Threat Vector 2.22.24
Ep 16 | 2.22.24

Deep dive into the 2024 Incident Response Report with Unit 42's Michael "Siko" Sikorski


David Moulton: Do you have a favorite cybersecurity joke that you're willing to tell?

Michael Sikorski: No. I don't. I don't have a lot of cybersecurity jokes. I've got to work on that.

David Moulton: You want to hear one?

Michael Sikorski: Yeah, sure.

David Moulton: My son's a drummer, and I was inspired the other day to change my banking password to the hi-hat. But the bank rejected it and said no symbols.

Michael Sikorski: Ah. That's pretty bad.

David Moulton: Welcome to Threat Vector, where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. This week, I want to share a conversation I've had with Michael "Siko" Sikorski. Siko is Unit 42's CTO and VP of Engineering and Threat Intelligence. He's an industry expert in reverse engineering and wrote the bestseller, Practical Malware Analysis, and teaches cybersecurity at Columbia University. Siko was the first guest we had on Threat Vector, and it's great to have him back. In this conversation, we dove into the new 2024 incident response report from Unit 42 and talked about emerging cyberthreats and novel tactics that the team has uncovered as we work matters with clients around the world. Siko highlights the importance of managing vulnerabilities and shared his thoughts on best practices to mitigate these risks. We also discussed how leveraging AI, automated responses, and threat intelligence can bolster cybersecurity. You can read the report or download a copy from our website. Here's our conversation.

Michael Sikorski: Yeah. I think it's really becoming challenging for organizations that they need to make sense of this really quickly, right? If they're going to -- if they're going to get data off your network and exfiltrate in a day, that's really fast. I remember when I started doing incident response a long time ago, I'd go in. And the threat actor had been there for a year, and they still hadn't exfiltrated or even figured out where the thing is that they wanted to exfiltrate. So the time, the time before the threat actor got access to the things they wanted could just take a really long time. But now what's happened is people are really starting to centralize their data like never before, right. Cloud came out. People started unifying in one place. They don't have networks that are kind of messy from the perspective of the data is all over the place. It's more easily accessed across the network to the customers and more scalable. But in doing so that kind of centralized everything and made it a lot easier for attackers to, once they get access to one thing, they're able to get out with everything they need. And in a ransomware case we worked this past year, in less than 14 hours, the attackers gained access to the org, exfiltrated terabytes of data, and then deployed ransomware to 10,000 endpoints, all in 14 hours. I mean, the amount of time you have when you're talking about that, this is a large customer. You've got to realize what's happening very quickly and realize when you need to pull a siren and start executing and defending yourself. And I think the fact that there's just so many alerts and people are so buried by the amount of data they're getting from security, it's really important to start including things like AI and automation and orchestration to make sure that you're able to sift through the noise, figure out what's important so you can respond super quickly to lock things down. 
I also think it's really important to figure out what are your crown jewels? What are the things the attacker is going to go after, right? Like, when I look at ransomware extortion cases that we've worked, a large amount of them, it's all about that data that they're after, right? Because if they can get your data, steal it, you're going to -- and if they encrypt it, you're going to want it back. If you don't have proper backups, let's say you do a proper backups, well, they're going to then threaten you because they took it off the network; and they're going to say, we're going to release this data, and you're not going to want that to happen because your customers, your patients, your employees are going to get their information leaked. And that's going to be a problem for your business. So what are you willing to pay for that? So what you need to do is really hyper focus around protecting the things that matter most, right, because you -- at the end of the day, everybody gets hacked. Your day, if you haven't come yet, it will come. It's a matter of when that day is going to come. And you need to be prepared, which means you also need to set up a defense on your crown jewels, the things that matter most, which is typically your data. And so how are you protecting that? How are you monitoring it at a level that is above and beyond anything else you're doing anywhere else? Because that is going to enable you to know when something has gone awry.

David Moulton: Siko, you mentioned AI and automation. And I'm wondering, are you noticing in our clients a difference between the haves and the have nots when it comes to AI and automation, maybe those that are leveraging AI and automation having smaller impacts or much faster response times?

Michael Sikorski: Absolutely. I think the organizations that are -- that have more -- are more mature and have adopted this more quickly, right, instead of just dumping piles of alerts to a single place and having individuals sift through them to a point that they'll never make it through, is definitely run into that time and time again where we're doing incident response case, we come in, and a lot of the information that would have alerted them that there was a problem is there. So it's not necessarily like, hey, they don't have the information they need to know that something bad was happening. A lot of times that information is there. We're able to see it once we go in and really sift through it at a much lower level like you would do as an incident response team, which means that they didn't have time for it, they dismissed it thinking it wasn't that important, or they didn't stitch things together. So that's another thing we really focus on with our technology is, like, how do you stitch things together? Like, what you see on the network versus what you see on the host? Are those one and the same? You stitch them together into an incident; it's a lot easier for you to review, figure out what's really going on and make sense of it versus, if you just see those things by themselves, you're just clicking through. Like, is this important or not? You know, it's harder to make sense of. So absolutely. We're seeing a big difference in sort of the haves and have nots when it comes to cybersecurity in general.

David Moulton: Let's talk about investigations where Unit 42 was involved and we saw payment was made. In cases investigated by Unit 42 where payment was made, 82% involved data theft; and harassment was involved in 27% of the matters. With these realities, how should organizations cope with the evolution of data threats and harassment?

Michael Sikorski: Yeah. And that's actually up from the year before. So last year, we put out a report that where that trend started. And now it's just gotten really heavy, right. Like you mentioned, 82% of the times where we see ransomware extortion happening in data theft is included. In the early days of ransomware, they came in, encrypted everything, and then asked you to pay for the key to get your data back. Now, 82% of those times they're stealing your data first before they do the encryption. And sometimes we're not even seeing them even bother with the encryption at all. They just steal the data and then start threatening you with what they're going to do with that data. And if your whole business is data, which is very common, especially when we look at, like, the top industries hit, one of the top industries is high technology, which means, you know, data is a huge part of that, right. And so they're going after these entities where data is very critically important. And they're stealing it. And the real reason they're doing that is because people have gotten better at having backups than ever before because they realize that, hey, I need to actually be backed up. They need to be backed up so that they can recover from a ransomware attack, of course, but it's also because they're not going to get insurance. They're not going to get a good policy written to them if they're not proving that they can recover from an attack of a ransomware attack. So this forced the threat actors to pivot and start saying, well, how can I still get paid? Well, I can still get paid, even if they don't pay me on encryption, if I steal the data. And then what happened is, that even became a thing where people weren't paying on. And that's where they've sort of gone this what I describe as the dark place where they started harassing people. And it's gotten pretty nasty out there where, you know, harassment is up. 
It's up to 27% of the time of cases [inaudible 00:08:54] processes like almost every single week we're seeing some sort of harassment. This could be anything from the CEO is getting harassed directly. We've seen spouses of C-level executives get text messages from threat actors, flowers sent to their house, I mean, that level of harassment. We've seen employees get harassed. We've seen customers get harassed where they're pretending to be the company. And we've seen people say, hey. If I'd known this harassment was going to be at this level, I would have paid a long time ago. We even had a healthcare organization get a hit and ransom. And they then -- the threat actor actually reached out to the patients and said, you can pay us $3 to see what data we have and then $50 to get it removed or this all gets leaked, while at the same time they were asking the healthcare entity to pay millions. So they're really stooping to a low level where they're willing to go after schools, hospitals, and others like never before. And then that level of harassment, like I said, year over year has gone up. And we don't sense that's going to stop anytime soon.

David Moulton: Do you have any recommendations for how to deal with a harassment best practices to put in place, ways to add this to your playbook?

Michael Sikorski: I think it's really being prepared, right, like taking the time to think about what is -- what happens to this data if it is stolen and somebody has it in their hands? What is our playbook to deal with that? Like, what is the value of it to us? What happens if they leak it? What could they do with our customer data? What can they do with our patient data? What can they do with our employee data? Thinking about all those different scenarios and being ready to -- what to do there. And I think another, is it making sure you have a good partner who knows the threat actors really well to the point of, like, I mean, I'll talk about us. It makes sense because we actually have ransomware negotiators on staff in Unit 42 who understand what the threat actors are willing to do. And if they're going to keep their promises, right, if they're actually going to follow through and do what they said they're going to do. And because we are involved with them a lot of the time, they know that they might see us again in another negotiation. And we know what to expect from them, right? We know if they're just going to leak your data anyway, in which case that advice, knowing that the threat actor is going to leak it anyway, means that you can prepare when that day inevitably comes. Obviously, it's about stalling them at that point if you know they're going to do it anyway and then how to make sense of it. And one of the things we're actually able to analyze with this incident response report we're putting out is how often do they keep their promises. So in 68% of the time, they kept their promise, which when I saw that stat I actually thought to myself, I thought that was pretty low because, when we looked at it, 21% of the time, they did not keep their promises. And meaning that, even though they said they weren't going to leak the data, they still did after the ransom was paid. 
And these threat actors, specifically the ransomware gangs, they have a reputation to uphold on multiple fronts to stay in business. We saw 25 new ransomware groups emerge in 2023. And really, for them, it's really about -- about their reputation. Like so -- and when I see multiple angles of the reputation, one is do they pay out for access? So somebody might hack someone, use a vulnerability to get in. They then take that and they sell access to the ransomware gang, who then, you know, gets the cryptocurrency payment and actually executes the ransomware, everything else. But then you've got to pay that person for the access. How often and how properly do they pay? That's part of the reputation. The other angle of the reputation is, when someone does pay them, how often is it over, right? How often is it, I pay that ransomware gang, and they stop right there. They don't leak. They don't do anything else with it. And those two reputation scores really do dictate which of the ransomware gangs become the most popular because, as soon as you stray from that, it's like, why would you do business with them again, right? Like, if somebody starts not keeping a promise, we immediately advise our customers to not pay them because what's the point if they're not going to honor the terms, right?

David Moulton: Absolutely. If you know somebody's not going to honor their word, especially in a high-stakes ransomware negotiation, why would you continue to work with them? So let me shift a little bit. Siko, Unit 42 found that the use of wipers and data destroyers were up 5x year over year. How does this feed into the evolution of the attacker methods that you've been talking about?

Michael Sikorski: Yeah. I think a lot of the wiper activity we've seen, so many say it's up, up across the board. So a lot of that is seen through the threat actors that are more nation state focused. So -- and, obviously, we're dealing with a lot of wars and geopolitical situations around the world to a point that, you know, we have virtual war rooms set up for at least three to four of them right now that are just highly active. And we're seeing nation states really be willing to deploy them in order to cause damage and impact others' ability to do business. A lot of this is against, you know, critical infrastructure or things they perceive as the equivalent of critical infrastructure and really focusing there. We've also seen these types of technologies deployed when people just want to remove evidence of what they did, right? So if they did something to get onto a network, got the data off the systems and they're not actually going to deploy ransomware, they might just run some wipers to kind of cover their tracks. And if they already made out with the data, they could still use that against the organization but then obscure the things that they did do on the network.

David Moulton: According to Unit 42 research, software vulnerabilities are now the top initial access vector, scooting ahead of compromised credentials and phishing attacks, which is really a game changer. I'd like to hear your thoughts on what's driving the shift and how companies can stay one step ahead.

Michael Sikorski: Yeah. I think in 2023, when we look back, it really was that year of this steady cadence of just massive vulnerabilities that are exploited at an unprecedented scale. I think there's a few factors leading to that. I think they're -- these vulnerabilities, the threat actors are able to latch onto them and will leverage them very quickly. We saw the CL0P ransomware gang jump onto the MOVEit vulnerability and expose thousands worldwide and implement ransomware against a ton of them, becoming one of the most prolific gangs of 2023, just off that alone. We saw a lot of, you know, external-facing products that, you know, that had zero days, and organizations did not patch. We saw the Citrix vulnerability that was huge. We saw the Cisco vulnerability. Confluence was another big one. We're talking tens of thousands of devices exposed. And then, most recently, we saw Ivanti talk about four zero days in a row here with upwards of 30,000 exposed devices, to the point that the US government is saying, forget about that. Just unplug it because we don't even know what's going to come next there. So just unplug the technology and not even use it because we don't know what more attacks could come against that. And the ability for attackers to take these vulnerabilities and scan the entire internet for them and really have a good understanding of what someone is vulnerable to very quickly so that they can execute their attack is leading towards that. So this steady cadence of just massive attacks of externally facing technologies is a big reason why. And some of these technologies are legacy. So these aren't necessarily things that are new. The Cisco case was something that should have been patched a very long time ago or not even really exposed to the internet at all. 
So it's just a general inability for companies to patch these, prioritize the patches but also pay attention to their actual hygiene of what are the things they have attached where people can get access and exploit. And that's what's really important, to continually perform an analysis of the attack surface that you have out there, right. What is your actual footprint? What things are exposed? Are people spinning things up in the cloud that you didn't even know and exposing that to the outside world that makes you vulnerable? Is there some old router that, you know, is still -- is attached to the web that -- with an admin interface that shouldn't be attached? These types of things are really what organizations have to be hyper-focused on. Like, a lot of times, they're like, oh, we've got to move to the cloud. And then they forget about all this stuff they have plugged in that needs to also be looked over. So the prioritization of the vulnerabilities, patching them and then constantly paying attention to what is actually exposed, especially as more and more vulnerabilities get released, means that you need to very quickly get in there and patch them. But that's the other thing is making sure you know what the attackers are going after. So as soon as the attackers are -- jump onto a certain vulnerability, you need to know about that and make that your highest priority because that's the biggest risk, right? Zero days are out there, no matter what you do. But knowing that the attacker is leveraging them and that's why you need to prioritize it, or even take it offline until you fix it, like, those are critical things that -- that you need to focus on. And back to the point of vulnerabilities actually displacing phishing for the first time in years, I think that's going to be short-lived. I really do. I think my prediction is that this is going to be a one-year thing. And that's despite the Ivanti zero-day happening already. 
I think the reason is, is because of generative AI and the ability of attackers or their phishing techniques, they're going to get so much better because they're not going to be broken English and things like that slowing them down. And, instead, there -- it's going to come up and be the number one again next year.

David Moulton: So, Siko, talk to me about the best practices that you recommend to mitigate risk from software vulnerabilities. And then if you've got a couple of ideas on what organizations should immediately do if they find that their software has been compromised.

Michael Sikorski: Yeah. I think you just need to make sure things are patched. I think that's been a forever problem in our industry is like how do you actually prioritize the patches? What is actually exposed? And I think that's where you do attack surface reduction, right? You figure out what is your attack surface? What are the places that they might come after you on, and make sure that you have an ability to actually, you know, figure out which ones are the ones you need to remediate as fast as possible, based on what's being exposed. Also, you can limit your exposure. Why do you have an admin interface to your routers exposed to the internet? Like, you're just waiting for some zero-day to drop or something bad to happen, right? Like, those should be taken down. So realizing that those are up and out there is a big part of this, right? I think about it is, like, it's all about executing a plan, right? When we talked about, you know, the speed at which they're able to exfiltrate data is like are you ever going to eliminate all of the zero days and all of your supply chain of everything you own? Probably not. But you could be prepared to figure out what to do, what happens after the fact, right. And I think that's where defense in depth comes into play, right, thinking about the different -- different protections you have across the board so that, as the attacker is moving laterally, as they're logging into systems that they shouldn't, how are you catching them along the way, in case they do actually use a zero-day to get in and you didn't have a chance to prioritize it, right? And that's where things like zero trust also come in. It's a way to limit the damage, that if they don't have the proper permissions to get access to something, they're going to then have to escalate and be able to figure out a way around. That's another angle in which you could catch them, right. 
And that goes back to the point of AI and automation and orchestration, where you're taking all this stuff that's coming in so that you can make sense of it quickly. And I think the other -- the last thing is, what is your plan, your incident response plan? So we talk about the Ivanti zero days that were -- that came out is you probably know if you got hit or not. But what is your playbook after that? What are the different things, records you're going to pull? What are the different logs you're going to pull? What are the different things you're going to analyze? Who are you going to talk to about it to get their perspective on what are they seeing in attacks that are also going on? We've worked numerous cases for the Ivanti zero-day. Talk -- talk to people like us who can give you advice of like, Hey. We've seen this ten other times. We've worked all these cases, this is what we're seeing in those cases. These are other things you need to look for. And I think that's where threat intelligence really comes into play is, if you're learning from all these different incidents that you're seeing, you can really make sense of like, well, what does the attacker have to do after they exploited the zero-day, right, because just knowing that zero-day, like, you might have already been hit with it by the time you figured out that it's out there. So you need a plan to at least be able to dig in and leverage your relationships and partnerships to make sense of what actually is going on there. So I also think that, you know, thinking about how to protect your data to the best of your ability is critically important, right? So things that are your crown jewels, be monitoring them, over -- overly watching them to the point that you're going to really understand when something's not right or abnormal actually happening. So those are just some ideas that come to mind when it comes to what I recommend people thinking about when it comes to these vulnerabilities.

David Moulton: Siko, the report covers various ways that threat actors are becoming more sophisticated. And we touched on that a little earlier as one of the major themes. And this includes the evolution of Living Off the Land where attackers are not just using the tools in the environment but building their own land via cloud instances and VMs. What do you think of these tactics? And how can organizations best defend against them?

Michael Sikorski: Yeah, I think when we start to think about Living Off the Land attacks, you know, going back a few years now was the threat actor would show up. A real popular one last year was Volt Typhoon, where they show up and they live off the land, meaning they used tools that are native on the system. So things like, you know, PowerShell's installed in Microsoft Windows. They leveraged PowerShell to execute an attack rather than drop malware on a system, which they might traditionally do, because PowerShell might be allowed to run on the system, but a piece of malware is not allowed to run. And so they would leverage different tools that are already on the system natively to execute their attack. And the other angle which you mentioned is sort of like setting up their own infrastructure inside someone's environment, right. With now the fact that the cloud has gotten so popular, attackers are getting credentials to the cloud. And that enables them to spin up their own -- their own infrastructure, their own VMs inside customer networks. And, essentially, setting up the computer there that's running is actually inside being paid for by the person getting attacked. So the attacker is coming in. And they're saying, Well, I'm just going to set up my own computer in your infrastructure and watch all my attacks from there. And guess what? You're paying for the cloud bill on that. So you're essentially paying a cloud bill for the attacker to attack you, which is kind of crazy to think about. 
And that's where it's really important to figure out, you know, what is happening in your cloud environments, right? Doing that discovery, doing the posture management things that you need to do to be able to catch when something unauthorized is happening very quickly and shutting it down and making sure it's gone because, you know, people spinning up things inside your environment is -- yeah, but there's a cost to it, right, because they can also spin up, start mining for cryptocurrency and everything else from that standpoint. And also these things that they're spinning up in your environment, they might get access to systems across the network that they wouldn't otherwise have. And most people's machines on your network, like your employee machines, are managed, right? They have maybe EDR products or antivirus and other things on it that are naturally logging back and reporting that things are all good. But when they spin up these types of things in the environment that don't have any of that technology installed, it can make it easier for them to fly under the radar.

David Moulton: It sounds like you're saying that the call is coming from inside the house. What's your advice to listeners to deal with this level of sophistication?

Michael Sikorski: I think it's all about, you know, realizing what is actually happening in your cloud environments, right. I think people are not doing that properly. They are not really paying attention to the cloud and implementing the level of protection in the cloud that they need to be. The amount of cloud incident responses that we're responding to continue to go up year over year. I think last year it was, you know, 6% of IRs we went to. Now it's already 16% of IRs. And that trend is just going to keep going up and up as more environments and more IRs involve the cloud directly. And I think, when people are moving there, they're not really thinking through it. They're hiring -- you know, people don't often have a lot of experience with it. They don't have a ton of people who know the security they should be implementing there. There's a lot of hard-coded credentials that are being leveraged to get into things that the attacker that could then go after. And then people are just not paying attention to the things that are the shadow IT that's getting spun up in the cloud. Yeah. It's getting the job done for the employees who are spinning it up, and they're not necessarily trying to cause damage by doing it. But sometimes that leaves things vulnerable because they're not patching them. They're not monitoring those things. They're getting spun up, and then it provides an access for an attacker that wouldn't otherwise be there. And the same thing goes for are you monitoring what's going on in your cloud in case an attacker gets in there and start spinning up things left and right.

David Moulton: Through all the changes in tactics, Unit 42 saw more than twice as many investigations involving business disruption, 35% of the cases in 2023. And that's up from 16% in 2022. Do you expect that trend is going to continue?

Michael Sikorski: Absolutely. I think that, when we're seeing these extortion cases and the ability that, hey, we're going to disrupt and take your data and then start harassing your customers, your patients, everything else, that's very problematic, right? And I think another thing we're seeing is they're extorting you, right? And we talked about data theft extortion. But another extortion technique that they could go after is, well, what happens if I take down your website? What happens if I take down your cloud environments because I stole the credential to all those things? And how many days, how many hours it's going to take you and what is that actually going to be -- how costly is that going to be to your business? And then also we're seeing, like, you know, a lot of these zero-day vulnerabilities we saw and even patched vulnerabilities that they are -- yeah, and the vulnerabilities that we've seen where people haven't implemented the patch, they're having to actually take systems offline. And a lot of these are network connectivity systems, right, VPN, software, routers, things like that, where they actually could take those offline to do an attack. And when you're taking that offline, that means people can't connect to the network; means they can't get their work done. And that's why we're seeing those go up is because a combination of these extortion techniques, a combination of the types of vulnerabilities that we're seeing out there be exploited.

David Moulton: I think you're absolutely right there, Siko. As an attacker, you want to have leverage, and it really doesn't matter if it's a threat to share data or to turn off work processes. It's leverage. And I think attackers as nasty as it is are willing to use it. So let's shift gears real quick and talk about AI, everyone's favorite topic. Given the significant role AI plays in cybersecurity, and this is something that's highlighted quite a bit in the 2024 incident response report, could you share your perspective on how AI is reshaping the landscape of cybersecurity, defense, and threat detection.

Michael Sikorski: Well, I think AI has been reshaping that landscape for a very long time. I think a lot of companies like ours have been investing in AI for quite some time. And I personally have been doing research for the detection and classification of malware using AI for well over a decade. And I think it's really focused on -- you know, it's really coming to be in popularity because of things like ChatGPT. And I think that'll enable people to learn things more quickly. I mentioned attackers will leverage it to make their phishing attacks better. But I think the AI reshaping cybersecurity defense is a journey we've been on. And the question is, is how quickly you get there because we really need to move faster. Because as fast as we're going to implement AI in our defense, the attackers are going to be using AI for their attacks. And so we have to stay ahead of the curve. And I do think there's -- there's some promise there. There's some light at the end of the tunnel from the perspective of, if we can use AI to find these vulnerabilities in our software as our developers are writing them, which we're starting to do, we can then patch them and not have them even exist, right? And if they don't exist, then the AI on the other end isn't going to find them. Right? So I think there's really a lot of, like, thought of, like, could AI actually cause more benefit to offense than it can -- or, sorry, to defense than it can to offense, in which case that could be really beneficial because there is a -- at the end of the day, there is time for us to fix all the problems before it goes out. And so it's about how fast can we leverage that -- that technology to make sense of things. And then I think we invested a lot as a security industry, as CISOs of trying to implement these things. And we wanted all this cool technology out there. But the problem with all the cool technologies, it just fires a tremendous amount of alerts that is really problematic for us to make sense of as humans, and that's where AI really needs to come in and then clean things up because, you know, we can't possibly have a human respond to the billion alerts that are coming in a day, right. We need that summarized and turned into just a few things they action and dig into and actually try and figure out if there's something more to it.

David Moulton: Siko, give me some insights on why the Unit 42 team spends the time and effort to produce these types of threat reports.

Michael Sikorski: It's really important to take a look at the trends of what you're seeing across periods of time so you know how the threat actor's adapting. And one of the big things we do in Unit 42 is we don't just go around doing incident response one after another. We actually take time to examine what happened in those incident responses. Sometimes that goes as far as staffing a threat analyst on an incident response so that they're sitting there side by side with the incident response team digging in, providing support of saying, Hey. We saw this threat actor, you know, three, six months ago, whatever it might be. This is what they did, so you should look for these things. And this is what they're known to do after that. And then also learning from the experience. So by learning from our experiences as we do incident response over a long period of time, we can really glean a lot of information about how the threat actors themselves are evolving. And then, when we come into the next incident response that hasn't even hit our phone yet to call us in, we -- it's almost like we know what to look for as soon as we come walking in the door. And when you take it a step back even further than, you know, the lower level attacker level, you can say, what does this look -- what do the trends look like across all incident response? And, by doing so, you could say, well, let's take a look and figure out how are people breaking into these networks, right? Because nowadays we can actually take our time to do an incident response. And, during that, we can say how did they get in? What was the initial infection vector that led to this intrusion? Because of the fact that we're getting called in so much faster than we ever were before, we can figure out how the attacker got in. And, by looking at that across all of the incident responses we've done, we could say, oh, this is where we really need to focus our security. We can use that information to find gaps in our own products, gaps in what the customer owns and how they have their things configured. And then we can best go into the new year knowing what types of things to recommend to customers based on what we've historically seen.

David Moulton: All right. Siko. This has been a fascinating conversation. What's the most important thing a listener should take away from today's conversation?

Michael Sikorski: I think the most important thing is that the fact that, if vulnerabilities have become the number one way that they're getting into a network, I think that's a very hard thing to combat. I think it's a best effort. I think it's focusing on your -- your attack surface that's out there. But, inevitably, a zero-day, by nature of it being a zero-day, there's only so much you can do. And that's why defense in depth and making sense of all those alerts, which is really your defense in depth, right, because you have all these point products that come together, if you can make sense of all that noise and turn it into the one alert that's the really important one for you then to pivot and realize that I need to take in all these other places and action it in the right way I think is of the utmost importance. And I think that comes together with AI, with threat intelligence, and with really making sure that you're protecting the things that matter most.

David Moulton: Siko, thanks for taking us through your thoughts on the new 2024 incident response report from Unit 42. We have a link to that report in our show notes, or you can visit the Unit 42 site. Before we end today, I want to share some of my own thoughts. Hosting the Threat Vector podcast means I always learn something new from our guest, and I hope you do too. For me, talking to experts is an incredible way to learn. And today I had three big takeaways from my conversation with Siko. My first takeaway happened when we were talking about vulnerabilities. In this report, we noted that software vulnerabilities were the number one access point for threat actors and then recommended having a well-planned, well-practiced incident response strategy. The second part, the IR strategy really isn't a surprise. But, for me, the big takeaway I had was that this recommendation is great advice for anyone that needs to respond to a security risk, podcast hosts included. As the person responsible for Threat Vector, I didn't have a playbook for how to get an episode out when the Ivanti vulnerabilities rapid response kicked off here at Unit 42 at the beginning of February. Thankfully, I'm surrounded by incredibly dedicated professionals here at Unit 42, and we were able to respond and put out a great episode. In fact, if you've not heard it and are concerned about the Ivanti vulnerabilities, you should go listen to it. There's a link in our show notes. Ingrid Parker and Sam Rubin did a fantastic job outlining the situation, the risks, and then gave thoughtful guidance on what you should do. And, as Sam pointed out, even if you're not impacted by these Ivanti vulnerabilities, use this moment as a reason to review your playbooks. Or, as he says:

Sam Rubin: Let's use this as an opportunity to make sure that we understand our attack surface. Let's make sure it's an opportunity to make sure we have the right prevention, detection, and response strategies and capabilities in place.

David Moulton: And, if you need help with that, contact Unit 42. The next thing I took away from the conversation was Siko's prediction that vulnerabilities being the number one access point for threat actors will be short-lived. At first, this really surprised me. But I think he's right. Threat actors will leverage any technology that gives them an edge. And AI will certainly help threat actors with phishing. As we update this report throughout the year, this will be something that we look out for. I suspect this is a case of when, not if. And my final takeaway was a reminder of just how relentless and adaptable and at times sophisticated threat actors can be. The part of our conversation where Siko explains how some threat actors are using the victim's own cloud environment for their activities really was adding insult to injury. It's frustrating to know that some victims are paying the bill to be attacked. I know my counterparts on our threat intelligence teams and other consulting groups are helping clients deal with these realities all the time. If you need help dealing with a sophisticated threat actor, or maybe you're like me and have recently been reminded that you should have an incident response playbook, you should talk to the professionals in Unit 42. I want to thank Siko again for taking us through this report and its findings here on Threat Vector. We'll be back in two weeks with Jacqueline Wodyka for a deep conversation on the SEC cyber rules. Until then, stay secure. Stay vigilant. Goodbye for now.