extortion cases that we've worked,
a large amount of them,
it's all about that data that they're after, right?
Because if they can get your data, steal it,
and if they encrypt it, you're going to want it back.
If you don't have proper backups,
let's say you do have proper backups,
well, they're going to then threaten you
because they took it off the network
and they're going to say,
we're going to release this data
and you're not going to want that to happen
because your customers, your patients, your employees are going to get their information leaked,
and that's going to be a problem for your business. What are you willing to pay for that?
So what you need to do is really hyper-focus around protecting the things that matter most, right?
Because at the end of the day, everybody gets hacked. Your day, if it hasn't come yet, it will come.
It's a matter of when that day is going to come, and you need to be prepared.
Which means you also need to set up a defense on your crown jewels, the things that matter most, which is typically your data.
And so how are you protecting that?
How are you monitoring it at a level that is above and beyond anything else you're doing anywhere else?
Because that is going to enable you to know when something has gone awry.
So you mentioned AI and automation, and I'm wondering, are you noticing in our clients a difference between the haves and the have-nots when it comes to AI and automation?
Maybe those that are leveraging AI and automation having smaller impacts or much faster response times?
Absolutely. I think the organizations that are more mature and have adopted this more quickly,
instead of just dumping piles of alerts to a single place and having individuals sift through them to a point that they'll never make it through,
it's definitely running to that time and time again.
When we're doing an incident response case, we come in and a lot of the information that
would have alerted them that there was a problem is there.
So it's not necessarily like, hey, they don't have the information they need to know that
something bad was happening.
A lot of times that information's there. We're able to see it once we go in and really sift through it at a much lower level
like you would do as an incident response team, which means that they didn't have time for it,
they dismissed it thinking it wasn't that important, or they didn't stitch things together.
So that's another thing we really focus on with our technology is like, how do you stitch things
together? Like what you see on the network versus what you see on the host? Are those one and the same? You stitch them together into an instance, it's a lot easier for you to review, figure out what's really going on and make sense of it. Versus if you just see those things by themselves, you're just clicking through like, is this important or not? You know, it's harder to make sense of. So absolutely, we're seeing a big difference in sort of the haves and have-nots
when it comes to cybersecurity in general.
Let's talk about investigations where Unit 42 was involved
and we saw payment was made.
In cases investigated by Unit 42 where payment was made,
82% involved data theft
and harassment was involved in 27% of the matters.
With these realities, how should organizations cope with the evolution of data threats and harassment?
Yeah, and that's actually up from the year before.
So last year, we put out a report where that trend started, and now it's just gotten really heavy, right? Like you mentioned, 82% of the times where we see ransomware extortion happening, data theft is included.
Meaning, in the early days of ransomware, they came in, encrypted everything, and then asked you to pay for the key to get your data back.
Now, 82% of those times, they're stealing your data first before they do the encryption.
And sometimes we're not even seeing them even bother with the encryption at all.
They just steal the data and then start threatening you with what they're going to do with that data.
And if your whole business is data, which is very common, especially when we look at the top industries hit,
one of the top industries is high technology, which means data is a huge part of that.
And so they're going after these entities where data is very critically important, and they're stealing it.
And the real reason they're doing that is because people have gotten better at having backups than ever before
because they realize that, hey, I need to actually be backed up.
They need to be backed up so they can recover from a ransomware attack, of course, but it's also because they're not going to get insurance.
They're not going to get a good policy written to them if they're not proving that they can recover
from an attack of a ransomware attack. So this forced the threat actors to pivot and start saying,
well, how can I still get paid? Well, I can still get paid even if they don't pay me on encryption if I steal the data.
And then what happened is that even became a thing
where people weren't paying on.
And that's where they've started on what I describe as a dark place
where they started harassing people.
And it's gotten pretty nasty out there where harassment is up.
It's up to 27% of the time of cases.
Harassment is almost every single week.
We're seeing some sort of harassment.
This could be anything from the CEO is getting harassed directly.
We've seen spouses of C-level executives get text messages from threat actors, flowers sent to their house.
I mean, that level of harassment.
We've seen employees get harassed.
We've seen customers get harassed where they're pretending to be the company.
And we've seen people say, hey, if I'd known this harassment was going to be at this level, I would have paid a long time ago.
We even had a healthcare organization get a hit and ransomed.
And the threat actor actually reached out to the patients and said, you can pay us $3 to see what data we have and then $50 to get
it removed before this all gets leaked. While at the same time, they were asking the healthcare
entity to pay millions. So they're really stooping to a low level where they're willing to go after
schools, hospitals, and others like never before. And then that level of harassment,
like I said, year over year has gone up and we don't sense that's going to stop anytime soon.
Do you have any recommendations for how to deal with the harassment, best practices to put in place, ways to add this to your playbook?
I think it's really being prepared, right? Like taking the time to think about what happens to this data?
If it is stolen and somebody has it in their hands,
what is our playbook to deal with that?
Like, what is the value of it to us?
What happens if they leak it?
What could they do with our customer data?
What could they do with our patient data?
What could they do with our employee data?
Thinking about all those different scenarios and being ready to what to do there. And I think
another is making sure you have a good partner who knows the threat actors really well to the
point of like, I mean, I'll talk about us. It makes sense is we actually have ransomware negotiators
on staff in Unit 42 who understand what the threat actors are willing to do, and if they're going
to keep their promises, right? If they're actually going to follow through and do what they said
they're going to do. And because we are involved with them a lot of the time, they know that they
might see us again in another negotiation, and we know what to expect from them, right? We know if
they're just going to leak your data anyway. In which case, that advice, knowing that the threat actor is going to leak it anyway,
means that you can prepare when that day inevitably comes.
Obviously, it's about stalling them at that point if you know they're going to do it anyway.
And then how to make sense of it.
And one of the things we're actually able to analyze with this incident response report we're putting out
is how often do they keep their promises?
So in 68% of the time, they kept their promise, which when I saw that stat, I actually thought to myself, I thought that was pretty low. Because when we looked at it, 21% of the time, they did
not keep their promises. And meaning that even though they said they weren't going to leak the
data, they still did after the ransom was paid. And these threat actors, specifically the ransomware gangs, they have a reputation
to uphold on multiple fronts to stay in business. We saw 25 new ransomware groups emerge in 2023.
And really, for them, it's really about their reputation, and when I see multiple angles of their reputation, one is, do they pay out for access?
So somebody might hack someone,
use a vulnerability to get in.
They then take that and they sell access
to the ransomware gang who then,
you know, gets the cryptocurrency payment
and actually executes the ransomware,
everything else.
But then they got to pay that person
for the access.
How often and how properly do they pay?
That's part of the reputation. The other angle of the reputation is when someone does pay them,
how often is it over? How often is I pay that ransomware gang, they stop right there. They
don't leak. They don't do anything else with it. And those two reputation scores really do dictate which of the ransomware gangs become the most popular.
Because as soon as you stray from that, it's like, why would you do business with them again, right?
Like, if somebody starts not keeping a promise, we immediately advise our customers to not pay them.
Because what's the point if they're not going to honor the terms, right?
Absolutely. If you know somebody's not going to honor their word,
especially in a high-stakes ransomware negotiation,
why would you continue to work with them?
So let me shift a little bit.
Siko, Unit 42 found that the use of wipers
and data destroyers is up 5x year over year.
How does this feed into the evolution
of the attacker methods that you've been talking about?
Yeah, I think a lot of the wiper activity we've seen,
so when we say it, it's up across
the board. So a lot of that is seen
through the threat actors
that are more nation-state
focused. And obviously
we're dealing with a lot of
wars and
geopolitical situations around
the world to a point
that we have virtual war rooms set up for at least
three to four of them right now that are just highly active. And we're seeing nation states
really be willing to deploy them in order to cause damage and impact others' ability
to do business. A lot of this is against critical infrastructure
or things they perceive as the equivalent of critical infrastructure
and really focusing there.
We've also seen these types of technologies deployed
when people just want to remove evidence of what they did.
So if they did something to get onto a network,
got the data off the systems,
and they're not actually going to deploy ransomware.
They might just run some wipers to kind of cover their tracks.
And if they already made out with the data,
they could still use that against the organization,
but then obscure the things that they did on the network.
According to Unit 42 Research, software vulnerabilities are now the top initial access vector,
scooting ahead of compromised credentials and phishing attacks, which is really a game changer.
I'd like to hear your thoughts on what's driving this shift and how companies can stay one step ahead.
we look back, it really was that year of this steady cadence of just massive vulnerabilities
that are exploited at an unprecedented scale. I think there's a few factors leading to that. I
think these vulnerabilities, the threat actors are able to latch onto them and leverage them
very quickly. We saw the Cl0p ransomware gang jump onto the MOVEit vulnerability and expose
thousands worldwide and implement ransomware against a ton of them, becoming one of the most
prolific gangs of 2023 just off that alone. We saw a lot of external-facing products that
had zero days and organizations did not patch. We saw the Citrix vulnerability, that was huge.
We saw the Cisco vulnerability.
Confluence was another big one.
We're talking tens of thousands of devices exposed.
And then most recently, we saw Ivanti talk about four zero days in a row here
with upwards of 30,000 exposed devices to the point that the
U.S. government is saying, forget about that, just unplug it because we don't even know what's going
to come next there. So just unplug the technology and not even use it because we don't know what
more attacks could come against that. And an ability for attackers to take these vulnerabilities and scan the entire internet for them
and really have a good understanding
of what someone is vulnerable to very quickly
so that they can execute their attack as leading towards that.
So this steady cadence of just massive attacks
of externally facing technologies is a big reason why.
And some of these technologies are legacy.
So these aren't necessarily things that are new.
In the Cisco case, it was something that should have been patched
a very long time ago or not even really exposed to the internet at all.
So it's just a general inability for companies to patch these,
prioritize the patches, but to also pay attention to their actual hygiene
of what are the
things they have attached where people can get access and exploit. And that's what's really
important to continually perform an analysis of the attack surface that you have out there, right?
What is your actual footprint? What things are exposed? Are people standing things up in the
cloud that you didn't even know and exposing that to the outside world that makes you vulnerable?
Is there some old router that's still attached to the web with an admin interface that shouldn't be attached?
These types of things are really what organizations have to be hyper-focused on.
A lot of times they're like, oh, we got to move to the cloud.
And then they forget about all this stuff they have plugged in that needs to also be looked over.
So I think prioritization of the vulnerabilities, patching them, and then constantly paying attention to what is actually exposed, especially as more and more vulnerabilities get released, means that you need to very quickly get in there and patch them.
But that's the other thing is making sure you know what the attackers are going after.
So as soon as the attackers jump on
to a certain vulnerability,
you need to know about that
and make that your highest priority
because that's the biggest risk, right?
Zero days are out there no matter what you do,
but knowing that the attacker is leveraging them
and that's why you need to prioritize it
or even take it offline until you fix it.
Like those are critical things that you need to focus on.
And back to the point of vulnerabilities actually displacing phishing
for the first time in years, I think that's going to be short-lived.
I really do.
I think my prediction is that this is going to be a one-year thing.
And that's despite the Ivanti zero day happening already.
I think the reason is
because of generative AI
and the ability of
attackers, their phishing techniques are going to
get so much better
because you're not going to be broken English
and things like that slowing them down. And instead
it's going to come
up and be the number one
again next year.
So Sicko, talk to me about the best practices that you recommend to mitigate risk from software
vulnerabilities.
And then if you've got a couple of ideas on what organizations should immediately do if
they find that their software has been compromised.
Yeah, I think you just need to make sure things are patched.
I think that's been a forever problem in our industry is like, how do you actually prioritize the patches? What is
actually exposed? And I think that's where you do attack surface reduction, right? You figure out
what is your attack surface? What are the places that they might come after you on? And make sure
that you have an ability to actually, you know, figure out which ones are the ones you need to
remediate as fast as possible based on what's being exposed.
Also, you can limit your exposure.
Why do you have an admin interface to your routers exposed to the internet?
You're just waiting for some zero day to drop or something bad to happen, right?
Those should be taken down.
So realizing that those are up and out there are a big part of this, right? I think about it as
like, it's all about executing a plan, right? When we talked about, you know, the speed at which
they're able to exfiltrate data, it's like, are you ever going to eliminate all of the zero days
in all of your supply chain of everything you own? Probably not. But you could be prepared to figure out what to do,
what happens after the fact, right?
And I think that's where defense in depth comes into play, right?
Thinking about the different protections you have across the board
so that as the attacker is moving laterally,
as they're logging into systems that they shouldn't,
how are you catching them along the way
in case they do use a zero day to get in
and you didn't have a chance to prioritize it, right?
And that's where things like zero trust also come in.
It's a way to limit the damage.
If they don't have the proper permissions
to get access to something,
they're going to then have to escalate
and be able to figure out a way around.
That's another angle in which you could catch them, right?
And that goes back to the point of AI and automation and orchestration, where you're
taking all this stuff that's coming in so that you can make sense of it quickly.
And I think the last thing is, what is your incident response plan?
So we talk about the Ivanti zero days that came out.
You probably know if you got hit or not,
but what is your playbook after that?
What are the different things,
records you're going to pull?
What are the different logs you're going to pull?
What are the different things you're going to analyze?
Who are you going to talk to about it
to get their perspective
on what are they seeing in attacks
that are also going on?
We've worked numerous cases for the Ivanti zero day.
Talk to people like us who can give you advice of like,
hey, we've seen this 10 other times.
We've worked all these cases.
This is what we're seeing in those cases.
These are other things you need to look for.
And I think that's where threat intelligence
really comes into play is if you're learning
from all these different incidents that you're seeing,
you can really make sense of like, well, what does the attacker do after they exploited the zero day, right? Because
just knowing that zero day, like you might already been hit with it by the time you figured out that
it's out there. So you need a plan to at least be able to dig in and leverage your relationships
and partnerships to make sense of what actually is going on there. So I also think that, you know,
thinking about how to protect your data to the best of your ability is critically important, right? So things that are
your crown jewels, be monitoring them, overly watching them to the point that you're going to
really understand when something's not right or abnormal actually happening. So there's some ideas
that come to mind when it comes to what I recommend people
thinking about when it comes to these vulnerabilities.
Siko, the report covers various
ways that threat actors are becoming more sophisticated. And we touched on that a little
earlier as one of the major themes. And this includes the evolution of living off the land
where attackers are not just using the tools in the environment, but building their own land via cloud instances and VMs.
What do you think of these tactics?
And how can organizations best defend against them?
Yeah, I think when you start to think about living off the land attacks,
you know, going back a few years now,
was the threat actor would show up.
A real popular one last year was Volt Typhoon,
where they'd show up and they live off the land, meaning they've used tools that are native on
the system. So things like, you know, PowerShell's installed in Microsoft Windows. They can leverage
PowerShell to execute an attack rather than drop malware on a system, which they might traditionally do,
because PowerShell might be allowed to run on the system, but a piece of malware is not allowed to
run. And so they would leverage different tools that are already on the system natively to execute
their attack. And the other angle which you mentioned is sort of like setting up their own
infrastructure inside someone's environment, right?
With now the fact that the cloud has gotten so popular,
attackers are getting credentials to the cloud
and that enables them to spin up their own infrastructure,
their own VMs inside customer networks.
And essentially setting up the computer there that's running is actually inside being paid for by the person getting attacked.
So the attacker is coming in and they're saying, well, I'm just going to set up my own computer in your infrastructure and launch all my attacks for there.
And guess what? You're paying for the cloud bill on that.
So you're essentially playing a cloud bill for the attacker to attack you, which is kind of crazy to think
about. And that's where it's really important to figure out what is happening in your cloud
environments, right? Doing that discovery, doing the posture management, things that you need to
do to be able to catch when something unauthorized is happening very quickly and shutting it down and making sure it's gone.
Because people spinning up things inside your environment,
there's a cost to it, right?
Because they can also start mining for cryptocurrency
and everything else from that standpoint.
And also, these things that they're spinning up in your environment,
they might get access to systems across the network that they wouldn't otherwise have.
And most people's machines on your network, like your employee machines, are managed, right?
They have maybe an EDR product or antivirus and other things on it that are naturally logging back and reporting that things are all good.
But when they spin up these types of things in the environment,
that doesn't have any of that technology installed and can make it easier for them to fly under the radar.
It sounds like you're saying that the call is coming from inside the house.
What's your advice to listeners to deal with this level of sophistication?
I think it's all about realizing what is actually happening in your cloud environments. I think people are not doing that properly. They are not really paying attention to the cloud and implementing the level of protections in the cloud that they need to be.
of cloud incident responses that we're responding to continue to go up year over year. I think last year it was 6% of IRs we went to. Now it's already 16% of IRs. And that trend is just going
to keep going up and up as more environments and more IRs involve the cloud directly.
And I think when people are moving there, they're not really thinking through it. They're hiring,
you know, people don't often have a lot of experience with it. They don't have a ton of people who know the security they should be implementing there. There's a lot of hard-coded
credentials that are being leveraged to get into things that the attacker could then go
after. And then people are just not paying attention to the things that are the shadow IT
that's getting spun up in the cloud.
Yeah, it's getting the job done
to the employees who are spinning it up
and they're not necessarily
trying to cause damage by doing it.
But sometimes that leaves things vulnerable
because they're not patching them.
They're not monitoring those things.
They're getting spun up
and then it provides an access
for an attacker that wouldn't otherwise be there. And the same thing goes for, are you monitoring what's going
on in your cloud in case an attacker gets in there and starts spinning up things left and right?
Through all the changes in tactics, Unit 42 saw more than twice as many investigations involving
business disruption. 35% of the cases in 2023, and that's up from 16% in 2022.
Do you expect that trend is going to continue?
Absolutely.
I think that when we're seeing these extortion cases and the ability that, hey, we're going
to disrupt and take your data and then start harassing your customers, your patients, everything else.
That's very problematic, right?
And I think another thing we're seeing is they're extorting you.
We're talking about data theft extortion.
But another extortion technique that they could go after is,
well, what happens if I take down your website?
What happens if I take down your cloud environments?
Because I stole the credentials to all those things.
And how many days, how many hours it's going to take you?
And what is that actually going to be?
How costly is that going to be to your business?
And then also we're seeing like,
you know, a lot of these zero-day vulnerabilities we saw
and even patched vulnerabilities,
or, you know, n-day vulnerabilities that we've seen
where people haven't implemented the patch,
they're having to actually take systems offline.
And a lot of these are network connectivity systems, right?
VPN, software, routers, things like that, where they actually
could take those offline
to do an attack. And when you're
taking that offline, that means people can't connect to the
network, means they can't get their work done.
And that's why we're seeing those go up,
is because a combination of these
extortion techniques, a combination of
the types of vulnerabilities that we're seeing
out there being exploited.
I think you're absolutely right there, Siko. As an attacker, you want to have leverage.
And it really doesn't matter if it's a threat to share your data or to turn off work processes.
It's leverage. And I think attackers, as nasty as it is, are willing to use it.
So let's shift gears real quick and talk about AI, everyone's favorite topic.
Given the significant role AI plays in cybersecurity, and this is something that's highlighted quite
a bit in the 2024 Incident Response Report, could you share your perspective on how AI
is reshaping the landscape of cybersecurity, defense, and threat detection?
Well, I think AI has been reshaping that landscape for a very long time. I think a lot of companies like ours have been investing in AI for well over a decade. And I think it's really, you know, it's really coming into popularity because of things like ChatGPT.
And I think that'll enable people to learn things more quickly.
I mentioned attackers will leverage it to make their phishing attacks better.
But I think the AI reshaping cybersecurity defense is a journey we've
been on. And the question is, how quick can we get there? Because we really
need to move faster. Because as fast as we're going to implement AI
in our defense, the attackers are going to be using AI for their attacks.
And so we have to stay ahead of the curve. And I do think there's
some promise there. There's some light at the end of the tunnel from the perspective of, if we can use AI to find these vulnerabilities in our software as our developers are writing them, which we're starting to do, we can then patch them, and if they don't exist, then the AI on the other end isn't going to find them, right?
So I think there's really a lot of thought of, like, could AI actually cause more benefit to
offense than it can, or, sorry, to defense than it can to offense, in which case it could be really
beneficial, because at the end of the day there is time for us to fix all the problems before it goes out.
And so it's about how fast can we leverage that technology to make sense of things.
And then I think we invested a lot as a security industry, as CISOs of trying to implement these things.
We wanted all this cool technology out there.
But the problem with all the cool technologies,
it just fires tremendous amount of alerts that is just really problematic
for us to make sense of as humans.
And that's where AI really needs to come in
and clean things up.
Because, you know, we can't possibly
have a human respond to the billion alerts
that are coming in a day, right?
We need that summarized and turned into
just a few things they action and dig into
and actually try and figure out if there's something more to it.
Siko, give me some insights on why the Unit 42 team spends the time and effort to produce these types of threat reports.
It's really important to take a look at the trends of what you're seeing
across periods of time so you know how the threat actor is adapting. And one of the big things we do in Unit 42 is we don't just go around doing
incident response one after another. We actually take time to examine what happened in those
incident responses. Sometimes that goes as far as staffing a threat analyst on an incident response
so that they're sitting there side by side with the incident response team, digging in, providing support, saying, hey, we saw this threat actor,
you know, three, six months ago, whatever it might be. This is what they did, so you should look for
these things, and this is what they're known to do after that. And then also learning from
the experience. So by learning from our experiences as we do incident response over a
long period of time, we can really glean a lot of information about how the threat actors themselves
are evolving. And then when we come into the next incident response that hasn't even hit our
phone yet to call us in, it's almost like we know what to look for as soon as we come walking in the
door. And when you take it a step back even further than the lower level attacker level, you can say, what do the trends look like across all incident response?
And by doing so, you can say, well, let's take a look and figure out how are people breaking into these networks, right?
Because nowadays, we can actually take our time to do an incident response.
And during that, we could say, how did they get in?
What was the initial infection vector
that led to this intrusion?
Because of the fact that we're getting called in
so much faster than we ever were before,
we can figure out how the attacker got in.
And by looking at that across
all of the incident responses we've done,
we could say, oh, this is where we really need to focus our security.
We can use that information to find gaps in our own products,
gaps in what the customer owns and how they have their things configured.
And then we can best go into the new year
knowing what types of things to recommend to customers
based on what we've historically seen.
All right, Siko.
This has been a fascinating conversation.
What's the most important thing a listener should take away from today's conversation?
I think the most important thing
is that the fact that if vulnerabilities
have become the number one way
that they're getting into a network,
I think that's a very hard thing to combat. I think
it's a best effort. I think it's focusing on your, you know, your attack surface that's out there, but
inevitably a zero-day, by nature of it being a zero-day, there's only so much you can do.
And that's why defense in depth and making sense of all those alerts, which is really your defense in
depth, right, because you have all these point products that come together.
If you can make sense of all that noise and turn it into the one alert,
that's the really important one for you then to pivot and realize
that I need to dig in all these other places and action it in the right way,
I think is of the most importance.
And I think that comes together with AI, with threat intelligence,
and with really making sure that you're
protecting the things that matter most.
Siko, thanks for taking us through your thoughts
on the new 2024 Incident Response Report from Unit 42.
We have a link to that report in our show notes,
or you can visit the Unit 42 site.
Before we end today, I want to share some of my own thoughts. Hosting the Threat Vector podcast
means I always learn something new from our guest, and I hope you do too. For me, talking to experts
is an incredible way to learn, and today I had three big takeaways from my conversation with
Siko. My first takeaway happened when we were talking about vulnerabilities.
In this report, we noted that software vulnerabilities were the number one access point for threat actors and then recommended having a well-planned, well-practiced incident
response strategy. That second part, the IR strategy, really isn't a surprise. But for me,
the big takeaway I had was that this recommendation is great advice for anyone that needs to respond
to a security risk, podcast hosts included. As the person responsible for Threat Vector,
I didn't have a playbook for how to get an episode out when the Ivanti Vulnerabilities
Rapid Response kicked off here at Unit 42 at the beginning of February. Thankfully,
I'm surrounded by incredibly dedicated professionals here at Unit 42, and we were able to respond and put out a great episode. In fact, if you've not heard it
and are concerned about the Ivanti vulnerabilities, you should go listen to it. There's a link in our
show notes. Ingrid Parker and Sam Rubin did a fantastic job outlining the situation, the risks,
and then gave thoughtful guidance on what you should do. And as Sam pointed out, even if you're not impacted by these Ivanti vulnerabilities,
use this moment as a reason to review your playbooks.
Or as he says,
Let's use this as an opportunity to make sure that we understand our attack surface.
Let's make sure it's an opportunity to make sure we have the right prevention,
detection, and response strategies and capabilities in place.
And if you need help with that, contact Unit 42.
The next thing I took away from the conversation was Siko's prediction that vulnerabilities
being the number one access point for threat actors will be short-lived.
At first, this really surprised me, but I think he's right.
Threat actors will leverage any technology that gives them an edge.
And AI will certainly help threat actors with phishing.
As we update this report throughout the year, this will be something that we look out for.
I suspect this is a case of when, not if.
And my final takeaway was a reminder of just how relentless and adaptable and at times sophisticated threat actors can be.
The part of our conversation where Siko explains how some threat actors are using the victim's own cloud environment for their
activities really was adding insult to injury. It's frustrating to know that some victims are
paying the bill to be attacked. I know my counterparts on our threat intelligence teams
and our consulting groups are helping clients deal with these realities all the time. If you need help dealing with a sophisticated threat actor, or maybe you're like me and have
recently been reminded that you should have an incident response playbook, you should talk to
the professionals in Unit 42. I want to thank Siko again for taking us through this report and its
findings here on Threat Vector. We'll be back in two weeks with Jacqueline Wodajka
for a deep conversation on the SEC's cyber rules.
Until then, stay secure, stay vigilant.
Goodbye for now.