
Don't Leave Them to Their Own Devices
David Moulton: Welcome to Threat Vector, the Palo Alto Network's podcast where we discuss pressing cybersecurity threats and resilience, and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.
Asher Davila: One of the most important things is changing this mindset of, while visibility is the foundation, it's not enough on its own. The organization must achieve this kind of having a strategy based on context; understanding what are the critical processes they are working with in terms of IT; also, maybe not only focusing on criticality, but also, what is the path that those devices could have between different devices? [ Music ]
David Moulton: Today, I'm speaking with Asher Davila, Principal Security Researcher at Palo Alto Networks. Asher leads vulnerability and malware research on IoT, ICS/OT, and 5G technologies, with work spanning binary exploitation, firmware analysis, and AI-driven detection. Today we're going to talk about the newly released 2025 Device Security Enterprise Threat Report by Palo Alto Networks, and what it reveals about the state of managed and unmanaged device security, the risk of flat networks, and how defenders can take back control of their expanding attack surface. [ Music ] Asher, welcome to Threat Vector. I'm really excited to have you here. And when I look through the report, I think that this is going to be one of those conversations that is massively eye-opening, based on the research that you and your team have led.
Asher Davila: Hi, David. Thank you for having me. Your podcast is really amazing. I'm really excited to be here, and yeah, certainly, it's been very revealing, even for me, to know many of these stats.
David Moulton: So before we get into the report, I want to talk to you about what drew you into this specialization in/and around IoT and OT research.
Asher Davila: Yeah, that's interesting. I think it was not something I planned directly. I started doing some offensive security, like regular pen testing, offensive security, and red teaming operations. Then I transitioned into a team, a different company. They were trying to build an in-house incident response team. So they called me and said we're looking for someone that has some offensive background, and could I help them out to look into what are some of the things that they needed to implement and those things? And that was back in 2017 in Mexico. So yeah, I moved to that. I transitioned into that company, and we started building this incident response team. But then afterwards, I was not feeling like, I understand that people who do incident response are super important, but I was just not feeling that; that was not for me. And I was looking for some other type of challenges that I was more related with, more feeling attracted to, like malware analysis or vulnerability research. So I saw that the foundation of that was reverse engineering, so I started looking into that. And eventually, I saw an opportunity on LinkedIn. It was just a challenge in which you would basically need to reverse engineer, like, the firmware of a camera and a malware, a Mirai variant, which by that time for me was something I was not very familiar with. And the challenge was just to, like, reverse engineer it, try to answer some questions from a report, like what is it doing? What kind of firmware is this and so on. And at the end, you would submit that report, and it turns out that that challenge was meant to be for an interview, so it was like a challenge, so you would be interviewed. And that company was a startup called Zingbox that was later acquired by Palo Alto Networks, and that company was one of the first focusing on IoT security. That's how I got into IoT security.
David Moulton: So I've got to ask, when you're doing an interview, but you don't know you're doing an interview, are you dressed for an interview or are you, like, more casual, more comfortable getting into that reversing that you're working on?
Asher Davila: No. I was in my PJs because I was not sure what I was doing, right?
David Moulton: I love it. You know, I know that you've published and presented around the world from, you know, DEF CON and beyond. Could you talk to me about some of the presentations that you think have sparked some of the most discussions or reaction amongst your peers?
Asher Davila: Sure, I think it was this year's RSA conference. I delivered a talk on this lifecycle of end-of-life devices, especially IoT devices; that some of them are not properly decommissioned and some of the protocols that are outdated or deprecated and shouldn't be used anymore. So at the end, some CISOs asked questions like, okay, you talked a lot about end-of-life devices. What are the risks about having those in your organization, but I cannot remove them? What should I do, right? I cannot do anything you are proposing, like implementing those measures or just purchasing new devices. It's -- operational-wise, I cannot do that. What should I do then? Then the answer might be a little controversial, but for me, it's like you need to accept the risks sometimes. But the most important thing is that you know that you have that risk in your network, because the problem is when you don't know that you have that risk in your network, that becomes a blind spot. But as long as you know that it's there, you understand that there are some risks around that kind of device, and that you know that those devices should be constantly monitored for attacks or compromises or if it's been infected with a malware. You understand that you have those problems and those challenges in your organization. As long as you know that, then you sometimes don't have any other option than just accepting the risk.
David Moulton: Yeah, so Asher, if I play that back, you're basically saying, look, you can't take it out; you can't fix it, so you're kind of stuck between this rock and a vulnerable place. I just made that up, and if that's true, then put extra visibility on it; maybe understand some sort of resilience or fallback plan if something happens, when something happens and make sure that the organization generally knows that that risk exists, but operationally, you need to just keep moving with what you've got. And I think I've heard that before in manufacturing and certainly within health care where there are some times where you have something that you must keep running and you cannot take it down, but you cannot make it secure. So, you know, layer security around it. Is that generally -- did I get the idea today?
Asher Davila: Right, exactly. As you said, implementing complementary or some ways to complement your security, like firewalls, like monitoring systems, like a good policy, a good deployment of security or network capabilities. That's also really important to monitor those kind of devices.
David Moulton: Well, let's dig into that visibility. You called it, you know, "known risk versus unknown risk," and I'm curious, why do organizations still struggle so much to accurately inventory their managed and unmanaged devices? You know, here we are in 2025, and this is a conversation that keeps seeming to come up.
Asher Davila: I think that's a great question, and as you can see in the report, we found roughly 80 different types of devices on an average network, so just think about it. And if you just look at your surroundings, how many devices are currently connected in your network? Just your phone, your laptop, your tablet, your smartwatch, whatever, so you have so many devices connected to your network, and that's just your devices. So now multiply that by thousands or hundreds of employees in an organization; that starts creating a very complex ecosystem. So you have different types of devices with different challenges, with different operating systems, different versionings. So combine that with bring your own device, like everyone brings their own devices from their -- from, like, personal devices to their enterprise organization, like your personal laptops, mobile phones, wearables, et cetera. So that's why, oftentimes, administrators don't see -- don't consider the complexity of the ecosystem. And also, another important thing that we have observed is that some administrators do not have the best visibility strategy. So, for example, they're using old switches that do not support good SPAN ports to monitor all the traffic that they are -- that is flowing through their network. And also, they don't place firewalls or sensors in there, in the best place, to obtain the best quality of the data.
David Moulton: So help our listeners understand what are some of the devices that, you know, continuously fall through the cracks in this visibility side?
Asher Davila: Yeah, some of them are smartphones and tablets. Yeah, especially if they are personal smartphones and they are connected to the corporate network with no -- any kind of segmentation. These devices often lack corporate security. They don't have any, like, EDR. They don't have any protection. So also, in the IoT space, you're going to see a lot of IP cameras because IP cameras are everywhere. IP cameras and DVRs are in pretty much every business, but at the same time, they are exposed to the Internet without any kind of hardening solution or protection, especially because people want to access them remotely. They want to be monitoring their business from remote, but they don't apply the correct hardening solution or policies to access them correctly. Also, another important thing that, for me, was, like, some of the issues that I'd been observing and now this report confirms it, is virtual machines. So depending on what you are doing with virtual machines, but imagine you have a laptop and you're running a virtual machine on your laptop because you are an engineer that needs to run a different operating system or whatever reason you need to run a virtual machine. So what happens when, on your laptop, your company applies different security policies, like not allowing you to install a specific extension from a browser or using a very specific VPN service, and that is very protected in your host device? But in the VM that you're running, if the VM does not apply the same policy, that can pose issues in the network.
David Moulton: Yes, so you're basically saying that there's areas where we didn't upgrade switches, maybe there's a cost and you don't understand that that compounds risk, and then you run into the convenience side, right? Like, I just want to be able to look at my cameras remotely and don't necessarily go through the process of hardening or getting those deployed in a way that's secure. And over time, you start to forget about those things. It multiplies; people are bringing in a lot of different devices. In and around the bring-your-own-device type of mindset, I can imagine that for an administrator, this becomes just this expanding problem that doesn't necessarily have a very visible footprint, right? It's not something that you can just walk in and see, so I'm curious. We know that that's a big problem, and then, the report shows that nearly 40%, I think -- or the stat was like 39% of IT devices in Active Directory lack that EDR or XDR protection. Why is that so widespread when environments are assumed to be secure?
Asher Davila: Yeah, that's a great question. I think the top reasons I'm going to give you are the most common ones, but one of them is always compatibility. Many organizations run other workstations or specialized hardware that are not supported by modern EDRs or XDRs, so that makes them a blind spot that you cannot -- there's no way for you to install an endpoint security for many of them. Another reason is budget. You're limited. Those licenses, you need to purchase a certain amount of licenses, and you -- and that's also kind of like part of a thing that many administrators tend to allocate certain budgets for just protecting the most high-value assets, which is at some point correct. But sometimes, they are missing some important devices that also require endpoint security, and one of the reasons is budget. They cannot -- they don't want to purchase licenses for every single device. And also, sometimes -- and this happens a lot, especially in tech companies, that you purchase a server to do some testing and run some experiments or just deploy something and you put it into your organization. And then, that server is never used again, but the server is still connected, and it is not being monitored; it doesn't have any EDR protection. So all those kinds of devices make the count for that 39%, and that's -- yeah, I think those are the top reasons why they are not -- or those are the top reasons why we have this blind spot on EDRs. [ Music ]
David Moulton: So let's shift gears a little bit and talk about networks. I was drawn to that in the report. So when you've got these unmanaged devices that are connecting to really flat networks as managed endpoints, can you talk about the new attack paths that opens up?
Asher Davila: Sure. I think, similar to what I was mentioning before, it's that, sometimes, in an ideal world, you want to have different, like this, what is called sometimes, like, microsegmentation, right, different kinds of devices on just one segment of the network. But that's also not the case. Sometimes you want to share devices among -- in the same segment of the network, for example, a printer. Sometimes you have a medium-sized organization. You want to share the same printer across all the employees, so you put it in the same -- like, in the same segment of the network. So sometimes that's desired, but if you don't do it following the best practices to make sure that you have a good control on the access of who is accessing those devices, that creates a larger playground for attackers; because if one of those devices that pose risk into your organization -- some attacker gets into it -- and then, they can start doing lateral movements across different devices that are in the same segment. So maybe they compromise a device that is a low-value asset. But then from there, since it is in the same segment as a high-value asset, then they can try to do lateral movements, credential reusage, and all the typical lateral movement attacks.
David Moulton: I can see how that could get complex where you're looking for efficiencies or ease of deployment, but you could make some really critical mistakes where you have, like, a high access device that's allowing too many people in to that segment of the network. Do you have some thoughts? Is segmentation the most effective strategy in most cases, or is there something else?
Asher Davila: I'm going to say something that could sound controversial, but this is my personal opinion, and I think that segmentation doesn't mean that you have a secure network. Definitely it's important and it's a baseline, it's a foundation, but if you have a segmented network, it does not necessarily mean you have a secure network. But definitely, it helps, and it helps a lot to have a better control of the traffic flow between them and between all the devices. You can use more granular policies like who can access what, especially if there are very specialized hardware or specialized devices that not everyone in the organization should have access to. And also, having segmentation allows you to have improved monitoring so you can know if an attack happens. You can pay attention to where exactly in the network it's happening, why it is happening, and what it's affecting and what are the surroundings that are affected, also, by this incident? So definitely, it helps. It boosts your security posture, but having a segmented network is not everything to say, okay, this is a secure network.
David Moulton: So I've always wanted to have a segment on Threat Vector called underrated, overrated, and I think that having a segmented network is overrated will be your position. We'll have to find somebody to come on and debate with you, but I think your point is right. If you think that the silver bullet is just segmenting your network and you don't do it very well, all you've done is segment the network improperly, but not doing it is not the recommendation. I think what you're saying is do it and do it very well. Yeah, that's great advice. Let's talk about credential abuse like SSH, brute force. Does that still dominate attack telemetry?
Asher Davila: It does. It does, actually. It is one of the top attacks that we have observed. It's not only towards IoT, but also IT servers, and actually, recently during our DEF CON talk, we presented analysis of a malware family likely targeting Pumatronix cameras, which are a Brazilian manufacturer of, like, traffic cameras and video surveillance cameras. And this piece of malware that was programmed in Go language, it was targeting -- it was attacking using SSH brute force. So yeah, definitely it is still happening. It is one of the top type of attacks that we have observed during the past year.
David Moulton: So how does that intersect with managed or poorly monitored devices?
Asher Davila: If they are not managed, of course, in terms of endpoint security, cameras are almost impossible to be managed in terms of endpoint security. However, you need to establish a good security policy, for example, minimum privilege. So you can have your cameras, but are those cameras directly connected to other servers or other ecosystems within your organization that could cause lateral movements? You need to disable unused services. Sometimes you don't need to use all the services available in your DVRs or in your recording servers. Also apply hardening and good password hygiene, because if you don't take care of, like, how the passwords are used for those devices, if you keep using, like, the default admin password, well, that's going to be a problem, right? So in those kind of scenarios in which you have a device that is impossible to install an endpoint security or traditional endpoint security, you need to take that into consideration and apply other security alternatives like putting firewalls in between, like putting VPNs to access them, et cetera.
David Moulton: Asher, we talk a lot about zero trust, but it assumes that device trust can be validated. How do gaps in management and monitoring undermine those principles?
Asher Davila: The principle of zero trust is that device trust can be validated and should be validated, and that's absolutely fundamental for zero trust. I think it's not the only thing. I don't like to oversimplify it because I think when you ask people, like, what is zero trust? Oh, yeah, don't trust anyone. Well, yeah, that's the principle, but it relies more on having rich data like intelligence of your devices, having context of -- definitely, if you can't see a device on your network, you cannot protect it. I think that's something that many organizations, or many people, have tried to come up with, this kind of like mindset of you cannot protect what you can't observe. Definitely, that's true, but that's not the only thing, right? You need to understand the context, who has access to it, and what does that mean for the organization? What does that device have to do with your processes within your business? So this means that having a huge portion of your environment with no visibility, or that you don't know that they are not being patched, is what causes problems in that sense.
David Moulton: Let's shift gears and talk about lifecycle management for a minute. Why are so many outdated and unsupported systems still alive inside of enterprise networks?
Asher Davila: Yeah, that's a very interesting question, and I think it is a dangerous habit in many organizations that they think like, if it works, don't fix it. That's sometimes a dangerous mindset, and that's the reason that so many outdated systems are still running, too, because they say, okay, there's nothing to change. It is working well. It has been working for years. Why would I change something about it? And also, there are other problems. Sometimes they want to change it, but sometimes, as I said, operational necessity does not allow that, budgetary constraints, or simply they are not considering. They never think about it. Especially companies that are not tech-focused, they don't always think about, oh, I invested any amount of millions of dollars in this. They don't want to constantly be purchasing new systems, right? So that's one of the things, and many of those unsupported systems are running critical legacy applications. Sometimes the software they are running is so old that it doesn't even run on new devices, on new computers, or more modern operating systems. So migrating applications, those kind of applications to modern servers or modern systems, they see it as a risky and expensive project. They don't want to disrupt business operations, so they just decided to, like, leave it as it is.
David Moulton: Asher, what's the role of IT asset life-cycle governance in reducing long-term exposure?
Asher Davila: Yeah, asset life-cycle governance plays a critical role for transforming security into a more reactive perspective to a more proactive perspective. Because -- and that's what I talked about during my last RSA presentation. That's one of the most important things when you're talking about IoT and IT, is you need -- since you are purchasing the device, even before purchasing a device or a server or any kind of device that is going to be placed in your corporate's network, you need to think about this life-cycle, like how you're going to buy it, for how long it's going to be there in your organization. And then, when it is end of life, how are you going to decommission it, and how are you going to make sure that it is removed from your network properly, and it's going to be -- like, any critical or sensitive data that was stored there is properly wiped, and some organizations don't think about that. They don't even know that they have end-of-life devices running in their organizations, and also, maybe you remember, there are so many devices, but one example that is very famous is you have this kind of like music streaming device that you can connect in your car in case your car doesn't have any smart infotainment, so you can connect to it and stream music from it. But then, I don't know, I think it was after a year or after a couple of years, they just decided, okay, we're not going to support it anymore. And then, there's nothing you can do about it. You just need to trash that device, and that's it. There's no -- any update. And some of them, yeah, stopped working like that one, the example that I just gave, but some others are still working. And as I said, if it works, don't fix it. It is still there. It's my router. It's been there for years. It doesn't have any issues, but they don't know they are not receiving security patches anymore. 
They don't know there are a lot of exploits available on the Internet that anyone can download, and even with very few, very basic knowledge in technology, they can run those exploits and compromise those devices. Additionally, there are no policies that enforce that. Like, in the U.S., there's no policy that says that if you start selling a device, you need to provide any kind of like -- okay, you need to provide patches for at least four years, right? So there's nothing like that. Those are the main points that are critical, but at the same time, I want to reaffirm that that is also why it is important to have a -- to define a well-defined strategy, even before acquiring any kind of device that is going to be connected directly to your organization's network.
David Moulton: Asher, what does a context-aware risk score reveal about traditional severity ratings?
Asher Davila: Let me talk about, first, a little bit about traditional risk scoring. And I'm not saying this is the rule or this is what everyone is doing, but oftentimes, you see that administrators or vulnerability managers, they try to focus on the most critical vulnerabilities in their organizations to fix them first. And that makes sense because you have limited resources to put in; you have limited time; you cannot fix all the vulnerabilities at once, and that makes a lot of sense. But also, you need to understand that not always the most critical vulnerability is the one that is going to pose the most risk into your organization. Sometimes a medium or not-so-critical, but maybe medium or high vulnerability in a device that is critical within the context of your process, that's going to be even more important than fixing the most critical vulnerability, the one that rates the highest vulnerability in your organization. And attackers sometimes are not going to be targeting the most high-value assets at the beginning. They want to target low-value assets because it's easier to get in because they know administrators do not invest a lot of resources into those devices. They're going to target maybe, I don't know, even, like, sales engineers. They need to be opening emails all the time. They are prone to phishing attacks, as everyone is. But since the nature of their job is to be opening emails or talking to random people, trying to create more streams of revenue, that's what happens, and they're going to attack those roles that are more prone to attacks. And they're going to target, also, devices that are also, like, weak links in your organization. So that's the point, that having the context of where they are placed and the kind of connections they have, what are the level of access those users have to high-value assets, that's what's going to change your mindset and your strategy, and I think that's one of the most important things about this report. 
You need to think about not only what kind of devices, like visibility, yeah, definitely that's foundational, and I think, at this point, everyone knows about it, that you need to have visibility of your assets. But what is, in my opinion, more important than just visibility itself is the context.
David Moulton: How do you advise? How do you advise CISOs how to go through and prioritize amongst all those thousands of managed and unmanaged assets when they have this type of problem in front of them?
Asher Davila: It's a very difficult and complex task. It's not something, like, they're just going to go there and purchase a certain tool and fix everything magically. So, of course, it is a context-aware risk score. Adopting that kind of mindset, a context-aware risk score, in which you assign a score depending not only on the criticality of the vulnerability, but also, how important this is within your process, the most important process. So, of course, for that, you need to gather data or learn from your devices. And for that, of course, you need tooling, but in terms of the strategy, you need to understand that criticality does not always mean the most important things to be fixed.
David Moulton: You've analyzed how attackers chain together exposures, credentials, misconfigurations, unmanaged endpoints to move through networks. What's the best way to break up that chain?
Asher Davila: In my opinion, it's moving from reactive to a more proactive approach, and for that, the strategy needs to focus on understanding the attack flow all at once. Like, defining correctly your crown jewels, understanding what are your most valued assets and also understanding what are the devices that are directly exposed to the Internet and trying to find if there's a way to connect, like, entry points? Like, quote/unquote "entry points" from any -- directly devices exposed to the Internet that they can pivot into other users that are within the organization that eventually can get into these high-value assets. So I say, also, one of the goals is to remove the -- or to understand these building blocks that they rely on to create the full chain. And also, I think if I would need to make a recommendation, some key actions that I would take is, well, first, you need to eliminate this kind of freedom of the attacker to move laterally, so we can talk about microsegmentation. We can talk about zero trust architecture, you know, a good password policy. And in the report, you can see many organizations do not care about segmenting the network or, like, isolating critical assets from being accessed by everyone within the organization. And the second thing is that you need to eliminate the blind spots. So you need to implement and place correctly your firewalls, your sensors where you're collecting network data; having modern switches, modern network equipment, so you can collect as much data as possible, and also, be able to install EDRs or XDRs, endpoint security, not only in your critical assets, but also, assets that are directly or indirectly connected to your high asset value, your high-value assets.
And finally, well, you have to eliminate any kind of directly exposed -- like, there is going to be very few cases, and you want to have directly exposed devices to the Internet, so you need to consider which ones you really need to be directly exposed to the Internet.
David Moulton: So if I'm following along, right, it sounds like rocking at the security fundamentals, making sure that you've got great visibility, and then, shrinking your attack surface?
Asher Davila: Yep. That is correct.
David Moulton: Well, I'm sure that our listeners are interested in the report. We'll go ahead and have that document linked in our show notes, so whatever you're listening on, there should be a description and the URL there for you. And Asher, awesome conversation today. I think this is one of those underreported areas in security, you know, the managed, the unmanaged, the OT, the IoT devices, but one of those things that is literally surrounding us with billions and billions of these devices, so it's super important. I appreciate you getting into the data and the report today on Threat Vector and spending a little bit of time educating me on what you found and what we need to do to be a little safer in the world.
Asher Davila: No, thank you, David, for having me here. It's been an honor.
David Moulton: Asher, before I let you go, where can folks find you out on the Internet if they want to continue the conversation with you directly?
Asher Davila: Sure. You can find me on LinkedIn as Asher Davila, or if you don't want to reach out to me there, you can search for me on X as Asher underscore Davila, D-a-v-i-l-a. If you drop me a DM, I will try to reply as soon as possible, and feel free to reach out to me with any question or any comment or whatever you want to talk to me about. [ Music ]
David Moulton: If you like what you've heard today, please subscribe wherever you listen and leave us your review out on Apple Podcasts or Spotify. Your reviews and that feedback really do help me understand what you want to hear about, and if you want to reach out to me about the show, email me directly at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran; original music and mix by Elliot Peltzman. We'll be back next week. Until then, stay secure, stay vigilant, goodbye for now. [ Music ]

