In this six-part blog series, the RSAC editorial team highlights the six buzz topics featured at RSAC 2022. Each blog will highlight one of the most popular topics and trends seen within related sessions. Our second topic is hackers & threats.
Nick Biasini, Head of Outreach at Talos
Pierre Cadieux, Senior Manager of Incident Response at Cisco Talos Incident Response
Biasini started the session by mentioning we should be treating our home Wi-Fi like it’s a public Wi-Fi, as VPNs are under attack. He mentioned a number of attacks in recent history that we can learn from. The use of wiping activity and destructive malware in Ukraine is a great example. HermeticWiper, CaddyWiper, and DoubleZero all attacked file systems, releasing another one that attacks metadata. The use of destructive malware is becoming incredibly common and will be happening for the foreseeable future.
Sea Turtle is targeting DNS by hacking registrants and hijacking DNS servers. In five to ten years, this could be something we should pay more attention to, according to Biasini. In the case of SolarWinds, sample tokens were targeted. Most organizations are hybrid (access to on-prem and cloud solutions), which potentially leaves an area of vulnerability.
Biasini wrapped by saying ransomware cartels are wreaking havoc on enterprises. Systems are being compromised through whatever exploits possible (like phishing or buying access directly) by taking data and creating a ransom. Trust is really under attack by nation-states, along with remote access, supply chains, weaponizing, exploiting markets, critical infrastructure, and foundations of the internet.
Cadieux then went on to discuss creating a defender-friendly infrastructure through the following steps: (1) develop your environment to allow for response; (2) understand your assets, risks, and blind spots; (3) know where your logs are trained, how to access them, and how long they are retained; (4) know how to deploy tools rapidly and the impact and process involved.
Response phases went as follows: preparation (have tools, knowledge, and skills ready to act upon the event of an incident), detection and analysis (collect and archive), containment (can the incident be isolated?), eradication and recovery (remove malicious software, deny the adversary access to the environment). Post-incident steps included capturing recommendations, analyzing the incident, and a debriefing with the team, so it doesn’t happen again.
Practical Learnings for Threat Hunting and Improving Your Security Posture
Simon Dyson, Cyber Security Operations Centre Lead at NHS Digital
Jessica Payne, Security Person at Microsoft
Payne started the sessions by saying that threats come from moderately skilled people who know slightly more about your network than you do and that threat intelligence should be as much about telling you what you don’t have to worry about.
Payne mentions that there are oftentimes commonalities you can see in attacks: office abuse, account abuse, script abuse, security product tampering, and the use of industrialized attack tools. She wraps her segment of the session by saying ransomware is a preventable disaster by monitoring opportunities continuously in network design, but you can’t just buy this—you have to build it.
Dyson leads off his portion of the session by discussing the numerous threats the UK and the globe faced throughout COVID and that we should be interested in threat actors, campaigns, tangled webs of affiliates and groups, and what we have seen before, static and behaviors.
Threat intelligence leads to threat hunting, which leads to incident management, which is followed by cyber incident response, all in a perfect continuous square. Some of the rule creation and governance from this include creating content and testing it, automating workflows, promoting rules into protective monitoring, and reviewing rules’ efficiency, performance, and effectiveness.
Concluding, Dyson mentions the team is your greatest asset. Some tips include keeping diverse and not just protected characteristics, different backgrounds in terms of technical, sector, and skill set, pure cyber, and beware of group think or CTF mentality, recognizing human ingenuity from the criminal, defender, and automation that will save time and effort. But the human element remains so important.
Read all of the series: