Only Malware in the Building 1.6.26
Ep 19 | 1.6.26

Poisoned at the source.

Transcript

Selena Larson: Okay, guys, we've had a whole month to plan our next cold open for the show. What have you come up with?

Dave Bittner: All right, picture this. We're brave knights, armored to the teeth, marching through the server room dungeon, and there's a massive malware dragon. It breathes fire, spews corrupted files. And only we can save the mainframe.

 

Keith Mularski: And I'm swinging a sword made of pure antivirus code. Every swipe deletes the trojan instantly. The dragon's horde, a mountain of lost passwords and encrypted files.

 

Selena Larson: Uh, no, absolutely not. We are not pretending to be knights.

 

Dave Bittner: Okay. What do you got, then?

 

Selena Larson: I'm so glad you asked, Dave. How about space? Astronauts on a mission to repair the intergalactic network core, phishing meteors flying at us, ransomware black holes, and cosmic AI trying to trick us into clicking links.

 

Dave Bittner: Space is cool, but this isn't T-Minus Daily. And we'd need a bigger budget for rocket noises.

 

Keith Mularski: Yeah, plus I get motion sickness just thinking about zero gravity. What about a zombie apocalypse in the server room? Hackers have unleashed malware zombies, and we're the IT fighting them off with USB stakes and antivirus potions.

 

Selena Larson: Yeah, every zombie could be a corrupted file, and I'm crafting a firewall barrier with my keyboard. When a zombie bites a server, boom, it's quarantined instantly. There's suspense, drama, maybe even a slow-motion delete scene.

 

Dave Bittner: Come on, guys, no, we can't be zombies, it's not even Halloween. Medieval wizards dueling with ransomware spells.

 

Selena Larson: No! Underwater divers fighting a malware octopus?

 

Dave Bittner: This is hopeless.

 

Keith Mularski: We hate everyone's ideas.

 

Selena Larson: Seems that way.

 

Dave Bittner: Great. Well, maybe we just don't have a cold open this time.

 

Selena Larson: What, like we just sit here and talk about not having one?

 

Dave Bittner: Wait a second. What if this, us arguing about the script, is the script?

 

Selena Larson: Oh my gosh. We're literally writing it as we're reading it.

 

Keith Mularski: A cold open about not having a cold open, it's genius.

 

Dave Bittner: Perfect. Keyboard clacking, pen scratching, awkward silence, it's all there.

 

Selena Larson: Fine, let's roll with it. Cue the music. [ Music ] Hello to all our listeners. You are listening to Only Malware in the Building. I am your host, Selena, here with Dave and Keith. And first of all, Happy New Year. We're back. It's January 2026. New malware, new hacks, new fun to be had. How are you guys doing?

 

Keith Mularski: Doing great. Happy New Year to you guys too. Great to see you again.

 

Dave Bittner: Happy New Year. I'm still going to be writing 2025 on all my checks for the next couple of months at least.

 

Selena Larson: You still use checks?

 

Dave Bittner: No, actually I don't write checks. But what I do is when I announce the date for the Cyber Wire Daily every day, it takes me about a week to switch over from 2025 to 2026. And so I get notes from our editors that are like, Dave, it's 2026, can you re-record that please?

 

Selena Larson: I also have this problem when doing campaign data. I always forget to change the titles of campaigns to 2026, the next year.

 

Dave Bittner: The other thing I end up doing is just for the audio editors, I'll just create a file that's me saying 2026 in a bunch of different ways so they can edit it in wherever needed. So I'll just say 2026, 2026, 2026, 2026, 2026, 2026, so they can choose whichever version to correct me, and then they don't have to come back and bother me.

 

Keith Mularski: That is genius, Dave, genius.

 

Dave Bittner: It's not my first rodeo [laughter].

 

Selena Larson: Someone is a professional podcaster.

 

Dave Bittner: Well, I'm also self-aware of my own limitations. So I try to not let my shortcomings affect the rest of the staff. So I try to anticipate their needs.

 

Selena Larson: Well, you're the whole package, Dave. And you know, I think that since it is 2026, brand new year, we should think about maybe what a big year 2025 was for supply chain compromise. [ Music ]

 

Keith Mularski: You know, last episode, we talked about diversion of cargo. So that's kind of like supplies and all that. And it just always seems every year around the holidays, there is some kind of big supply chain compromise, whether it be SolarWinds a couple of years ago, MOVEit vulnerability. And this year, just right before the holidays, you know, we had the big F5 compromise. So I just thought we can talk about supply chain and, you know, really how more prevalent we're seeing that, and just some things that our listeners should be thinking about regarding the evolution of tactics by the adversaries. So, you know, the F5 breach, if you're not familiar by this time, you know, it really -- you know, F5 said they learned about it in August of 2025 that a highly sophisticated nation-state had long-term, you know, persistent access to parts of their environment, including the BIG-IP product development systems. So very similar, if you're thinking about, you know, going after that source code, that product development, very similar to what we saw the Russians do with SolarWinds just a couple years ago. And what was taken were portions of BIG-IP's source code, internal vulnerability details, including like issues not publicly disclosed. And, you know, they were attributing this attack to Chinese nation-state actors. So whereas SolarWinds was Russia, now we have, you know, the other big nation-state adversary kind of copying that, saying, hey, look, you know, we can kind of do the same thing. We can get long-term, persistent access, and get in there and kind of see what things we're doing. And instead of trying to hack each company individually, now we get into that supply chain and now we have access to hundreds of different, you know, companies that are out there. So it was just another fascinating story that I wanted to talk about with you guys today, just because we're seeing more and more of this, you know, over the years.

 

Dave Bittner: So just to put a fine point on that and clarify the message, the tactics that are happening here, this is as if, let's say I wanted to ruin the flavor of every brand of soda in the United States, right? I just want to make them all taste like vinegar.

 

Keith Mularski: Or change the flavor of a dip, Dave.

 

Dave Bittner: Oh, let's not go too far here, let's not be hasty [laughter]. So one way to do that would be to get into Coca-Cola and poison their soda, to get into Pepsi and poison their soda, to get into RC and poison their soda. Or I could get into the company that makes all of the bottles and put some sort of flavoring in the bottle before it even gets to all of those manufacturers. So that's the supply chain, right? It's the suppliers to the providers. Getting into that line before, maybe even several steps before it's ready to be shipped off to us. Do I have that right?

 

Keith Mularski: You're spot on on that. And, you know, so when you think about getting into the software, and then that software is being used by hundreds of companies out there, now, you know, you have that backdoor in there. Those applications have been whitelisted by, you know, all of the security teams. So when they see, you know, this software that's legit, that they've purchased the license, calling out to certain things, that is not nefarious activity, that's just the behavior of that application. So when a threat actor can get into that source code, they're really able to live off the land and be hidden, you know, from network defenders.

 

Selena Larson: Well, and I think it's interesting, too, because they did steal the source code, that was part of the overall campaign. And, you know, even though they're still sort of unclear, like what the overall fallout of this is, I think that it's interesting that they could potentially theoretically operationalize that in some way, right? Like they could find potentially vulnerabilities within the code itself that the organization might not be aware of to further develop attacks. But I think, you know, this just continues to highlight that threat actors are targeting the tools and resources that enterprises are using every single day, as opposed to going after like individual enterprises. You know, targeting the supply chain, especially, you know, when it comes to organizations that are having things publicly exposed, right? You know, like a lot of these things that organizations also might not necessarily be aware are going to be externally facing, or some older pieces of equipment that they don't really realize are running this type of software. So I think there's a lot of potential risk every time we read about a new supply chain attack. It's just like, okay, well, this was like one incident, but what is the potential fallout? Like how could threat actors operationalize the information that they got or the access that they got like further down the road?

 

Dave Bittner: You know, I'm reminded of a public service campaign that ran probably when Keith and I were teenagers. So Selena, you hadn't been born yet. And of course, this was during the AIDS pandemic and that terrible tragedy. And there was a campaign that basically said, I'm going to try to keep it family friendly, basically said, every person you've been intimate with, it's the same as being intimate with every person they've been intimate with, right? And of how things can spread. And I think about that with supply chain vulnerabilities, particularly when we're talking about things like open-source software. Where we have these building blocks, these components, these things that they just work, people know they just work, so they plug them into their software. It could be a printer driver, it could be, you know, whatever. And people don't think about them. They're just there. They're benign. They've worked forever. But if somebody can get into one of those and secretly add something, just the breadth of things that they can get into is really kind of chilling.

 

Keith Mularski: Yeah, and I mean, you mentioned those types of like printers and routers, and, you know, that's one of the techniques that we're really seeing these adversaries use, like Volt Typhoon and some of the other sophisticated APT groups, where they're not necessarily going in on a piece of malware that, you know, they're delivering through a phish. But they're getting up on a router, they're getting up on another device, they're just sucking down the passwords and seeing that stuff. And then they could go in through legitimate access, so that they're not raising the flag. So, you know, because you're not having, you know, endpoint detection on a router; you're not, on a printer. So these are different places that we're seeing the adversaries kind of hide, because that is -- there are no security tools and people aren't monitoring those like you are, you know, your desktop or something, or, you know, another server for the activity. So we're really kind of seeing them pivot to those type of devices.

 

Selena Larson: You know, one thing I was actually a little surprised that we don't see more of -- do you guys remember the XZ Utils backdoor in the open-source data compression utility from, was it last year, I think. But basically, somebody put in a backdoor on XZ Utils, and it would have just been like widely distributed if some guy from Microsoft hadn't just like found it.

 

Dave Bittner: Right, right. It was just luck. Yeah.

 

Selena Larson: And I think that's so interesting because I'm like, how much more does this happen that we just are not aware of it, or is it being caught and it just doesn't happen that often? But I was kind of expecting like -- I remember last year when we were doing like predictions or whatever, I was anticipating that we would potentially see more of that in 2025 and into 2026. So, you know, maybe that's another avenue of supply chain disruption that might, you know, continue or we'll see more of. I was a little surprised that we don't hear more stories about that type of backdoor.

 

Keith Mularski: Yeah. And one of the things that we're seeing, and I think one of the other keys here is that, you know, these supply chain attacks aren't just limited to sophisticated nation-state actors. You know, we're seeing a lot of e-crime groups that are doing this. You know, a great example was the Kaseya ransomware attack that REvil did a couple of years ago, you know, where they were able to get in there and then push out ransomware, you know, to, say, its vendors. And one of the things that we're seeing at QIntel that's very interesting that I want to share with everybody today is this malware called Triada. It's Chinese-based. And what we're really seeing them do is they're backdooring these Android firmware in China. So counterfeit phones, other types of Android-based devices that are sold on Amazon and shipped. So these could be high-end, you know, counterfeit phones or just other types of Android-based, where they're having, you know, suppliers insert this right into the firmware that makes it very difficult to be detected. It's not in the Google Play Store or anything like that, but, you know, you're purchasing an Android phone on Amazon that's coming from China, and it's backdoored. And some of the types of things that this malware is doing is, you know, they can read the communications, they can read your text messages. You know, these devices are being used for proxies so that criminals can bounce through these devices, whether it be your phone or maybe it's your TV, you know, your Android TV or Google TV that has that firmware in it, it's really prevalent. And, you know, our visibility, you know, we saw, as of just a couple of days ago when I looked at our collection, 85 million devices worldwide. So you think 85 million devices worldwide that are compromised from a supply chain standpoint, you know, with this compromised firmware, you know, right at the beginning. 
So the breadth of these things isn't just limited to APT groups, but criminal groups are getting very sophisticated at this as well. [ Music ]

 

Selena Larson: Stick around after the break. [ Music ]

 

Dave Bittner: How much of this is about trust? You know, it seems to me like at some point, there are things in our lives that we simply trust that they are going to be the way they're described. You know, you go to the pharmacy and you buy a bottle of aspirin, you trust that there are enough things in place, enough checks and balances in place, that there's not going to be anything in that bottle of aspirin that would do you any harm. But I think even today, some of the things -- like we buy stuff through Amazon. And Amazon has a huge counterfeiting problem. You know, things like drill batteries, you know, like cordless drill batteries that have all the labeling that looks like the authentic thing, but they're not. And they could catch fire, or they could simply not perform as well as you want them to perform. Do you suppose that people are becoming a little more wary of things and inserting more verification into their day-to-day rather than simply trusting?

 

Keith Mularski: I think -- you know, when I buy something on Amazon, I trust it, you know. And I think that's the thing right now. The everyday average person, if they're going to buy an electronic device off of Amazon, they're thinking, hey, I'm getting a legitimate product. They're not necessarily thinking that this could be a counterfeit device and backdoored, you know, because it's manufactured over in China. They're not thinking that way. So I think we're a very trusting society. Like when you said, when you go to the store and you buy that good, you're not thinking -- you know, I mean, I don't even have like one thought when I go and buy something that this is counterfeit and this is backdoored. My brain's not even thinking that. And that's where these threat actors, you know, they really prey on that trust. And that's really the key.

 

Selena Larson: I think too that, you know, if you're asking, are we just too trusting, I think even within, not just from a consumer perspective, but even within the enterprise, I would say the answer is yes. Because, you know, we've seen many, many years of supply chain compromises. We've seen even just, you know, in 2025, you already mentioned the F5. I think Clop exploiting vulnerabilities in Oracle EBS was another example of that, you know, using zero-day vulnerabilities. There's just been many, many examples of threat actors successfully compromising third parties to enable access. Certainly, the Salesforce breach was another good example of that. And yet, at the same time, you have organizations increasingly incorporating AI tools and these chatbots and these corporate third-party pieces of software -- applications, chatbots, whatever, what have you -- into their workflows. And I think that kind of in the same way that moving to cloud opened up an entirely new attack surface for threat actors to be able to exploit, and we saw them do it very successfully, and we're finally in this era of, okay, we have cloud best practices, we've locked out our cloud infrastructure, so let's open a new threat vector [laughter].

 

Dave Bittner: Yeah, we can't leave well enough alone.

 

Selena Larson: Yeah, let's just bolt on more stuff.

 

Dave Bittner: Yeah.

 

Selena Larson: You know, I think it's really interesting because, like, have we learned? Like is this -- you know, are we making sure that organizations are doing best practices and understanding the risk before adopting new tools into the enterprise and third parties that are -- may or may not be vetted and verified? You know, I think with this huge surge of AI, there's tons of AI tools that are out there. And it's like, okay, are we incorporating these into our organizations in a way that is secure first and productive second? And I'm not sure that the answer would be yes for every organization right now.

 

Keith Mularski: And I think, too, when you're thinking about like software development, you know, there's a lot of shared code that's out there, you know, on GitHub, where they're just, hey, you know, I need to solve this. Let me go on Git and let me see what's out there. Let me just pull that down and I'm going to incorporate that right into my product. Because the software developers aren't necessarily thinking from a cybersecurity standpoint. They have a job to do as like, hey, you know, I have to develop this product and this is what it needs to do, and, you know, I got to write that. So from utilizing AI to write software that maybe, you know, there's bad things that could be poisoned into that, you know, to just, you know, pulling down things that's, you know, a poison repository on Git. So yeah, it's just, you got to really get that, you know, security by design, so to speak, you know, really into that product development and making sure that they understand, you know, the threats that are out there.

 

Dave Bittner: What about SBOMs (software bills of material)? I mean, how does that play into the transparency of, you know, basically having a -- like you have a list of ingredients on the box of Pop-Tarts that you buy, that software has to have that bill of materials as well?

 

Keith Mularski: When you're developing that software, you've got to, you know, have segmentation, you've got to verify updates using SBOM, you've got to be verifying signatures. And, you know, what you can -- if you can kind of reduce any kind of like a blast radius of, you know, if something's bad here, it's not going to destroy everything, you know, as well. That's my thoughts [laughter]. I'm not a software designer, so I'm not the best on that, so.

 

Selena Larson: I do think SBOM is a very interesting -- it's very interesting in theory. I think in practice, it hasn't fully gotten adopted to the point where it's actually incorporated. Because first of all, like how many organizations even know what's in their network? Like I think that, you know, some of them do it very well, right? It's just there's a wide variety of maturity within the enterprise and to say, oh, yes, this, you know, the calorie count or the, you know, the Campbell's Soup label for my software or hardware will save me. Like, I don't think -- I think that, yeah, you can put a sticker on it and say that you should be mindful about this. But it just sort of adds an additional layer of, okay, this is yet another box I have to tick. So it's part -- like I think it's in part due to the integrators and the supply chain entities to be able to make sure that they're making it easy, effectively communicating when things need to be updated, providing patches and being very transparent with why and how they're incorporating upgrades. And then also making sure that, you know, the default installation of a lot of these things isn't just like admin privileges everywhere. So, you know, it's not just the software and the firmware itself, but it's also how is it being deployed within the enterprise? And there are some things, right, like where in industrial control systems, things like that, just this very, very old, old, old equipment just can't be updated. And so there it's like, okay, what measures can we take to have defense in depth? Are we air gapping? Are we, you know, ensuring that we have a DMZ and we're properly segmented? What steps can we take to, sort of like to Keith's point, if something does explode, we're limiting the impact and the blast radius as much as possible? 
But I think, you know, we mentioned like open source a couple of times, like these tools, they're maintained by a handful of people who are doing this out of the good of their hearts. And what we see a lot of times with some of these supply chain compromises is that it's because there is something that is happening in open-source software that was found by a volunteer or just some guy who was like, I'm just going to look at this code, and is like, wait a second, this is really weird. And so you have, you know, this like constant push and pull between like, okay, like these are where some of these like really important flaws are being used. We have millions of companies that are relying on this software in their environments. And it's being maintained by a guy in Nebraska [laughter].

 

Keith Mularski: The good thing is that we have those white hats that are doing that. And, you know, that there are these people that are, you know, policing, you know, the internet and providing their knowledge. But the bad thing about that is that it's just like, it's these couple people that are doing that. And then there's not like this organization or something that's a little bit more organized, you know, around that policing. [ Music ]

 

Dave Bittner: Well, so here's what I wonder. When we talk about things like the SBOMs (the software bill of material), and that being a requirement of the federal government, right? Like if you want to do business with us, we're going to require that you fill out these forms and tell us what's in your stuff. And it kind of leads me to the old chestnut about, you know, the $75 hammer that the Army buys, you know? And I mean, that's funny, but if you dig down and you see, you know, why does the hammer cost $75, sometimes it's because it has to meet a whole lot of very specific requirements. And so what I wonder is, could there be a similar thing with software where the federal government, for example, says we're not going to accept anything that's using an open-source component that's maintained by one guy in North Dakota? Like, you got to prove it. And so in order to prove it, that it's secure, it's going to cost a lot more, and maybe the feds can afford it. But to what degree does a regulatory environment save us from these sorts of vulnerabilities? And at what point are we over-regulating past the point of being imbalanced with the risk we're willing to take on?

 

Keith Mularski: Well, I mean, I think from a government standpoint, I could see them, you know, making sure that things are verified, you know, and all of that. In just the commercial realm, that is just, you know, such overreach that that would, you know, stifle development, you know, in certain things, I think. Because speed is really the essence on a lot of developments. So to have somebody review everything and verify everything, as another entity like that, I just think -- you know, you're saying, okay, well, company A right now can't release this until this is reviewed by this other. So I just don't see the practicality of that in the commercial, you know, realm. Selena, your thoughts?

 

Selena Larson: Well, I think that there is so much of our world that is supported by open-source software, and that the maintainers are not given the pay recognition or support that they deserve. And I think that basically saying, well, you know, we can't -- you can't work with us if you're using these like open-source packages or whatever is just never going to happen.

 

Keith Mularski: Agreed.

 

Selena Larson: Because, you know, every company is using it. Do you guys remember Log4J? This was like years ago.

 

Keith Mularski: Oh, yeah. That was another, I think that was another holiday supply chain type compromise.

 

Selena Larson: Yeah. It was like, it's been 84 years. And everyone was so mad. And there was this guy, like this guy was interviewed and he's like, I have been awake for 35 hours. I have been trying to fix this. I am but one man. You know, there were a few people that were working on it. But like Log4j, everyone was using it. And then people were like, hold on a second. Is this software just like really just maintained by this handful of people and this like one person who's not his full-time job is in charge of fixing this massive issue? And so I think that, you know, if we're talking about issues with the supply chain, I also think you have to talk about ethical business practices and support of open-source software in the community that's building and supporting all of these things. Because it can be very, very, very thankless. And especially when some of these supply chain compromises are based on these open-source tools, there can be tremendous backlash to these people that are really just doing this because they believe in open-source software. And, you know, I do think there should be more responsibility on companies that are using it to actually pay and support a lot of these efforts. So it's an interesting sort of problem. But of course it's a lot different when it's like a private company that's a third party that, you know, has some sort of cyber-attack impacting them, and then their customers are getting impacted in the follow up by that. Because then you do have like additional resources to be able to support and maintain that. So it's a little bit different. But yeah, I think that, oh my gosh, open-source supply chain is a really interesting topic [laughter].

 

Keith Mularski: Yeah, I mean, that's probably a whole other podcast. I mean, because, you know, when you're just thinking about, you know, there are so many open-source components out there that could be exploited to really deliver a large-scale attack, you know, from penetrating into there. So it can really get deeply embedded into the software environment as well. [ Music ]

 

Dave Bittner: Well, let me come at it from a different direction. Because, you know, you say that'll never happen, like we will never get rid of open-source software because of costs and all that sort of thing. Can we imagine a big enough breach, a big enough disruption to our way of lives, that would trigger that sort of change?

 

Keith Mularski: I don't know. I think it's just going to be, you got to just start verifying certain things before we release things. The company itself that's going to be affected by it is going to be a little bit gun shy and then is going to be a little bit more diligent at reviewing, you know, the software before it's going out and tested, you know, in the dev environment. But I just don't see that happening unless you're really affected.

 

Selena Larson: I think that if that does happen, I will be so curious to see what actually is the straw that breaks the camel's back. Because I would have thought it would have happened by now, frankly. Even if we're not even just supply chain, but if we're thinking about, you know, from the ransomware perspective -- I oftentimes think of the Ohio River fire that really pushed forward the environmental protection. And so there was this big event that caused a lot of people to care about this. They introduced legislation and the EPA. And there was like a lot of environmental support built off of a very serious, horrible thing that happened. And I often think like, okay, we've had ransomware attacks hitting hospitals. We've had ransomware attacks disrupting pipelines. We've had, you know, supply chain compromises that have really crippled a lot of entities. We've had not even cyber-attacks, but outages of main core components of the internet that take down a lot of businesses. And there hasn't necessarily been this moment that's like, okay, we have to solve this problem in the same way that something like the Ohio River fire or seatbelts in cars have had. And so I think that -- and I don't know if it's because people think of like, oh, cyber is just like different. It's not, you know, it's not safety, it's not healthcare, it's, you know, it's not something else. But I've had multiple times in my career where I'm like, okay, this is the moment that's going to change things [laughter].

 

Dave Bittner: You know, like if airplanes started falling out of the sky, or the lights went off for more than, you know, a flicker, I could see that getting people's attention. I mean, we saw it when, with the gas pumps being turned off. You know, like that was -- I thought that would get more attention than it did, but people move on.

 

Keith Mularski: And I think, though, that for the most part, cyber criminals and even APT actors, they're trying to avoid those type of things. Cyber criminals, at the end of the day, they want their money. You know, when we had, you know, those cybercriminals that hit the Colonial Pipeline, they were like, oops, sorry about that, we didn't mean to wake, you know, the sleeping giant, you know, we'll just kind of back out of this here. You know, from an APT group, you know, they don't want to cause any kind of damage. Because, you know, they would think that maybe the US would do a retaliatory attack, you know. So if the Russians or Chinese are in our power grid, you kind of hope that, you know, our US components are in their power grid too. So there's a little bit of that, you know, back and forth that, hey, we don't want to escalate things. So for the most part, when we're looking at these supply chain attacks, it is financial or for an espionage standpoint, and it doesn't harm anybody from a physical standpoint, like, you know, the fires or, you know, the Pintos blowing up or, you know, things like that. So it is a little bit different. So I don't think that there will necessarily be some, you know, big event that would spur, like, a total lockdown on things. My opinion.

 

Dave Bittner: I think there might be. I don't know what it is, but I hope not.

 

Keith Mularski: I hope not too, yeah.

 

Dave Bittner: But I think it could -- we just don't know, you know? I guess what I worry is that society is a little more fragile than we like to think it is, the breakdown could come more quickly, and everything's fine right up until the moment that it isn't. Again, I hope I'm wrong. I hope I'm overthinking it. But, you know, you turn off, just turn off the electricity for an extended period of time, especially in the wintertime. That is a major stressor. So we'll see.

 

Selena Larson: I mean, I hope you are not manifesting a 2026 prediction, Dave.

 

Keith Mularski: Yes, exactly.

 

Dave Bittner: No, no, no.

 

Keith Mularski: We're in January and we're now talking about, you know, the heat, for sure. Yeah [laughter].

 

Dave Bittner: Huh-uh.

 

Keith Mularski: From these events, hopefully our defenders learn, you know, from these, and we evolve, and we become safer. You know, we've talked a lot about the negative aspects of all this stuff. A bit with, you know, each thing that we discover on this, we also learn and hope to make ourselves stronger and be a little bit more of a hardened target or deterrent to some of these threat actors, where then they have to then pivot their, you know, TTPs as well for their next thing. So we do learn and we do get a little bit more resilience. You know, we could always be better. But we do, you know, are able to strengthen ourselves based off of this stuff.

 

Selena Larson: Uh-huh, yeah. And I think, you know, if thinking about the supply chain -- and I am hopeful that because of what we have learned from supply chain compromises, from cloud compromises, that we are thinking about risk and resilience when we're incorporating third-party applications, especially when it comes to AI-enabled things. You guys know how I feel about that. But I do, you know, hope that -- that is the most critical component, is no matter what you're integrating into your environment, you need to know what it is, how it's supported, and who has access to it, and what access you're granting, whatever the application software firmware is too. So, you know, I'm hopeful that we can, you know, like to Keith's point, we can learn from these. And I am curious to see if there is ever anything that comes down from on high that forces a little bit more resilience than currently happens.

 

Keith Mularski: Well, I know the vendor questionnaire profiles out right now are -- they are learning from things because they -- you know, being a vendor, obviously working for QIntel, we have to fill those things out, and they are burdensome. I really do hate those vendor profiles [laughter]. But you can see that, you know, just from the questions that are being asked right now, they have learned from that, they're probing about, you know, what does the software have access to? They're trying to limit their blast radius. And, you know, what does the vendor have access to, you know, in the environment? So I do think we are progressing from that. And, you know, and if you're not using, as much as I hate them, if you're not using a vendor profile third-party questionnaire, you absolutely need to be doing that in your environment to understand what your vendors have access to. [ Music ]

 

Selena Larson: We will be right back after this quick break. [ Music ]

 

Dave Bittner: Are we all in agreement that AI is not going to save us in this particular case?

 

Selena Larson: Absolutely not.

 

Dave Bittner: Selena, I think you've expressed your opinion [laughter].

 

Selena Larson: No.

 

Dave Bittner: So we can't just throw AI at all the open-source software and say, hey, check and make sure this is secure; that's not going to do it?

 

Selena Larson: I've actually seen people already complain about this exact problem, where there's like AI vuln discovery, looking at open-source things, and then just dumping, here's all the things I found, no additional context [laughter]. So yeah, I don't think that it's going to be -- there's always, always, always, always going to need to be a human in the loop, no matter what. So no, I do not think AI will be our savior. Although I am kind of curious if there are opportunities for AI to like potentially alert on these things so humans can deal with them.

 

Keith Mularski: I think we have to use AI really as an extension to what we're already doing. You know what I mean? To use it as a tool, not it to be a crutch to do our work for us, but to say, hey, I'm already doing this, how could AI kind of empower me and do things quicker for me, you know, or scale faster, not necessarily just to do everything, I think. You know, we were just talking about AI today, and we were talking about, well, right now, you know, our software engineers or even us for what we're using AI for, we already know how to do the job, and we use AI to kind of help us. But in five years from now -- you know, so AI is learning from us that actually know how to do it. But in five years from now, is AI learning from AI when they're doing, you know? So these are going to be questions going forward, for sure. We may need to do a whole episode on AI here soon.

 

Selena Larson: No, no. This makes me so sad [laughter]. I like human beings.

 

Dave Bittner: All right. Well, happy New Year.

 

Keith Mularski: Indeed.

 

Dave Bittner: All right, shall we wrap it up there? I think we've covered a lot here today.

 

Keith Mularski: Absolutely. But Happy New Year, everyone. It's great to see you again this side of the new year.

 

Selena Larson: Absolutely. We have a lot more fun things coming and planned, so stay tuned. Yeah, and Dave, Keith, great to see you guys.

 

Dave Bittner: Great to see you too.

 

Keith Mularski: Absolutely.

 

Dave Bittner: Happy New Year and looking forward to everything good that's to come this year. We'll see you guys soon.

 

Selena Larson: And that's Only Malware in the Building, brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead in the ever-evolving world of cybersecurity. If you like the show, please share a rating and review in your favorite podcast app. This episode was produced by Liz Stokes, mixing and sound design by Tre Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpi is our publisher. [ Music ]