Risky Business - Risky Business #753 – Congress and vuln researchers maul Microsoft

Episode Date: June 19, 2024

On this week’s retreat special, the entire Risky Business team is together in a tropical paradise for the first time. The team takes a break from the infinity pool to ...discuss the week’s security news:

- Microsoft recalls Recall, but why did it have to be such a mess?
- And a Windows kernel wifi code-exec, really?
- Passkeys and identity are hard
- Scattered Spider bigwig arrested in Spain
- The pentagon runs a deeply flawed info-op
- Is it time E2E crypto nerds accept their place in the world?
- And much, much more.

This week’s show is brought to you by Corelight… Corelight’s CEO Brian Dye will be along in this week’s sponsor interview to make a really compelling case for something that shouldn’t exist… which is NDR in cloud environments.

Show notes

- Microsoft shelves Recall feature release after security uproar
- Microsoft’s Recall puts the Biden administration’s cyber credibility on the line | CyberScoop
- Microsoft’s cybersecurity vulnerabilities endanger America
- US lawmakers grill Microsoft president over China ties, hacks | Reuters
- Microsoft Refused to Fix Flaw Years Before SolarWinds Hack — ProPublica
- CVE-2024-30078 - Security Update Guide - Microsoft - Windows Wi-Fi Driver Remote Code Execution Vulnerability
- Security bug allows anyone to spoof Microsoft employee emails | TechCrunch
- Patrick Gray on X: "I was wrong about some things I said about iCloud accounts in this week’s show and I’ll tell you all exactly how I was wrong in next week’s show"
- Passkeys in Microsoft Authenticator and Entra ID
- Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake | WIRED
- MFA plays a rising role in major attacks, research finds | Cybersecurity Dive
- Luke Jennings on LinkedIn: saas-attacks/techniques/ghost_logins/description.md at main ·…
- Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested – Krebs on Security
- EXPOSED: Identities of Iranian Hackers Targeting Israel and Other Countries Revealed | Matzav.com
- Ransomware attackers quickly weaponize PHP vulnerability with 9.8 severity rating | Ars Technica
- Windows flaw may have been exploited with Black Basta ransomware before it was patched
- Crown Equipment Corporation victim of a Ransomware attack | Born's Tech and Windows World
- City governments in Michigan, New York face shutdowns after ransomware attacks
- Cleveland confirms ransomware attack as City Hall remains closed
- Authorities investigating extended ‘network outage’ at organization that runs TheBus
- Pentagon ran secret anti-vax campaign to incite fear of China vaccines
- Shashank Joshi on X: "Just finished “Information Operations”, a new book by @TathamSteve. Includes this anecdote on a British effort to stop children throwing stones at a base in Afghanistan. “LRGR was the abbreviation for the Long-Range Gonad Reducer.” https://t.co/zmoxb45Cgz"
- Dmitri Alperovitch on X: "@shashj They also allegedly hacked the email of the lieutenant leading the medical service of the 960th unit and retrieved the medical certificates of 150 officers and enlisted personnel"
- Signal president Meredith Whittaker criticizes EU attempts to tackle child abuse material

Transcript
Starting point is 00:00:00 Hi everyone and welcome to Risky Business. This is an IRL edition coming to you from our first ever Risky Business company get-together in a warm and beautiful place. My name's Patrick Gray and we're going to get into the news in just a moment with Adam Boileau and also Tom Uren and Catalin Cimpanu. They're chiming in this week too because they're here and why not? This week's show is brought to you by Corelight and Corelight's chief executive, Brian Dye, will be along in this week's sponsor interview to make a really compelling case for something that I kind of used to think shouldn't exist, which is NDR in cloud environments.
Starting point is 00:00:38 And it's funny because Adam actually heard this interview and went on the same journey as me with it, which is to be upset by how much sense Brian makes when he advocates for cloud NDR. That is a journey, that one, and it is coming up after this week's news, which starts now. And Adam, I want to start off this week by, I guess, re-examining some of the stuff we said about, you know, Apple products and the iOS release and the new, you know, macOS release last week. Because it turns out, you know, I mean, we got some stuff, I guess, a little bit wrong at the time. There was some reporting that indicated that this iPhone
Starting point is 00:01:16 screen mirroring thing might have been a cloud service it looks like it's more akin to like carplay for Mac OS, right? Yeah, that seems to be the case. We still don't have a whole bunch of specifics about how the kind of pairing and setup process works. And I think our criticisms of not really understanding Apple's ideas of a threat model was still valid. But yeah, it seems to be a little less crazy than we thought. But that's what you expect with Apple.
Starting point is 00:01:42 They do these things well. We just wanted a little more understanding. Yeah, yeah. So, I mean, I think it is a little less alarming, right, once you realise that it's, you know, yeah, it is just a pairing between that computer and the iPhone. I think, though, yeah, the thing that still stands is this question that we had for Apple,
Starting point is 00:02:01 which is, is there a security boundary between a macOS device and an iPhone in an iCloud tenant? That still stands, right? So yeah, you know, having had a bit of time to think about it more, I've got other questions, right? Which is, is there any point at which you're screen mirroring an iPhone in macOS, is there any point at which you're going to need to type in your passphrase or key or PIN into a virtual representation of that device on the screen? Or has Apple decided to block all sort of secure text entry, right? This is the stuff we don't know, which will really kind of make a big difference in the end, because it's the difference between some malware
Starting point is 00:02:41 on your macOS device being able to see your device PIN or not. Yeah, exactly. And given how important that is to many other scenarios we care about, like law enforcement, legal access to your devices, how it deals with crossing the border and all those sort of nuanced situations where we need to mentally model what the security properties of our devices and now also our iCloud means to us. So yeah, hopefully we will see more information. But yeah, the stuff is really hard to do at scale. So I'm not surprised that we have questions. Yeah, I had a really interesting chat over the last week with someone who is intimately familiar with Apple products, let's just say that, and talked through some iCloud to prevent that from happening. So you can authenticate to an iCloud account, but not get keychain info that requires you to have additional information.
Starting point is 00:03:50 But this is what makes this question about whether or not you can see that virtual entry, like, even more pertinent, right? So ultimately, all of that stuff is phishable. Some of the more interesting protections Apple has built in, things like if you try to access sensitive information like keychain stuff because you've lost all of your devices, Apple will only enable that process if none of your previous devices have connected at all over 30 days. So that's a really interesting protection. So I think they've gone about as far as they can to protect this sort of information from being accessed by attackers. However, this is still a phishable process if you are able to obtain a PIN or password for a device or a computer that has access to the keychain, right? Yeah, like, it's a complicated ecosystem and there's quite a lot of moving parts in here. And, you know, even things like, you know, I've got a HomePod, it's joined to my iCloud. What does that mean in terms of credential sharing, in terms of access? Like, does physical access to my HomePod, which is like a glorified Apple TV
Starting point is 00:04:56 underneath, like, what does that mean? So, you know, there are just a lot of questions and it is really complicated. And by and large, Apple, you know, someone was contrasting on social media the amount of trust we were willing to give Apple, in like good faith, probably doing a good job, versus literally anyone else. Probably the other exception there is Google. I think really the technology company that we're contrasting this with is Microsoft. Well, there's Microsoft and there's Meta as well, which has a terrible track record for this sort of thing. You know, you just look at their Instagram reset flows and stuff and it's a nightmare. Yeah, and also, like, with Google it varies by product team. You know, like, some teams are really
Starting point is 00:05:33 good and some teams are, you know, under so much pressure to ship you stuff that is a bit YOLO, or it takes a while. But, you know, we were willing to give Apple the benefit of the doubt, and I think, you know, the extra stuff that you've learned over the last couple of weeks justifies that choice a bit. Like they do think about this stuff. They do spend the money to engineer it right. But that doesn't mean they're always going to be perfect. Well, there's always going to be trade-offs when you're operating at scale, right? And I think the fact that, you know, having spoken to this person, they're like, well, here are all the protections.
Starting point is 00:06:01 And I'm like, okay, but you can still phish that stuff. Yes. Right? So ultimately, when you're using... and this connects back to the passkey conversation that I had with the Yubico COO last week. And someone wrote in and said... a couple of things to address there, because the COO of Yubico said, well, currently you can't use passkeys that aren't, like, iCloud or Google passkeys. And then someone wrote in and said, well, actually, Microsoft Authenticator supports passkeys now. And that's true in that that's a feature in preview,
Starting point is 00:06:29 but they're not syncable currently, right? So they haven't addressed that whole sync fabric issue. And is that going to sync, like, are they going to sync the passkeys through some sort of Microsoft service or is that integrated with iCloud? So I don't really know. So I don't think Microsoft passkeys are necessarily there yet. But you know, this is a
Starting point is 00:06:50 much bigger conversation about iCloud accounts, access to root of trust when it comes to keychain information, which now includes things like passkeys, and whether or not enterprises should trust that so-called sync fabric for, yeah, root of trust information into consumer accounts. I don't know. So I think, you know, basically last week, I think we were a little bit sloppy on the details, let's put it that way. But I think fundamentally, yeah, all the concerns remain, they're just a little bit less scary. Yeah, I think you're right. And it'll be interesting to see how Microsoft deals with this in the Entra ID world
Starting point is 00:07:28 because introducing passkeys that store an authenticator, there is a bunch of interesting trade-offs to be made there as well. And what are the default reset policies for that? And is that even configurable within Entra? And I've got so many questions. I looked at some videos of how Microsoft has implemented passkeys on like iPhone and through Authenticator.
Starting point is 00:07:50 It actually looks really, really good and definitely better than what people are using now. Like you can use your device-bound passkey to log in via your browser and, you know, all of that good stuff. And it's a pretty straightforward enrollment process and stuff. But again, when I started hitting Google, and you were sitting next to me when I was doing this, I started hitting Google with a bunch of questions that I just couldn't answer, right? And that's, you know, I'm like, well, how are they doing sync? Is it on the roadmap? How does this work? Like, how does it interact with the underlying device? Like, it's almost like identity and authentication, and doing so in a giant planet-scale distributed system, is a hard problem. Yeah, and one that, you know, we don't have all the answers
Starting point is 00:08:31 for. We, the industry, full stop, don't have great answers for, and we're still learning. But still better than passwords, right? It's better than password123 on the internet, single factor. Yeah. Well, I just think for passkeys to be an acceptable thing to be used in enterprise, you need to be able to set the reset flows yourself. Yes. That's the one thing, right? And I just don't think it's entirely clear from what we've seen out of Microsoft.
Starting point is 00:08:54 Anyway, let's move on because we've got a whole bunch of stuff to talk about this week. And thanks to everyone who yelled at us over our sloppiness last week on all of that. We appreciate it. We appreciate a good yelling. Yeah, we do. We do.
Starting point is 00:09:07 So I can't believe we're talking about it still. I know. I know. Last week we spoke about how Microsoft had decided to turn Recall off by default in Windows 11, and we thought that would be the end of it and we would never have to talk about it again. They have since binned it by the looks of things entirely. Well,
Starting point is 00:09:25 at least they've postponed it. There is not going to be any Recall anytime soon. Yes, I guess they have recalled Recall, is the obvious joke. But they've basically said that it's going to go into preview for a while for nox majors off, and if you want to try it you can, but they are not going to just turn it on by default for the entire planet and let all of the hackers in the world use it as a built-in keylogger forever. So I guess thanks, Microsoft. I'm not sure if thanks, to be honest. Yes, so kicked down, relegated to being a preview feature. So yes, farewell, Recall.
Starting point is 00:10:00 We hardly knew ye. Funnily enough, right? So the really interesting thing about the latest moves with Recall is this whole thing's actually gone political. I'm looking at two stories here. There's one from Gavin Wilde, who has written a criticism of the Biden administration for being mute on the issue of Recall. He writes that they've made a big song and dance about secure by design and all of this. And then when this whole process was playing out of people criticising Microsoft over Recall, there was not really a word
Starting point is 00:10:30 at all from the US government, which does actually seem a little bit weird. And then we've got an opinion piece here that appeared in The Hill from a former national security advisor to Trump, Robert C. O'Brien. Again, just really laying into Microsoft over this. It also featured prominently in Microsoft President Brad Smith's testimony to Congress, where they were just grilling him over this stuff, like over Recall in particular.
Starting point is 00:11:01 So this whole thing has got super political. Did that surprise you? I mean, it did seem pretty on the nose for Microsoft to be talking about, you know, how important security was for them and in the same breath be releasing Recall when, you know, you would have hoped that they would have joined the dots,
Starting point is 00:11:20 that maybe these two things needed some care or coordination or a little bit of something, just to make it not quite so rude, uh, that, you know, Recall was... maybe they didn't expect Recall to get so much bad press, but it was just, you know, the optics were terrible and you would have expected them to have thought of that. And the fact they didn't... well, and the fact that this wasn't something that just slipped in under the radar, Satya Nadella was the one talking up the feature, right? So it did seem a little bit, yeah, tone deaf. I think that was something we called, uh, pretty early on. Meanwhile, ProPublica, uh, published a huge feature, uh, just on the eve of that testimony, which was basically
Starting point is 00:11:59 it's a strange story because it's basically a hit job on ADFS saying ADFS is bad. And they've got some former Microsoft guy who worked on ADFS who's saying, yes, ADFS is bad. And I told everyone at Microsoft that ADFS is bad. And they still released ADFS and wouldn't listen to me. And his solution for ADFS was that people would have to log in twice. To which you and I both said, well, that's... ADFS is, like, the only reason it exists is so that you don't have to log in twice. So you don't have to log in twice, yes. The whole thing is a really weird piece. Yeah, you had the same reaction, right?
Starting point is 00:12:32 Yeah, like it's a very strange piece and it has, like, it definitely feels like it's written for a mass market audience, so it obviously needs to cut some corners in terms of technical specifics, etc. But it just smells a bit, like it smells like one guy being a little bit salty about a thing that happened to him in his previous job, when he worked at Microsoft and, you know, kind of got a bit poo-pooed when he pointed out that if you have domain admin, you can forge tokens for onward access into the cloud because of the way
Starting point is 00:13:02 that it's designed to work. And MSRC said, like, look, this is not a security boundary, which, you know, MSRC says that a lot to a lot of things, and I'm sure they do that because they have to manage the absolute worst stuff and they ain't got time for things that are, you know, if you've got domain admin then, because if you've got domain admin, you already won. And I can understand their reticence there.
Starting point is 00:13:27 But overall, this piece was just a bit weird and rather breathless. And that, I don't think, was a particularly helpful process. Well, I mean, the headline is Microsoft chose profit over security and left US government vulnerable to Russian hack. I mean, which is true.
Starting point is 00:13:44 But not for these reasons. But not because ADFS. It's true because Microsoft, not specifically ADFS. And if you went to go criticize design choices in the Microsoft on-prem auth ecosystem, like there are so many things you could write this story about other than how Active Directory Federation services work. I mean, fundamentally, I mean,
Starting point is 00:14:03 you and I were having this conversation since we've been here. And, you know, if you're going to do something like ADFS, there really is only one way, and that's the way that they did it. Now, perhaps people aren't necessarily aware of how critical their security, like, depends on the integrity of their ADFS box. Yes.
Starting point is 00:14:22 And maybe herein lies the problem, where you're going to have some key mat on that box, which if someone gets it, then it's party time, right? Yeah, exactly. But that's also true of Active Directory certificate services, for example, or domain controllers themselves or backup processes or, you know, there's a bunch of, you know,
Starting point is 00:14:41 other areas of Windows permissions and in enterprise environments that, you know, if you don't understand the fishhooks that are in there, you're going to end up with a hook in your mouth. And there's just a lot of them. And this is one of so very many that, you know, didn't really seem worth a whole hit piece over to me. Yeah, yeah.
Starting point is 00:14:58 Now, look, all of this might go some way to explaining why we have in front of us now CVE-2024-30078, which looks to be a really serious vulnerability, but we don't really... and it's a Windows Wi-Fi driver remote code execution vulnerability, right? Which is, I mean, that's not a happy arrangement of words. No, it's really not, like, let's put it that way. Yeah, being near a Windows box and getting remote code exec, that's not a combination that you want, right? And it's not as bad as every Windows box on the internet you can get remote code exec on, but yeah, it's near not great. Extremely, extremely not great, uh, we would say. Now, what is interesting about this is there is
Starting point is 00:15:45 very little detail about this bug anywhere. And you look at Microsoft's write-up of this. I mean, of course, there's no data in NVD. I nearly included the NVD link just because it's like hilarious lack of detail. It's basically the CVE and that's it. But you look through Microsoft's write-up here and they are playing this one really close to their chest. Now, could it be that mitigations make this really impractical to exploit and that's why they've minimized it or not really bothered explaining it? Sure, that's possible. That said, it has a CVSS of what, 8.8?
Starting point is 00:16:19 8.8. And the difference between 10 and 8.8 in this case is you have to be nearby in radio range. Yeah. You know, that is a mitigation. That is a limiting factor, I guess. Well, hang on. The point that I'm getting at here is do you think it's possible that the reason Microsoft is being so cagey about this one is because they've been getting blowtorched all week by the US government?
Starting point is 00:16:43 And this timing would just be terrible for them. I mean, certainly if I were Microsoft PR, I would want this one to be a Friday afternoon, you know, end of the day, you know, let's not talk about this kind of release that would be very nice for it to go under the radar. So here we are helping them out. Meanwhile, there's fake PoCs everywhere on social media.
Starting point is 00:17:04 Catalin was showing us, like, just this. Yeah, there's just all these fake GitHubs. I'm sure they will not shell your box if you try to compile and run them whatsoever. Totally safe. But I just wonder if we're going to be back talking about this one next week and it's a pretty catastrophic bug. I've got no idea.
Starting point is 00:17:22 But, you know, and I don't know enough about Windows internals to know how effectively you can apply mitigations to things like hardware drivers. I mean, you'd know more about that than me. Yeah, I mean, there is some exploit mitigation tech in the kernel, right? If we're talking bugs in drivers, right, there are exploit mitigation things in modern Windows. And Microsoft says this one affects all Windowses. You know, we don't know how far back that means, because there can be old versions of Windows kicking around that don't have that sort of thing. But there are things like
Starting point is 00:17:50 kernel ASLR and stuff that can make, say, mem corruption difficult. But it might not even be mem corruption. Who knows what it is. Exactly right. It's a CVSS 8.8. Yeah, could be anything. Microsoft said, like, exploit code maturity unproven,
Starting point is 00:18:05 which doesn't fill me with confidence. Because, you know, yeah. Yeah, I mean, you go through some of these, like the score metrics, like attack vector adjacent, attack complexity low, privileges required none, user interaction none, scope unchanged. Well, that's because you're probably already in kernel, so it's not like a local...
Starting point is 00:18:25 Yeah, it's not a pretty risk. Yeah, confidentiality high, integrity high, availability high. Yeah, so it doesn't make us feel real good. No. Uh, and meanwhile, uh, we got a write-up here on TechCrunch from Lorenzo Franceschi-Bicchierai which is talking about some sort of bug that allows people to spoof emails from Microsoft employees. Uh, also not a great headline to have when you've been put on blast by the US Congress. No, not exactly. And, uh, this one, it was a little bit unclear, because obviously we've seen a lot of people who would, you know, bug bounty report, oh my God, you don't have, you know, SPF or DKIM or something. And this does not appear to be one of those. This appears to be some kind of, like, maybe like display spoofing bug or something, because it only appears to impact, uh, actually it wasn't clear. It's like desktop Outlook
Starting point is 00:19:16 or web Outlook or both or whatever. But yeah, not a great look given the blowtorching that they are getting at the moment, and MSRC saying we can't reproduce it when they get a video from the guy who found it, that he posted on Twitter after he got frustrated by MSRC's response. Like, that once again, kind of, you know, understandable, because I know how much pressure MSRC people are under. But, you know... Well, that seems to happen a bit. Like, I follow a researcher named, uh, Chompie, and she was saying something very similar, which is just recounting a conversation with MSRC, saying, here's the exploit code, here's a video of me doing it,
Starting point is 00:19:52 and they're just like, not exploitable, derpa, derpa, derpa. Yeah, I mean, I think everybody who is in the bug writing game knows people who've had that experience with MSRC, and that's a resourcing problem. If Microsoft wants to take it seriously, they need to go bump the number of people in MSRC who can triage these things, pay them well, resource them how they need,
Starting point is 00:20:11 give them support from the other product teams because... Well, I think they're busy. They're all busy now, right? Because of everything that's going on. But there's always been resource constraints in MSRC, right? Like we've heard that. But you would think, you know, the one that really surprised me
Starting point is 00:20:26 about the Chompie one is this is someone who's very well known. Yes. You know, and you would expect that when someone like that reports something, you're going to take it seriously. You would expect, but I mean, you know, in the end, proof's in the pudding. If Microsoft says that we take your privacy and security very seriously, then they better pony up the cash.
Starting point is 00:20:46 Ka-ching-a-ling. All right, let's move on to this piece from Wired by Kim Zetter, where we've got what looks to be a little bit more information on how all of these Snowflake accounts wound up getting scraped. She's done some excellent work here chatting to ShinyHunters, the group that has been doing all this stuff, and they've claimed that they kind of hit the jackpot by the looks of things by getting an infostealer onto some box in Ukraine. It was a Ukrainian worker for a company based out of
Starting point is 00:21:18 Belarus that happens to do a lot of Snowflake work, right? So they just had, like, a mega dump of creds on this box, and it looks like that might have been a source for the lion's share of creds that wound up being used in this, you know, Snowflake mass scrape. Yes, they seem to be some kind of, like, business process outsourcer or similar kind of thing that has a bunch of expertise in Snowflake. And this group found some creds from an infostealer, got on the box, and then were able to figure out how to use that to access Snowflake stuff. And then you kind of get the feeling that after they figured that out, they then went back and looked at other places they could buy Snowflake credentials
Starting point is 00:21:54 to reproduce the same process against other accounts, you know, other people. So that kind of made the scale of it beyond just this particular firm. The story's quite funny, though, because Kim Zetter talks to the company and says, you know, like, what's going on? And they're like, we don't think we're involved in this, this is between Snowflake and their customers. And then Kim's like, uh, what about this guy, you know, with this credential, who works for you in this place, who has access to Ticketmaster? Do you think maybe... And they're like, no, we have nothing further to say. I don't think they even replied to that one. So yeah, they're having, I'm guessing they're having an interesting, uh, couple of days. Yeah, but this cuts against that earlier theory that a lot of these were sort of trial slash
Starting point is 00:22:40 demo accounts. And it really makes you wonder what on earth Snowflake was doing. It makes you wonder what on earth the customers were thinking allowing them to do that. It makes you wonder what the outsourcer was thinking doing this. Like, what this whole industry... oh my God. Yeah, so, so I, you know, there's still going to be lessons to learn here. Yeah, absolutely there is. And I think, you know, that kind of distribution of responsibility, like, between someone like Snowflake that provides software as a service, third parties that use it on behalf of customers... in the end, Snowflake is wearing brand damage, right? And they would have said, well, this is kind of up to customers, this is up to their providers, and so on and so forth. But in the end, you can only outsource blame so much. Yeah, and you
Starting point is 00:23:21 know, when we look at, like, Mandiant wrote up a bunch of TTPs that you can go to hunt in your Snowflake logs for, and it makes you wonder how come Snowflake didn't spot the scale of the scraping, of weird clients accessing data, weird software applications accessing the data in ways that was unusual, etc. There's culpability all around here. And in the end,
Starting point is 00:23:42 if you are a place that data can be stolen from, you have some obligation, you know, regardless of what the contractual language says. I'm going to go ahead, too, and agree with the identity folks, uh, who are using the slogan "identity is the new perimeter", because it does keep getting borne out, right, by attacks like these. You know, I mean, I think to a degree, for large enterprise with good budgets, like, RCE on endpoints in a well-protected enterprise is not really something that they're getting all that much trouble from these days.
Starting point is 00:24:17 I mean, you know, there's... It's not great. It's not great. But compared to having everything on the internet, single factor, with identities that you can get from infostealers, you know, there's a known science to locking down a Windows network, I guess is what I'm getting at. You can do it. Doesn't mean... yeah, and it doesn't mean everyone's doing it. But I think, I've got a LinkedIn post, uh, it is, you know, disclaimer, it is from one of the
Starting point is 00:24:40 companies I advise, which is, um, Push Security. Luke Jennings wrote a post just talking about, in the case of Snowflake, how you can set up Snowflake to be SSO, but that doesn't automatically seal off, like, username and password accounts into the same Snowflake instance, right? And that's the case for a lot of SaaS. And there's no really effective way, currently effective and established way to deal with that problem. And that's sort of what they're building their company to kind of address, right?
Starting point is 00:25:11 But they're a startup, right? Like why don't we have a standard sort of toolkit to go out and deal with this? Now, I guess that's the thing, the solutions always arrive after the problem, right? Well, exactly. And even understanding that that's an issue, like what's the expected behavior
Starting point is 00:25:28 in a particular cloud service after you turn on SSO? Does it mean local accounts stop working? Like often the fallback process, if your SSO breaks, you'd have to log in with a non-SSO account. The break glass provision, right? And why not MFA that? Yes, yeah, exactly, right? So this stuff is complicated.
Starting point is 00:25:47 And for all of the bad things that you would say about Active Directory, at least it was one solution that we all understood. It was terrible and had all sorts of fishhooks in it, but at least we understood the basic process. When you're dealing with software as a service, you don't really know how it's implemented. You don't know what the backend looks like. So you don't have that kind
Starting point is 00:26:06 of visibility. And so for things like this, which are security critical, but it's just kind of hand wavy, like maybe a support forum article, maybe a knowledge base thing will explain it, but mostly you have to go try it. And then the answer may not stay stable for years because they're always DevOps-ing their way to, you know, to the future. So yeah, it's hard. Well, and just to tie this back to the passkeys conversation, we've got a report here from Cybersecurity Dive. They've taken a look at a Cisco Talos report that has found that, you know, a massive percentage of high profile breaches these days, like, MFA has been bypassed, right? So that's either push floods or, you know, OTP phishing. This is just workaday now. It is for attackers. So we, you know, and people have
Starting point is 00:26:52 only just implemented that stuff, and some of them haven't even done that, right? So it took us years to get MFA on the table as a thing people would do. Yeah. And now we're like, no, you can't have SMS MFA anymore, you have to use passkeys, and people are like, what's a passkey? And then you're like, no, you need to use device-bound passkeys, not syncable ones. And, well, you can use struggling and use syncable ones. And Microsoft, you know, for example, Microsoft are absolutely going to go to some sort of syncable passkey. But that's why I keep banging on about how we need to really demand a good solution to that syncing issue, otherwise we're kind of right back where we started.
Starting point is 00:27:26 So I'm spending a lot of time thinking about, you know, auth, SSO, identity. Like, I think it's where a lot of the interesting stuff is at the moment. Yeah, well, exactly. As you say, like, the perimeter is not really the thing anymore. We don't care about network controls. We don't care about NDR, except now that apparently we have to have it in our cloud
Starting point is 00:27:41 because it turns out there's some good reasons, which is dumb. You'll hear about that later. But yeah, this industry is hard and it's complicated. And passwords were terrible and now passkeys will be terrible and new in different ways that we haven't yet discovered. What fun. Now, when I think of, again, tying it back to identity,
Starting point is 00:28:00 Scattered Spider were a great example of a modern hacker crew, right? Like, when I think about what our TTPs are going to look like, generally, five years from now, it's going to be like the stuff they've done, right? Which is why I think that CSRB report into Lapsus$, the reason I kept saying to the audience, like, you've got to go read this, is because this is the direction attackers are kind of moving in, right? But the reason we're talking about that now is the alleged boss of Scattered Spider has been arrested in Spain
Starting point is 00:28:34 and is in all sorts of trouble. And this story by Brian Krebs is really interesting and, you know, he put the interesting part at the end, I think, which is the reason this guy was in Spain. He's English. It's that he'd been home invaded by people who'd, like, you know, bailed up his mom. And I think they were beating him with a lead pipe kind of thing and trying to get his, you know, crypto wallets and passphrases and stuff like that, which is why he, like, literally fled the country. So that's another feature that's kind of new with these Scattered Spider, Lapsus$, the Com,
Starting point is 00:29:09 is this spillover into real-world physical violence where people are kind of getting kidnapped for their crypto. But it is good to see an arrest here. Yeah, it is nice to see an arrest. And we've seen a lot of people criticise the FBI and law enforcement generally about the relatively slow response, despite the OPSEC of these people not being super great. I mean, this guy's name was Tyler. Yes. So his alias is Tyler, and also alternatively Tyler B, and his name is actually Tyler Buchanan. Yeah. So it's like
Starting point is 00:29:37 me going off, you know, being a hacker like Overlord, calling myself Patrick G as my super secret pseudonym, you know. Yeah. So, you know, it makes sense that they are going to face some justice at some point. But, like, this kid was 22. I guess he'd been doing it for a while. Yeah, he started when he was a minor, for sure. Yeah. And I think, you know, like, teenagers are not super great at risk management, not super great at OPSEC, clearly, as well. But the fact that you can go from, you know, a punk kid making poor choices to being arrested, leading a, you know, being involved with a, you know, major nasty crime ring like this, like, it's a horrible journey. But at the same time, plenty of us hacker kids that grew up and didn't end up doing horrific... People say that. Yeah, exactly. People say, oh, you
Starting point is 00:30:23 know, they were just kids. And it's like, well, what were you doing when you were a teenage hacker? Yeah, and it wasn't this. No, it was not. Right. I mean, I feel like I looked at the crime options, went, that looks like fun, but I don't know how to do it safely, so I won't. Yeah, yeah. I think poor judgment is poor judgment, and we need to realize that these people have agency. They do. And they have made these decisions. And, you know, you buy the ticket, you take the ride. Yes. And, like, the FBI wants him. He may end up, you know, in the US criminal justice system.
Starting point is 00:30:56 And that's not a fun place to be. No, I imagine it's not. But buy the ticket, take the ride. Funnily enough, something you said to me yesterday when I realised I may have accidentally drunk a glass of tap water here, which is an extremely not good idea. So it's going to be a ride. Well, let's see, let's see. I don't even know if I did it, but, uh, yeah, suitably nervous. Now we're going to have a chat with the man sitting to your left, Mr. Catalin Cimpanu. He writes the Risky Business News newsletter and works up the
Starting point is 00:31:25 scripts for our three times weekly news bulletins. And yeah, we're all very surprised when it turned out that Catalin is real and he actually turned up here and he's one person. And mate, the thing I want to talk to you about today is this story that you've picked out for us, which is about the MuddyWater crew basically getting doxxed. Is this a big deal? I mean, we see doxxing now is just becoming such a standard thing between government operators, ransomware crews, criminals, like it just, 2024 is the year of doxxing, but will this have any impact on anything? Impact, no. I just thought it was a super interesting story because the report that doxxed them practically disappeared after two days
Starting point is 00:32:05 and it was only covered by Israeli media. So my first reaction was, was this an oopsie on Iran International? Did someone hack their website, planted the story just to out the names of... So where was the initial report published? The initial report was published by Iran International, which is a news outlet run out of London by the Iranian opposition. So it's not a big media conglomerate that has super security. So their website looks shoddy when you look at it. Yeah, right. And the original report had also a YouTube video with it.
Starting point is 00:32:43 It was recorded by the same announcers that usually record their videos. And then I remember, I covered this before, like this is not the first time that Iran International doxes one of the Iranian hacker groups. Like this report basically links those three people to the DarkBit ransomware group and the MuddyWater APT and says, hey, look, they're working from the same building on the same street. These three basically act as intermediaries between the groups and the Iranian government,
Starting point is 00:33:17 specifically MOIS. That information was not new because Microsoft already linked that APT to the MOIS. But what's new here is actually being able to put names on it. Yeah, the fact that they put names on it. And previously, a few months ago, Iran International also linked the Black Shadow. I wouldn't call them a ransomware group, more of a data wiper group that was attacking Israel.
Starting point is 00:33:42 Also linked them to another three more people running Iranian IT company. They also work for the MOIS. So in both stories, they claim they had sources from the inside. So if you're working in the APT field, that's probably a website you want to follow. Yeah, no, interesting one. Thank you for that. Back to Adam now.
Starting point is 00:34:06 I'm going to accelerate through the next couple because we're a bit short on time. Yet another one from Dan Goodin at Ars, which is last week we spoke about that PHP vuln with a 9.8 severity rating that only affected, like, non-English instances of PHP via CGI on Windows, and it's getting ransomware'd. So I don't know, I
Starting point is 00:34:30 mean, those sort of boxes don't sound like they're going to be particularly high value targets, but you never know. They might hit something worth paying to recover. Yeah. So this was most widespread, it turns out, in, like, a developer-focused Windows LAMP stack, so like Apache, MySQL, PHP and Perl on Windows developer environments. And there was an open source project from like 2002 that ships a vulnerable Windows PHP stack, and that's quite popular in China. And so that seems to be where we are seeing the ransomware crews have success, because the number of vulnerable boxes is dropping precipitously as ransomware crews destroy them. Yes. So cleansing fire. Cleansing fire, exactly. So yeah, pretty niche bug overall, well, these configurations overall, but just it was a super
Starting point is 00:35:18 interesting bug. Yeah. Daryna and Nick over at the Record have reported that Black Basta, the ransomware crew, may have been using a Windows privesc as a 0-day, like, before it was patched. Which would be, I don't know that we've seen this really happen. We've seen ransomware crews using very recent bugs, maybe even some 0-day in stuff like file transfer appliances in the case of data extortion attempts. But yeah, this is the first time I can think of, like, a ransomware crew using a, you know, legit 0-day privesc in Windows. That's a bit concerning. Yeah, it doesn't happen super frequently. But also, like, Windows local privescs are still pretty common. And this was, like, the Windows Error Reporter had poor registry permissions and you could modify its registry and use that to privesc. So it wasn't a complicated bug, but yeah. I mean, seeing these used in the wild is always interesting,
Starting point is 00:36:12 regardless of who's using them. Yeah, and meanwhile, we've got some high-profile ransomware attacks that we'll just mention. Crown, the forklift company, which I always remember the ads from when I was a kid. You remember the ads? Yes. There's nothing like a Crown for lifting it up and putting it down.
Starting point is 00:36:25 Putting it down. There you go. Yeah, so Crown, apparently, like, they've paused manufacturing and, like, they're in hell with ransomware. So that's a pretty serious one. John Greig over at The Record reports that there's been attacks against local governments in Michigan and New York. So there have been shutdowns there.
Starting point is 00:36:44 Not sure if that's, you know, they've pulled the pin to stop an attack propagating or if they've been properly rinsed. Cleveland as well having some issues. And there's a bus network in Honolulu also having some trouble. So, yeah, ransomware, ransomware, ransomware as usual. And now, Adam, it's actually time we're going to have a chat to our colleague, Tom Uren, who is also here with us in the warm and sunny place as part of the Risky Biz first ever, what are we calling this? BizFest, I thought. It's the first ever BizFest. And there's a couple of stories here where you're really suited to talking about them. Reuters has published a bombshell report just the other day about how the Pentagon actually ran a disinformation operation in Southeast Asia trying to convince people not to take the Chinese Sinovac vaccine, which is, I mean, is there another word for it except for horrifying?
Starting point is 00:37:50 The word that came to mind when I read this was just, this is so stupid. And I guess the problem for democracies with information operations is you're really undermining the fabric of what people believe. And so you've got rules to keep them outside the domestic population, but you really want to achieve some sort of effect and you want to limit the collateral damage. And this one, the effect seems to have been, let's just stick it in the eye of China, which is like, what are you trying to achieve? Yeah. Well, I mean, it was under the Trump presidency and just sticking China in the eye seems like something that would be, you know, the end unto itself, under Trump. Yeah. And I think there is a part of the story where Trump did that very effectively by talking about the China virus. So his mouthpiece is so much more effective than, you know, a small army. And I think it was 300 accounts on Twitter.
Starting point is 00:38:46 And they did point out too, that he only started calling it the China virus after China started accusing the US and saying, Oh, COVID came from the US. Right. And it was a US service member. So that's when he's like, okay, it's just the China virus now. And I, you know, I mean, a lot of people's claimed that that was terribly racist and whatever, but I mean, I look back on that now and I think, well, I mean, well played. Yeah. Yeah.
Starting point is 00:39:08 That's kind of what I felt at the time. I remember thinking when Trump said it, this is just so stupid. Like that's not what it should be about. But in the context of Chinese operations claiming that the virus had come from a US service member and that there were secret US labs creating COVID-19. That, to me, is a much more effective response than some information operation in the Philippines. And the story goes into the potential for very bad collateral damage in the sense that it could undermine support
Starting point is 00:39:43 for inoculation in vaccines in general. Whereas in the middle of a global pandemic, you want people to take vaccines. Now, Sinovac wasn't the best vaccine, but it was a vaccine. It was fine. If that's the only one you should take, you should take it. Now, it's not clear at all that the campaign actually made much difference. Typically, these campaigns don't. And it's really the whole ecosystem of, it's not the social media part, it's the fact that the Chinese foreign ministry repeated those claims that makes it have any impact. And that's why I think... We've seen this, yeah. We've seen this before where you feed out some, you know,
Starting point is 00:40:24 misinformation or disinformation out to a bunch of fake news websites and then that allows state officials to cite those sources basically. Yeah, yeah. And so that's why I think Trump talking about the China virus, if that's a strategy you're going to pursue, that's the big Trump, well, literally Trump card that you can play to get worldwide recognition or get that message through. Remarkably effective. Unlike this campaign that we're talking about, because it looks like they tally it up and they say it reached accounts with tens of thousands of followers.
Starting point is 00:40:59 I mean, I have an account with tens of thousands of followers, right? So I think the saving grace here is that it didn't really work that well. But what they were trying to do here was really disgusting. And the messaging that they were using in this campaign was trying to convince Muslims in Southeast Asia not to trust this vaccine and not to use it because it was haram, because it had apparently, you know, pork products or something where, you know, pig cells or something were used in the manufacture of the vaccine, which I think China wound up saying wasn't true. And a whole bunch of imams said that doesn't matter anyway. That's not how this works. But yeah, amazingly ham-fisted and evil and terrible OPSEC as well, which is why there's a huge Reuters feature. General Dynamics were involved in this and apparently, like, identifying, spotting and pulling apart this campaign was really easy. In fact,
Starting point is 00:41:50 Meta, Facebook detected this really quickly, went to them and told them to knock it off and they said, please don't nuke out those accounts because we use them for other things too. So it looks like they stopped on Meta, but kept going on like Twitter. Yeah, I think there's a couple elements here that result in the Reuters piece and one of them is that I just suspect a lot of people thought this is just a terrible idea. And so once there's a bit of distance, they feel like maybe even compelled to talk about it so that people learn the lesson.
Starting point is 00:42:20 What they achieved, the point is totally unclear except for just, you know, getting one back and the negative side effects vastly outweigh whatever you would have achieved. Yeah. I mean, we spoke about this the other day just here and, you know, it's really hard to see the upside here, right? Like, whereas the down, the downsides are limitless, right? So, and that's the thing, like thing. They would not have moved the needle at all. And now there is a story that people in the international community can point to as an example of America being, you know, really shit. Yep, duplicitous. The Chinese Ministry of Foreign Affairs have picked up on it
Starting point is 00:42:58 and said that the US always manipulates the media. Yeah, yeah. Didn't think that one through. Now, let's contrast that with a... So, Shashank Joshi, who's a reporter at The Economist, he's been reading a book called Information Operations, which is by someone called Steve Tatham, I think. And, you know, here is an example of a great PSYOP
Starting point is 00:43:22 that the British military pulled off in Afghanistan. Tell us about this because it's absolutely hilarious. Yeah, so the problem the British military had is that all sorts of people would throw rocks at their bases. And they were concerned that kids who were throwing rocks, one of them would eventually get shot because how do you tell a rock apart from a grenade? Rocks don't explode. So I would have thought that's one way you can tell it, after the fact. Yes, yes. But the bright idea that they had was to just stick lights on poles that would flash red lights. And then, like, it's just a red light, but the trick was that they would tell the Afghan National Police,
Starting point is 00:44:10 these are long-range gonad reducers, LRGRs. So you've got to have an acronym to make it feel appropriately military. And they said to the Afghan police, don't tell anyone, but that's what those are for. And of course... They're like an energy weapon that will sterilise anyone who comes near them, but don't tell anyone. We're just telling you so when you're on patrol, you know, you can keep yourself safe.
Starting point is 00:44:29 You can avoid them. You can avoid them. Of course, yes, the Afghan police, not known for being terrific at keeping secrets. All of a sudden, no one wanted to throw rocks at the base anymore. That's right. And so that, you know, in contrast, they've got a clear goal. We want to stop people throwing rocks at our bases. And, you know,
Starting point is 00:44:45 what's the collateral damage? I think you can make an argument that the collateral damage is that people don't trust the British anymore. If you're in Afghanistan, I think that's a fair trade-off. It's at least something that you can weigh up and make a decision on, as opposed to the sort of previous example. Yeah, and Shashank talks about how the book is good on three things. One is the importance of influencing behaviour, not attitudes and beliefs. So I think that is an important thing when it comes to these sorts of campaigns.
Starting point is 00:45:14 And the second is the importance of understanding the local population with fieldwork, not just, you know, internet stuff. And the third is debunking the nonsense written on the military role in Cambridge Analytica so that's yeah that's interesting and he also pulled out another example of how Ukraine wound up contacting the wife of some military commander Russian military commander and convincing her that they're putting together a calendar for the husbands and that they should all put on their husband's jackets with their medals and take sexy selfies
Starting point is 00:45:47 and they'll compile it into a calendar. And they got a stack of really good info on that. And Dmitri Alperovitch even chimed in on that thread to point out that they did some hacking as part of that campaign as well. So it sounds like a book I'm going to have to add to my wishlist. Oh yeah, there's one more we wanted to talk to you about, Tom,
Starting point is 00:46:05 which is it looks like the EU, and we've foreshadowed this in conversations we've had in the podcast I do with you, which is more about government policy, Seriously Risky Business. You know, client-side scanning for child sex abuse material is something that Apple were going to introduce and then they got yelled at so that they pulled back on that. And, you know, you and I have long said this is an idea that's not going to go away. And if tech doesn't meet government halfway, then government's just going to dictate the rules and we're going to wind up in a bad place, and it looks like that's now playing out. Yeah, so that's the EU Council has this sort of draft negotiating position, which is companies that offer public services need to act responsibly when it comes to child sexual abuse material. And, you know, that acting responsibly isn't well defined, but one of the sort of pathways that it goes down is that you'll be forced, if you're not employing appropriate mitigations, to have some sort that works is entirely undefined. But the point is that if you're not
Starting point is 00:47:26 acting responsibly, that's the sort of light at the end of the tunnel or the train at the end of the tunnel, I guess, depending upon your point of view. And what strikes me about this whole debate is that... But this is where the Brits landed, by the way. I mean, there seems to be a policy consensus forming, which is unless you tackle it, we're going to put all of this crazy regulation on you. Yeah, it's the EU, the UK. There's very similar, like you can see the direction in Australia is the same. And it seems like the regulators talk to each other. They agree that this is a good idea.
Starting point is 00:48:03 And in so much as there is a united front, I think this is it. And so the answer for tech companies is, what's the best way that we can tackle these concerns and uphold as much of what we think is absolutely critical? Like, what's the stuff we really care about? Is it scanning before end-to-end encryption? You know, you've got to pick your battles, I guess. Yeah. Yeah. A hundred percent. It's interesting too. I had a conversation recently with a fairly prominent Australian journalist, who's not just a tech journo. And he's been on an interesting,
Starting point is 00:48:42 I won't name them because it was a private conversation, but they've been on an interesting journey with all of this because going from really believing the technology media line on this, that the governments are all just making up the scale of the problem, to then this person going out and actually researching it, talking to people in the field and realizing, oh my God, there is just so much unchecked CSAM, and it's just all over these services, and realising that, you know, the reason governments are pushing for this is not because it's creeping surveillance and they're trying to get some technical capability that they don't otherwise have. Like, this is a legitimate problem that needs to be solved. Yeah, I think if you're a politician
Starting point is 00:49:20 and you hear some of those stories about people who've been impacted by this, that is just totally outweighs any kind of argument that you can have about the sanctity of end-to-end encryption. And the people recognize that encryption is important, but it's not the highest value in all of human society. And you know what's funny? You just saying that is going to get us hate mail. Like what a world, what a world. And so, you know, the reason encryption is important is because of privacy, right? And privacy is important because it allows people to do what they want. They're free to live their lives. But we lock up people if they do bad
Starting point is 00:50:03 stuff. Like that's not the most important thing. The most important thing is that we live in a society where the most people, most of the time can do what they want. Yeah, 100%. Now, the last person we're going to hear from is Mr. Tyrion Ferrier. And the reason I wanted to get him on the show is, you know, the entire Risky Business full-time team is in a single room right now. Tiran, we published a team photo the other day, and I named everyone, including Tiran, and people said, who's Tiran? And the reason I just wanted to have him on the show very quickly is because Tiran is actually the first full-time employee in Risky Business Media, apart from me. He does the sponsor relations, schedules all of our sponsor activity,
Starting point is 00:50:45 generally makes himself extremely useful. So I just wanted to say, Tiran, say good day to the audience, please. Hello, everyone. And that's it. That's Tiran Ferrier. So we're going to wrap it up there. Adam, thank you for joining us. Thank you very much, Pat. It's nice to be here in a very warm, lovely place. Catalan. Thank you, everyone. And Tom. Thanks, Pat. That was Adam Boileau, Tom Uren and Catalin Kimpanu there with a chat about the week's security news.
Starting point is 00:51:16 It is time for this week's sponsor interview now with Brian Dye, the Chief Executive of Corelight. Corelight makes a network sensor, which is the de facto standard for network security sensors. It's based on the open source project Zeek, which is maintained by Corelight. And well, you know, maintained in large part by Corelight. And Brian is here to talk about how he's seeing more and more use of network detection response tools in cloud environments. And on one level, that doesn't make much sense, because there are some great ways to do detection and response in the cloud.
Starting point is 00:51:46 But those approaches are sadly mostly kind of theoretical at the moment. Like there's a lot of stuff you can do, not much stuff that people are actually doing. Whereas you can throw a network sensor into your cloud pretty easily and you're up and running. And that's what people are doing. So it makes a lot more sense than I used to think it did. And here's Brian Dye to explain why. So yeah, it's fascinating. What we see is kind of twofold. You've got this evolution of kind of defensive controls in the cloud, right? Where a lot of folks start on the native tools, and then they go and pick up a proper CNAPP. And then they
Starting point is 00:52:21 realize, oh, wait, VPC flow isn't enough, right? And that's usually where we see folks kind of come into NDR. And where the NDR tends to come from is kind of two different directions, right? You've got some of the highly regulated, especially kind of the big financials that say, look, we have compliance mandates to do the following things. There's nothing in that compliance mandate that differentiates cloud versus on-premise versus remote office versus you name it. It says something like monitoring. Exactly. So you've got to do it anyway. So we're going to carry those same policies into the cloud. And by the way, those are also the folks that are looking at more advanced threat detection,
Starting point is 00:53:00 and they're pretty sophisticated anyway. So those folks kind of jump directly to NDR actually and bypass a bunch of that traditional kind of maturity steps that I was talking about earlier. The other one though, is we see folks that are even fully cloud native saying, Hey, wait, I didn't realize this, but 80% of those network centric TTPs that I was worried about in the on-prem world, they actually still do apply in the cloud world. And by the way- And I can't do anything to surface them with a lot of this CloudTrail logging or whatever. Exactly. And I love CloudTrail, but I would go so far as to say no one at Amazon was thinking about a security analyst when they designed CloudTrail. It's not exactly fit for purpose. So we really see those two things happening. Cloud native folks saying, wait, there's a bunch of very relevant TTPs that I can't address without NDR. And then you've got the really high end, especially kind of the financial and regulated
Starting point is 00:53:54 industries that say, look, I don't have a choice. So I might as well get, you know, don't do this dumb, do it smart. And then they start there out of the gate. I mean, surely, and I ask you this as the chief executive of a company that does NDR stuff, surely there's a better way. The nice thing is the cloud, as you said, if everything is done perfectly, there's a whole set of security that theoretically shouldn't need to exist here. But there's actually something really beautiful in the cloud, because if you think about what the role of network visibility and network analysis is, regardless of what environment you're in, it's about breadth. You've already got EDR and a bunch
Starting point is 00:54:32 of other depth controls that either can block or can give you additional insight that has a lot of depth. The network's always been about breadth. The nice thing about the cloud is a bunch of things in the control plane that are also about breadth, by the way, are now stable enough that you can drive really discrete integrations to them and actually get a better view of breadth in the cloud than you could on-premise. I think this is your easy way of saying that it's actually just easy in the cloud, right? Because you're not up to your armpits in network cables and battling for rack space and whatever. You just do it. It's pretty easy. Well, it's not just easier. You get richer, more stable sets of data. So imagine this, right?
Starting point is 00:55:12 If you're in an on-premise environment and you're trying to kind of make your breadth information, your view of context in the environment as good as you can, you would take the network flows, you would add asset information from a CMDB, you'd add vulnerability information from a scanner, et cetera, et cetera. Sometimes org information out of your HR system. And we have folks doing all of that. That's pretty bespoke, right? Because you've got a whole wide range of tools you're pulling off of. That's a big pro-serve engagement.
Starting point is 00:55:38 You can get a bunch of that out of the control plane. So you can pull what security group was that service, was that kind of connection coming into, what service was actually being tagged. You can actually directly connect that to the control plane. So you actually get a much easier way to get a much more comprehensive view of what's really happening in that environment because you got more stability. The network's always been fairly stable, but now the control plane gives you a much more stable backdrop that you can match it together with. And if you put those two together, you really get a better view of breadth for a heck of a lot easier than you could do on-premise. I hate that what you're saying makes sense. Now, look, speaking of how you deploy this, right? So for a long time,
Starting point is 00:56:19 I think doing this on AWS was always pretty easy, right? Like getting a network tap, essentially, basically anywhere you wanted it, that was easy. And you could pump that into a sensor and away you go. Azure was a little bit more complicated because they announced, hey, look, we've got network taps now. And then they didn't really work well. And then I think they pulled them
Starting point is 00:56:37 so customers couldn't spin new ones up. Like what's the late, and that was years ago last I paid attention to this. What's the latest with like network tapping in Azure environments? Can you actually do it yet? So before we go on to Azure, let's not forget GCP, by the way. Everybody forgets GCP though, Brian. Well, A, they shouldn't.
Starting point is 00:56:57 Because I got to tell you, I've got a number of organizations we work with that are using GCP in pretty big ways. And I want to give them credit. The way they've done their network tapping was really good. Out of the gate, it was really good. It's easy to deploy. So look, I get there's market share numbers here, but- Well, I mean, the market share is non-trivial. It's 10% of a massive market, but we do live in an Azure and AWS world. But yeah, so no disrespect to Google meant. It's just a joke. Exactly. Exactly. Yeah. But AWS has got it nailed. GCP has got it nailed. Azure's working on it. So look, I don't want to speak on behalf of Satya's team, but the VTAP is not yet GA. So yes, they're a couple of years behind in getting this thing sorted. I have heard rumors that we should be expecting something in the short order, but I don't have anything more concrete than that. And I certainly wouldn't want to speak on Microsoft's behalf, right? That's really their news to go break. I mean, they're more than a couple of years behind, right? Like you've been able to do this in AWS since forever.
Starting point is 00:57:52 As you're like, this is years. It's been years and they can't get this working. That's amazing. I have been told that it is a very complex problem to take something that is a shared service and actually get essentially what is a per tenant kind of view of that. So I'm trying to be as nice as I can. Yeah, no, no, no. This makes sense. There's no way around it. It's Microsoft's everything is just one big system
Starting point is 00:58:14 approach, right? So how do you then carve that off? That makes sense. Okay. Yeah. Right. I'm with you. So, you know, you mentioned earlier that there's a spectrum of people who do this. Like, what does that spectrum look like? Like, we're seeing a shockingly wide range here. So it's everything from, you know, kind of lower end enterprise, you know, kind of a company that might be at a billion of revenue, which I know that's a substantial organization, right, US dollars, all the way up to some of the biggest enterprises in the world that are actually tackling this. And it's because of those two different dimensions that we talked about. You're either at the very
Starting point is 00:58:49 high end, you're getting hit with a bunch of compliance mandates that don't give you a choice. And look, depending on whose stat you pay attention to, it's something like 60 to 70% of threats do cross a cloud surface at this point, right? So you know you need that. You need multi-cloud visibility. You need multi-cloud visibility. You need multi-cloud and on-premise visibility because you're tracking an attack through all of those if you're one of these really big, kind of very sophisticated organizations. If you're on the lower end of the enterprise
Starting point is 00:59:14 and maybe you're fully digitally native, you've already gone through your learning curve. You've said, look, I started out with the basic tools. I deployed a CNAPP. Maybe that's Wiz. Maybe that's Palo. You name it. And you've realized, oh, wait, VPC flow still leaves me exposed, right?
Starting point is 00:59:30 I can't do enough with just the flow-based information, which, look, we've all learned in this industry kind of years ago. So it really does run the gamut from both the high end and the low end. Yeah, I think the uniformity argument's a good one. Like if you've got an attacker that's sort of hopping either from cloud to on-prem or on-prem to cloud, having some sort of uniform data set that you can use to follow that activity makes a lot of sense too, right? I'd imagine that's a big part of it. It absolutely is. And again, it goes back to kind of why do people do NDR in the first place? Yes, there's a set of network-centric MITRE TTPs that folks need to tackle,
Starting point is 01:00:01 but really it's about having the breadcrumbs to see what that whole end-to-end kill chain is, map out the different stages of the attack, confirm remediation, right? Confirm blast radius, confirm disclosure. And that is going to bridge a whole bunch of your environment by definition. So being able to see that end-to-end really is critical. Yeah. All right. All right.
Starting point is 01:00:20 You've convinced me. I hate it. I hate it, but you've convinced me. Now, look, before we wrap it up, you recently closed what is hopefully your last investment round. What series is that? Series? Series E, actually, yes. Series E, there you go.
Starting point is 01:00:34 So you closed a Series E. And I guess the reason we're talking about an investment round, you know, in this podcast, which we don't normally do, is because the mix of money was really interesting and telling. It really was. And thank you, by the way. So the main investment was led by Excel, which we're super privileged to continue to work with them. They led our Series A and our Series C. So we've had a chance to partner with Excel over multiple rounds. But then the really fun part is that both CrowdStrike and Cisco invested in that round as well. And you know, the question I'll often ask people is, when was the last time you heard of any company?
Starting point is 01:01:09 I mean, any company that both Cisco and CrowdStrike invested in? Yeah. Yeah. And I suppose that's the thing with this sort of data, right? It's like, if you're CrowdStrike, obviously you want, you know, you want Corelight to exist because every EDR company all of a sudden is trying to become like an XDR platform or whatever. And what better network data to get than the stuff that Corelight, what would you say, curates, right? So it's like curated network information.
Starting point is 01:01:37 So that makes sense. What's Cisco's interest beyond money? Like what's the strategic reasoning there? Yeah, for Cisco, it really is around hybrid multi-cloud security. So it's very much in line with everything we've been discussing here. And then specifically, they've got two big initiatives. One is their Hypershield announcement that I'm sure you saw, that they see an opportunity to embed a lot more security analytics and security intelligence within the network directly. And the other one, you know, speaking of shared open source heritage, is the Isovalent
Starting point is 01:02:05 acquisition and the eBPF technology. So if you think about all the great things you can do with that kind of kernel hook level kind of access that eBPF provides, from a network perspective, if you take all that traffic, you need to analyze it and kind of down select it before you put it into something like Splunk or a next-gen SIEM. So they view this as pretty relevant to kind of both of those big initiatives within the network security team at Cisco. So what, Corelight via eBPF on whatever? Yeah, and I mean, look, we have customers actually
Starting point is 01:02:34 that do deploy us in Kubernetes environments, but what I suspect is going to happen is there's only so much CPU you can load into a container sidecar, right? So I think a lot of that network analysis is still going to actually be taken off cluster just on sheer CPU cycles, right? There's only so much ML you can do in a sidecar, right? There's a math issue there. Yeah, yeah. All right. Well,
Starting point is 01:02:54 Brian Dye, thank you so much for joining us to walk through all of that. Always a fabulous chat. Great to see you. And I look forward to doing it again. Patrick, always a pleasure. Appreciate you having us. That was Brian Dye from Corelight there with this week's sponsor interview. Big thanks to him for that and big thanks to Corelight for being this week's sponsor. And that is it for this week's very special show. We'll all be home next week to bring you
Starting point is 01:03:15 more Risky Biz, except for Catalin, who's got the week off. But until then, I've been Patrick Gray. Thanks for listening.