Threats and Defenses

[00:00:00] Threats are everywhere and that's a given.

[00:00:03] Defenses are there too but one mistake can cost you the breach of your environment.

[00:00:08] You know the saying, attackers have to succeed only once and defenders have to succeed every

[00:00:12] time.

[00:00:13] This is true because attackers will try everything they can to breach your network

[00:00:17] and gain access to it and today we are going to take a comprehensive look at the

[00:00:22] evolving threat landscape and the advanced defenses that are crucial in combating

[00:00:27] these threats.

[00:00:35] You're listening to The Cyber Riddler, where we decipher the offensive and defensive side

[00:00:42] of the cyber world.

[00:00:43] Ahmad Almorabea

[00:00:52] To effectively defend against cyber threats, it's essential to first understand what are

[00:00:57] you up against.

[00:00:59] The cyber threat landscape has evolved over the past decade.

[00:01:03] We've moved from the era of simple viruses and worms to a time where we are facing advanced

[00:01:07] persistent threats, sophisticated ransomware operations and even state-sponsored cyber

[00:01:12] attacks.

[00:01:13] I remember like 10 years ago, we cared so much about having an antivirus solution on

[00:01:18] our system because we were downloading so many things from the internet and we were

[00:01:23] afraid that we would get viruses from it and maybe a right malware.

[00:01:27] Some may call it a server or patch, remember these old days?

[00:01:31] And if you remember before like 2013, we were relying on some simple hex changes in the

[00:01:36] binary itself to avoid being detected by some patterns and that's it.

[00:01:41] And sometimes we fail just because changing some things in the binary itself will break

[00:01:45] and corrupt the execution flow of your entire binary, right?

[00:01:49] To be honest, it depends on how good the pattern and signature were in the security

[00:01:54] solution.

[00:01:55] This was in the past.

[00:01:57] And now we evolved into another stage, which is try to manipulate the execution

[00:02:02] flow, the behavior of our payload.

[00:02:04] Instead of executing it in this way, let's try to find another way of delivering and

[00:02:09] executing the malware or the payload.

[00:02:11] Things like direct sys calls, indirect sys calls, stages, stage lists, loaders

[00:02:16] and so many things that we care about nowadays.

[00:02:19] And with these things and tactics, simple antivirus solution that only did

[00:02:24] signature along with some patterns will be useless for these advanced tactics.

[00:02:29] Yes, it will help you browse the internet with a little bit of security like prevent

[00:02:33] malicious JavaScript file to be executed in your system, like with the Internet

[00:02:37] Security module or prevent a well-known malware to be executed with the famous

[00:02:42] signature.

[00:02:43] One of the most concerning trends in the recent years has been the rise of

[00:02:47] ransomware as a service or RAS, R-A-A-S.

[00:02:51] RAS has lowered the barrier to entry for the cyber criminals, allowing even those

[00:02:57] with minimal technical skills to launch devastating ransomware attacks.

[00:03:02] With pre-pulled ransomware kits available on the dark whip or people sitting

[00:03:06] them on forums or telegram channels, attackers can simply purchase these

[00:03:11] tools they need, customize them with their own payment and encryption

[00:03:15] schemes and launch attacks on massive scale.

[00:03:18] Believe it or not, these cyber gangs are not smart at all.

[00:03:22] I mean they are relying on playbooks, literally a playbook.

[00:03:26] Like they have a script to enumerate some services in your environment

[00:03:29] and if they got an exploit to it, they will try it out.

[00:03:33] If not, they will move to another target, so on and so forth.

[00:03:38] So they don't care about who to breach, they care about compromising

[00:03:42] organization that didn't do an update or have really bad surface management.

[00:03:47] And you know, I saw so many cases where cyber gangs

[00:03:51] don't know about the people who preached.

[00:03:54] Like they know they took over this entity, but they don't know what is the

[00:03:58] business of this entity and they care about getting the ransom fees

[00:04:02] and you can sense this when you talk to the operator to negotiate the ransom fees.

[00:04:07] Another significant threat is supply chain attacks,

[00:04:10] where attackers compromise a third party vendor and filterate a target

[00:04:14] organization. We've seen this with the SolarWind breach,

[00:04:18] the attacker and started a malicious code into the software update,

[00:04:22] which were then distributed to a thousand SolarWinds customers.

[00:04:27] This type of attack is really dangerous because it leveraged trusted relationship

[00:04:31] to bypass traditional security measures.

[00:04:34] Fileless malware is another emerging threat,

[00:04:37] unlike traditional malware that relies on file being written on disk,

[00:04:40] fileless malware operate entirely in memory.

[00:04:43] This makes it incredibly difficult to detect using traditional antivirus software,

[00:04:48] which typically scans files on disk.

[00:04:51] Attackers often use tools already present on their victim system,

[00:04:54] such as PowerShell, WMI and so on, to execute their malicious code.

[00:04:59] To illustrate how these threats play out in this reward,

[00:05:03] let's look at the colonial pipeline ransomware attack from 2021.

[00:05:08] This attack was carried out by Darkside ransomware group,

[00:05:12] who managed to encrypt the pipeline's IT system,

[00:05:15] forcing the company to shut down its operations.

[00:05:18] The impact was immediate and severe,

[00:05:20] leading to a fuel shortage across the eastern United States.

[00:05:24] The attackers demanded ransomware in Bitcoin,

[00:05:27] which the company eventually paid.

[00:05:29] However, the damage to their reputation and economic impact

[00:05:33] was far greater than the ransomware itself.

[00:05:36] These examples highlight the sophistication and impact of modern cyber threats,

[00:05:41] but understanding the threat landscape just the first tip.

[00:05:45] To effectively defend against these threats,

[00:05:47] we need to employ multi-liar approach

[00:05:49] that includes advanced technologies, proactive strategies,

[00:05:54] and continuous monitoring.

[00:05:55] When it comes to cyber security, there is no silver bullet.

[00:05:59] That's why the principle of defense and depth so critical.

[00:06:03] Defense and depth involve implementing multiple layers of security controls

[00:06:08] throughout an organization IT infrastructure.

[00:06:11] The idea is that if one layer fails,

[00:06:13] either will still provide protection.

[00:06:15] Let's break down these layers.

[00:06:17] At the perimeter, we have traditional defenses like firewall

[00:06:21] and intrusion addiction systems,

[00:06:22] IDS or WAF web application firewalls.

[00:06:26] These tools are essential for blocking known threats

[00:06:28] and monitoring network traffic for signs of malicious activity.

[00:06:32] However, they are not enough on their own.

[00:06:35] Let me give you an example.

[00:06:36] If you relied on a WAF to secure your application,

[00:06:39] like you are 100% mistaken, you may ask why right?

[00:06:43] I already have a good WAF in place and I'm secured,

[00:06:46] but in reality there are many aspects where the WAF could fail.

[00:06:51] Let's break it down for you.

[00:06:52] A WAF usually look for patterns and if the attacker manages

[00:06:56] to find a way to smuggle his malicious code

[00:06:59] like SQL injections or shell or OS commands or whatever

[00:07:02] and bypass the WAF, the web application itself

[00:07:05] will be talking directly to the attacker without a barrier.

[00:07:09] Another thing that could go wrong,

[00:07:11] which how aggressive your WAF is,

[00:07:13] it could be configured to give alerts only

[00:07:15] or do small checks because we do want it

[00:07:18] to disrupt our users daily operations.

[00:07:21] So an attacker in this case have a better chance to bypass it.

[00:07:25] So you can see that having a WAF alone is not enough.

[00:07:29] You should also secure and audit your web application

[00:07:32] to be ready in case the WAF fail to prevent hackers.

[00:07:36] At the end point level,

[00:07:37] endpoint detection and response EDR solutions play a crucial role.

[00:07:42] Tools like CrowdStrike and Carbon Black

[00:07:44] monitor end points for suspicious behavior

[00:07:46] such as unusual file modification or a process

[00:07:50] that could indicate a compromise.

[00:07:51] EDR solution don't just detect threats.

[00:07:55] They also provide detailed forensic data

[00:07:57] that can be used to investigate incidents after they occur.

[00:08:01] In addition to these traditional defenses,

[00:08:03] we are seeing the rise of behavior analytics.

[00:08:06] This technology leverages machine learning

[00:08:08] to analyze user behavior and detect anomalies

[00:08:11] that could indicate security breaches.

[00:08:14] For example, if a user typically log in from Saudi Arabia

[00:08:18] and suddenly access the network from the US

[00:08:20] that could trigger an alert,

[00:08:22] behavior analytics is particularly effective

[00:08:25] at detecting insider threats and advanced attacks

[00:08:28] that bypass conventional security measures

[00:08:30] because it looks for a strange behavior

[00:08:32] that we didn't see before.

[00:08:34] Like the VPN example we mentioned earlier,

[00:08:37] we have two scenarios.

[00:08:39] Maybe the employee did go to the US that day.

[00:08:42] And in this case, it's legit.

[00:08:44] But if it's like the employee was doing his job

[00:08:47] in the office that entire day,

[00:08:49] and then the same day after working hours,

[00:08:53] suddenly there is a log in from the US.

[00:08:55] There is no way he traveled in the same day

[00:08:58] after like few hours.

[00:09:00] But there is another scenario

[00:09:01] that he was using a VPN service

[00:09:03] and that VPN gave him an IP registered in the US.

[00:09:07] I think you got it now.

[00:09:09] It's a strange behavior that needed to be investigated.

[00:09:12] Even though it could be legit,

[00:09:14] these things will not be pointed out

[00:09:16] by your security solution.

[00:09:17] But most of the time,

[00:09:19] the solution will not take an action

[00:09:20] and it will be left to the analyst.

[00:09:23] Another crucial strategy

[00:09:25] is the implementation of zero trust architecture.

[00:09:28] Unlike traditional security models,

[00:09:30] zero trust assumes that the network

[00:09:32] has already been preached.

[00:09:34] Every user, device, and application

[00:09:36] is treated as untrusted by default.

[00:09:39] Access is granted based on continuous verification

[00:09:42] of identity, device health.

[00:09:45] Implementing zero trust requires

[00:09:46] significant changes to how organization

[00:09:48] measure access and identity.

[00:09:51] But it's really important to have this approach.

[00:09:54] As the threat landscape evolve,

[00:09:56] the problem with zero trust is really easy

[00:09:58] to talk about.

[00:10:00] But in reality, every organization

[00:10:01] have its own policies and baggage.

[00:10:04] Like if a company don't have a good

[00:10:06] asset management and they can't do an asset check,

[00:10:09] they can't implement zero trust

[00:10:11] as they have to fix these things first.

[00:10:13] Or if a company have some technical issues

[00:10:15] for people to connect to their environment

[00:10:18] due to a policy or mistab architecture,

[00:10:21] it will be hard for them to add defenses

[00:10:23] to the environment.

[00:10:25] And there are many more examples like this.

[00:10:28] Sometimes everything is good to go,

[00:10:30] but the policies have to be changed first.

[00:10:32] And that alone could take a significant amount

[00:10:35] of time to update.

[00:10:37] Threat intelligence platform

[00:10:38] are another vital component

[00:10:40] of modern cyber security defenses.

[00:10:42] Threat intelligence aggregate threat data

[00:10:45] from various sources,

[00:10:46] including open source feeds,

[00:10:48] commercial providers and internal security tools.

[00:10:51] This data is then analyzed to identify trends,

[00:10:54] merging threats and indicators of compromise,

[00:10:57] IOCs.

[00:10:58] By integrating threat intelligence

[00:11:00] into security operations,

[00:11:01] organizations can proactively defend

[00:11:03] against attacks before they occur.

[00:11:05] But even with all these tools in place,

[00:11:08] it's essential to adopt

[00:11:09] proactive defenses strategy.

[00:11:11] Threat hunting is one such approach,

[00:11:13] unlike traditional security measure,

[00:11:16] that wait for alerts to trigger a response,

[00:11:18] threat hunting involve actively searching

[00:11:20] for signs of compromise within the environment.

[00:11:23] This can involve analyzing logs,

[00:11:25] looking for unusual patterns in the network traffic,

[00:11:27] or even deploying honeybots

[00:11:29] to attract and monitor potential attackers.

[00:11:32] Of course, none of this is effective

[00:11:34] without our boss incident response plan.

[00:11:36] An incident response plan outlined

[00:11:38] the steps that need to be taken

[00:11:40] in the event of the threat.

[00:11:42] Eradicating malicious actor from the network

[00:11:45] and recovering affected systems,

[00:11:47] regular drills and updates to the plan

[00:11:49] is necessary to ensure that when an incident occurs,

[00:11:53] the response is swift and effective.

[00:11:56] I think you got an idea now

[00:11:57] about how to secure your system

[00:11:59] and how to look for threats in your environment.

[00:12:02] I know it's a lot of work to do,

[00:12:03] but it's crucial for your system

[00:12:05] if you do want to get breached.

[00:12:07] You have been listening to the cyber riddler.

[00:12:09] Don't forget to perform threat hunting activities

[00:12:12] in your network in a proactive measure.

[00:12:14] Maybe you'll find something interesting, trust me.

[00:12:17] Don't forget to share this episode

[00:12:18] with anyone you think is interested about this topic

[00:12:20] and don't forget to follow us on X,

[00:12:23] Cyberridler or Al-Murabi, A-L-M-O-R-A-B-E-A.

[00:12:28] Until next time, this is Ahmad Al-Murabi, signing off.