Threats and Defenses
The Cyber Riddler, September 05, 2024
22
00:12:47, 8.82 MB


In this episode, we explore the modern cybersecurity threat landscape, examining sophisticated attacks like ransomware-as-a-service, supply chain breaches, and fileless malware. We discuss essential defensive strategies, including the use of Zero Trust architecture, behavioral analytics, and other tools. Alongside these defenses, we emphasize the importance of proactive threat hunting and a strong incident response plan. This episode serves as a reminder of what you should do and how to hunt for threats in your environment.

  • Twitter: @almorabea
  • Twitter: @CyberRiddler
  • Website: https://thecyberriddler.com

[00:00:00] Threats are everywhere and that's a given.

[00:00:03] Defenses are there too but one mistake can cost you the breach of your environment.

[00:00:08] You know the saying, attackers have to succeed only once and defenders have to succeed every

[00:00:12] time.

[00:00:13] This is true because attackers will try everything they can to breach your network

[00:00:17] and gain access to it and today we are going to take a comprehensive look at the

[00:00:22] evolving threat landscape and the advanced defenses that are crucial in combating

[00:00:27] these threats.

[00:00:35] You're listening to The Cyber Riddler, where we decipher the offensive and defensive side

[00:00:42] of the cyber world.

[00:00:43] Ahmad Almorabea

[00:00:52] To effectively defend against cyber threats, it's essential to first understand what you are

[00:00:57] up against.

[00:00:59] The cyber threat landscape has evolved over the past decade.

[00:01:03] We've moved from the era of simple viruses and worms to a time where we are facing advanced

[00:01:07] persistent threats, sophisticated ransomware operations and even state-sponsored cyber

[00:01:12] attacks.

[00:01:13] I remember like 10 years ago, we cared so much about having an antivirus solution on

[00:01:18] our system because we were downloading so many things from the internet and we were

[00:01:23] afraid that we would get viruses from it and maybe a right malware.

[00:01:27] Some may call it a server or patch, remember these old days?

[00:01:31] And if you remember before like 2013, we were relying on some simple hex changes in the

[00:01:36] binary itself to avoid being detected by some patterns and that's it.

[00:01:41] And sometimes we fail just because changing some things in the binary itself will break

[00:01:45] and corrupt the execution flow of your entire binary, right?

[00:01:49] To be honest, it depends on how good the pattern and signature were in the security

[00:01:54] solution.

[00:01:55] This was in the past.

[00:01:57] And now we evolved into another stage, which is trying to manipulate the execution

[00:02:02] flow, the behavior of our payload.

[00:02:04] Instead of executing it in this way, let's try to find another way of delivering and

[00:02:09] executing the malware or the payload.

[00:02:11] Things like direct syscalls, indirect syscalls, staged, stageless, loaders

[00:02:16] and so many things that we care about nowadays.

[00:02:19] And with these things and tactics, a simple antivirus solution that only did

[00:02:24] signatures along with some patterns will be useless for these advanced tactics.

[00:02:29] Yes, it will help you browse the internet with a little bit of security, like preventing

[00:02:33] a malicious JavaScript file from being executed in your system, like with the Internet

[00:02:37] Security module, or preventing well-known malware from being executed with the famous

[00:02:42] signature.

[00:02:43] One of the most concerning trends in the recent years has been the rise of

[00:02:47] ransomware as a service, or RaaS, R-A-A-S.

[00:02:51] RaaS has lowered the barrier to entry for cyber criminals, allowing even those

[00:02:57] with minimal technical skills to launch devastating ransomware attacks.

[00:03:02] With pre-built ransomware kits available on the dark web, or people selling

[00:03:06] them on forums or Telegram channels, attackers can simply purchase the

[00:03:11] tools they need, customize them with their own payment and encryption

[00:03:15] schemes, and launch attacks on a massive scale.

[00:03:18] Believe it or not, these cyber gangs are not smart at all.

[00:03:22] I mean they are relying on playbooks, literally a playbook.

[00:03:26] Like they have a script to enumerate some services in your environment

[00:03:29] and if they have an exploit for it, they will try it out.

[00:03:33] If not, they will move to another target, so on and so forth.

[00:03:38] So they don't care about who to breach, they care about compromising

[00:03:42] organizations that didn't do an update or have really bad surface management.

[00:03:47] And you know, I saw so many cases where cyber gangs

[00:03:51] don't know about the people they breached.

[00:03:54] Like they know they took over this entity, but they don't know what the

[00:03:58] business of this entity is, and they care about getting the ransom fees,

[00:04:02] and you can sense this when you talk to the operator to negotiate the ransom fees.

[00:04:07] Another significant threat is supply chain attacks,

[00:04:10] where attackers compromise a third-party vendor to infiltrate a target

[00:04:14] organization. We've seen this with the SolarWinds breach, where

[00:04:18] the attacker inserted malicious code into the software updates,

[00:04:22] which were then distributed to a thousand SolarWinds customers.

[00:04:27] This type of attack is really dangerous because it leverages trusted relationships

[00:04:31] to bypass traditional security measures.

[00:04:34] Fileless malware is another emerging threat,

[00:04:37] unlike traditional malware that relies on files being written to disk,

[00:04:40] fileless malware operates entirely in memory.

[00:04:43] This makes it incredibly difficult to detect using traditional antivirus software,

[00:04:48] which typically scans files on disk.

[00:04:51] Attackers often use tools already present on the victim's system,

[00:04:54] such as PowerShell, WMI and so on, to execute their malicious code.

[00:04:59] To illustrate how these threats play out in the real world,

[00:05:03] let's look at the Colonial Pipeline ransomware attack from 2021.

[00:05:08] This attack was carried out by the DarkSide ransomware group,

[00:05:12] who managed to encrypt the pipeline's IT system,

[00:05:15] forcing the company to shut down its operations.

[00:05:18] The impact was immediate and severe,

[00:05:20] leading to a fuel shortage across the eastern United States.

[00:05:24] The attackers demanded a ransom in Bitcoin,

[00:05:27] which the company eventually paid.

[00:05:29] However, the damage to their reputation and the economic impact

[00:05:33] were far greater than the ransom itself.

[00:05:36] These examples highlight the sophistication and impact of modern cyber threats,

[00:05:41] but understanding the threat landscape is just the first step.

[00:05:45] To effectively defend against these threats,

[00:05:47] we need to employ a multi-layer approach

[00:05:49] that includes advanced technologies, proactive strategies,

[00:05:54] and continuous monitoring.

[00:05:55] When it comes to cyber security, there is no silver bullet.

[00:05:59] That's why the principle of defense in depth is so critical.

[00:06:03] Defense in depth involves implementing multiple layers of security controls

[00:06:08] throughout an organization's IT infrastructure.

[00:06:11] The idea is that if one layer fails,

[00:06:13] another will still provide protection.

[00:06:15] Let's break down these layers.

[00:06:17] At the perimeter, we have traditional defenses like firewalls

[00:06:21] and intrusion detection systems,

[00:06:22] IDS, or WAFs, web application firewalls.

[00:06:26] These tools are essential for blocking known threats

[00:06:28] and monitoring network traffic for signs of malicious activity.

[00:06:32] However, they are not enough on their own.

[00:06:35] Let me give you an example.

[00:06:36] If you relied on a WAF to secure your application,

[00:06:39] like you are 100% mistaken. You may ask why, right?

[00:06:43] I already have a good WAF in place and I'm secured,

[00:06:46] but in reality there are many aspects where the WAF could fail.

[00:06:51] Let's break it down for you.

[00:06:52] A WAF usually looks for patterns, and if the attacker manages

[00:06:56] to find a way to smuggle his malicious code,

[00:06:59] like SQL injections or shell or OS commands or whatever

[00:07:02] and bypass the WAF, the web application itself

[00:07:05] will be talking directly to the attacker without a barrier.

[00:07:09] Another thing that could go wrong

[00:07:11] is how aggressive your WAF is.

[00:07:13] It could be configured to give alerts only

[00:07:15] or do small checks, because we don't want it

[00:07:18] to disrupt our users' daily operations.

[00:07:21] So an attacker in this case has a better chance to bypass it.

[00:07:25] So you can see that having a WAF alone is not enough.

[00:07:29] You should also secure and audit your web application

[00:07:32] to be ready in case the WAF fails to prevent hackers.

[00:07:36] At the endpoint level,

[00:07:37] endpoint detection and response, EDR, solutions play a crucial role.

[00:07:42] Tools like CrowdStrike and Carbon Black

[00:07:44] monitor endpoints for suspicious behavior,

[00:07:46] such as unusual file modifications or processes

[00:07:50] that could indicate a compromise.

[00:07:51] EDR solutions don't just detect threats.

[00:07:55] They also provide detailed forensic data

[00:07:57] that can be used to investigate incidents after they occur.

[00:08:01] In addition to these traditional defenses,

[00:08:03] we are seeing the rise of behavior analytics.

[00:08:06] This technology leverages machine learning

[00:08:08] to analyze user behavior and detect anomalies

[00:08:11] that could indicate security breaches.

[00:08:14] For example, if a user typically logs in from Saudi Arabia

[00:08:18] and suddenly accesses the network from the US,

[00:08:20] that could trigger an alert.

[00:08:22] Behavior analytics is particularly effective

[00:08:25] at detecting insider threats and advanced attacks

[00:08:28] that bypass conventional security measures

[00:08:30] because it looks for strange behavior

[00:08:32] that we didn't see before.

[00:08:34] Like the VPN example we mentioned earlier,

[00:08:37] we have two scenarios.

[00:08:39] Maybe the employee did go to the US that day.

[00:08:42] And in this case, it's legit.

[00:08:44] But if it's like the employee was doing his job

[00:08:47] in the office that entire day,

[00:08:49] and then the same day after working hours,

[00:08:53] suddenly there is a log in from the US.

[00:08:55] There is no way he traveled on the same day

[00:08:58] after like a few hours.

[00:09:00] But there is another scenario

[00:09:01] that he was using a VPN service

[00:09:03] and that VPN gave him an IP registered in the US.

[00:09:07] I think you got it now.

[00:09:09] It's a strange behavior that needs to be investigated.

[00:09:12] Even though it could be legit,

[00:09:14] these things will not be pointed out

[00:09:16] by your security solution.

[00:09:17] But most of the time,

[00:09:19] the solution will not take an action

[00:09:20] and it will be left to the analyst.

[00:09:23] Another crucial strategy

[00:09:25] is the implementation of zero trust architecture.

[00:09:28] Unlike traditional security models,

[00:09:30] zero trust assumes that the network

[00:09:32] has already been breached.

[00:09:34] Every user, device, and application

[00:09:36] is treated as untrusted by default.

[00:09:39] Access is granted based on continuous verification

[00:09:42] of identity, device health.

[00:09:45] Implementing zero trust requires

[00:09:46] significant changes to how organizations

[00:09:48] manage access and identity.

[00:09:51] But it's really important to have this approach

[00:09:54] as the threat landscape evolves.

[00:09:56] The problem with zero trust is that it's really easy

[00:09:58] to talk about.

[00:10:00] But in reality, every organization

[00:10:01] has its own policies and baggage.

[00:10:04] Like if a company doesn't have good

[00:10:06] asset management and they can't do an asset check,

[00:10:09] they can't implement zero trust

[00:10:11] as they have to fix these things first.

[00:10:13] Or if a company has some technical issues

[00:10:15] for people to connect to their environment

[00:10:18] due to a policy or mistab architecture,

[00:10:21] it will be hard for them to add defenses

[00:10:23] to the environment.

[00:10:25] And there are many more examples like this.

[00:10:28] Sometimes everything is good to go,

[00:10:30] but the policies have to be changed first.

[00:10:32] And that alone could take a significant amount

[00:10:35] of time to update.

[00:10:37] Threat intelligence platforms

[00:10:38] are another vital component

[00:10:40] of modern cyber security defenses.

[00:10:42] Threat intelligence aggregates threat data

[00:10:45] from various sources,

[00:10:46] including open source feeds,

[00:10:48] commercial providers and internal security tools.

[00:10:51] This data is then analyzed to identify trends,

[00:10:54] emerging threats and indicators of compromise,

[00:10:57] IOCs.

[00:10:58] By integrating threat intelligence

[00:11:00] into security operations,

[00:11:01] organizations can proactively defend

[00:11:03] against attacks before they occur.

[00:11:05] But even with all these tools in place,

[00:11:08] it's essential to adopt

[00:11:09] a proactive defense strategy.

[00:11:11] Threat hunting is one such approach.

[00:11:13] Unlike traditional security measures

[00:11:16] that wait for alerts to trigger a response,

[00:11:18] threat hunting involves actively searching

[00:11:20] for signs of compromise within the environment.

[00:11:23] This can involve analyzing logs,

[00:11:25] looking for unusual patterns in the network traffic,

[00:11:27] or even deploying honeypots

[00:11:29] to attract and monitor potential attackers.

[00:11:32] Of course, none of this is effective

[00:11:34] without a robust incident response plan.

[00:11:36] An incident response plan outlines

[00:11:38] the steps that need to be taken

[00:11:40] in the event of a threat:

[00:11:42] eradicating the malicious actor from the network

[00:11:45] and recovering affected systems.

[00:11:47] Regular drills and updates to the plan

[00:11:49] are necessary to ensure that when an incident occurs,

[00:11:53] the response is swift and effective.

[00:11:56] I think you got an idea now

[00:11:57] about how to secure your system

[00:11:59] and how to look for threats in your environment.

[00:12:02] I know it's a lot of work to do,

[00:12:03] but it's crucial for your system

[00:12:05] if you don't want to get breached.

[00:12:07] You have been listening to The Cyber Riddler.

[00:12:09] Don't forget to perform threat hunting activities

[00:12:12] in your network as a proactive measure.

[00:12:14] Maybe you'll find something interesting, trust me.

[00:12:17] Don't forget to share this episode

[00:12:18] with anyone you think is interested in this topic,

[00:12:20] and don't forget to follow us on X,

[00:12:23] CyberRiddler or Almorabea, A-L-M-O-R-A-B-E-A.

[00:12:28] Until next time, this is Ahmad Almorabea, signing off.