In this episode, Corey Nachreiner interviews WatchGuard Cybersecurity Analyst and Threat Emulation & Investigations Lead, Kristen Yang, about the path into cybersecurity, the evolution from threat hunting to leading investigations, and the realities of defending against modern attacks. They explore today’s threat landscape, incident response mistakes, red teaming lessons, MITRE ATT&CK, AI in security, and the skills analysts need most, plus a rapid-fire round to close things out.
View Transcript
Corey Nachreiner 0:00
Hey everyone, welcome back to the 443 security simplified podcast. I'm your host today, Corey Nachreiner, and joining me today is Kristin Yang, a lead in our SOC for WatchGuard's, managed detection and response, or MDR service, who we will introduce in more depth during today's episode. It's a pleasure to have you, Kristin!
Kristin Yang 0:21
pleasure is all mine. Thank you for inviting me over. Of course, thanks again for joining us.
Corey Nachreiner 0:26
So as you can tell, today's episode is a bit special and different. Today, we have the pleasure to talk to an experienced security operations center analyst and red teamer professional who has seen and helped detect and remediate many security incidents for many organizations. So during this episode, we'll learn what that entails. We'll learn what the most common threats she has seen that you should all look out for, and of course, we'll talk about defensive and protection strategies that can keep you safe. So with that, let's jump right in. You.
Corey Nachreiner 1:06
And Christian, Kristin, I'm sorry. You're new to the episode. We always like to start with a default question, which is, what is your Hacker's origin story? And just so you know, back in my day, hacker wasn't automatically a cyber criminal. Hacker was actually honorific for someone that thought out of side the box and ultimately eventually learned how to exploit software. But because of that, they're also good at catching it too, so it's not meant as a bad thing. But yeah, what? Essentially, what got you into security today?
Kristin Yang 1:37
Yeah, so my journey into cyber security didn't start off in cyber security. Actually, I did work in Help Desk for about 10 years. That actually gave me the technical background I needed to then get into cyber security. So it was really good that I started off in help desk, and then during that time at my previous employment. I was then promoted to a security analyst because there was a information security department that was spinning up, and they needed someone to help fill that role and help build a program. So, yeah, I was promoted and hired to do that.
Kristin Yang 2:17
aDuring that time, I started learning about ethical hacking
Kristin Yang 2:22
and also became curious about how hackers got, got into a corporate environment, ways that they did. So then I ended up pursuing the Certified Ethical Hacker certification, which I eventually got. Yeah, that's a pretty hands on one too, where you have to use pen test tools during it, right? Yeah, yeah. So then after that, I worked there for three years, and eventually left to join act zero, which is now part of Watchguard. And during my time at Watchguard, as a SOC analyst throughout the throughout the time, I suddenly, then got more engaged with offensive security tactics and red teaming stuff, because I got really more interested in the offensive side of things, so I started doing a lot more training on that front, and then just started delving into some red team exercises just recently. And that's where I'm at.
Corey Nachreiner 3:15
Awesome, awesome. I actually think it's interesting how people get into security. Sometimes you have nerds or little geeks like me that we're kind of interested in learning how to explore on the internet and came into it immediately. But I actually think it's good for the folks that come up through it organically, through through technology and networking like we're often asked, How can we get in the field? What certification should we get? And for instance, your CA, CH is great, but my first comment is you should learn deep networking and or deep coding first, because everything in security is based off, not not everything, but a lot of the actual technical security is based off having an understanding of how networking works, how operating systems work, and, in some cases, for vulnerabilities, how coding works. So I think it's amazing that you came up through the IT field. Now moving on, today, you mentioned you like you kind of transitioned to the offensive side. And today for us, your title, you're a threat emulation and investigation lead, as I mentioned, for our SOC team, specifically not the corporate SOC, but the SOC we use to manage the security, you know, manage detection and response for our customers. So on a day to day, what does that threat emulation investigation lead role look like?
Kristin Yang 4:38
So, yeah, good question. So part of my role as on the SOC side, I am the lead investigator, tech lead, in terms of helping my team with directing the flow of what an investigation should go towards, in terms of investigating certain alerts or there's a major incident, I serve as the lead for that,
Kristin Yang 5:01
and they are directing the team as needed. And then during my other other free time, I do research my the latest threats are out there. The latest, yeah, latest threats, building threat profiles, developing IOCs and using those to build tabletop exercises to help improve the SOC's knowledge of what's going on out there, to keep them up to date in the latest, latest threats.
Kristin Yang 5:27
Yeah, and then also improve some of the alerting structures that we have and improving our detections.
Corey Nachreiner 5:33
So that's very cool. And I feel like it's, I think the reason security people, the good guys, so to speak to good people want to go in. The offensive side is by learning how to do the dark arts, you really get a good understanding. Like, like, first it's a cat and mouse game. Bad guys are always updating their technique, so they're trying to hide from us. So you have to keep you know appraised with what is going on, and maybe even be outside the box. Puzzle solver yourself to help figure out how they're hiding from us. But two, I imagine that the reason your investigative lead is you can more quickly than someone that doesn't have the offensive skills, figure out based on different indicators if something's bad or not.
Kristin Yang 6:17
Yeah, exactly. It gives you that, gives me that different perspective.
Corey Nachreiner 6:20
Yeah, awesome. So before this, you were like a typical threat Hunter and maybe a typical SOC analyst. What was that role? How did that different and what led well, you kind of gave us a bit of it. But how did you convert from that role to this one?
Kristin Yang 6:35
So, yeah, I started off as a SOC analyst. When I joined ACTzero, I was like, right now, the frontline analysts, people who are doing the initial triage and responsive alerts that come in monitoring threats, and introduced me to really, the whole field of managed detection and response, which I've never heard about honestly when before I joined Xero, so that was pretty new to me.
Kristin Yang 6:59
But then throughout that, throughout that time, I started to become curious about how attackers are leaving, they're leaving their footprints in our environments, which is, how are they doing that? So just then I just because, because of that, I just got more curious, and just eventually pivoted over to the offensive side of things, because I just wanted to learn how they got in. So with all this different raw telemetry, they didn't know how to understand that at first. So that's I'm like, You know what? I want to learn how to do it. So cool.
Corey Nachreiner 7:29
Yeah, sounded I agree. It's the fun stuff. When you get into cybersecurity. I'm now as Mark jokes all the time. Now that I'm a CISO role, I have to do all the political people management stuff, even though I came up playing with Metasploit and Burp suite myself, so everyone else gets to do the cool stuff now. So it is, it is fun, even though, at the end of the day, we don't want attackers to be successful. It's great to understand. I will say one thing not planned, but I do want to unpack you mentioned you hadn't heard of what MDR was before you became part of MDR service. And I, I think a lot of the listeners here, you're probably out there as partners or MSP. So maybe you know it, and maybe smaller businesses know it more. But just for those listening like obviously, every company needs some way to do monitoring like we believe in this day and age, besides having preventative security controls, like having a firewall, like a watch guard firewall, or having endpoint protection like watch guard epdr
Unknown Speaker 8:33
is good, there's you can't prevent everything, and there's products that, like EDR, that start to detect living off the land attacks and and there's other indicator. There's lots of indicators that are not for sure. We know this is malware when we can block it, but lots of indicators that add up to potentially an attack is happening. So a typical business, when we say sock, that's a security operation center, basically, you're trying to to bring in all the telemetry from the security controls you have, all the telemetry from the identity and network security controls you have, and literally find the stuff that that the preventative stuff is missing, but, but I think the reason MDR exists is
Unknown Speaker 9:18
that costs money, right? Like people buy firewalls at endpoint, but to buy a SIM, something called a security incident event management system, to have smart folks like Christian Yang and even basic cert computer response, incident response team handlers. You know, if you're a business of 50 people, you probably have an IT guy who's wearing a security hat. You're not going to have a CISO. So at the end of the day, just for the folks listening, MDR is a service specifically made to help our managed service providers deliver the same type of SOC experience you would build at an enterprise to the smallest company. Because we know, you know, it's a.
Unknown Speaker 10:00
Capital expenditure to do it yourself. So we're trying to give you that same 24/7 detection with threat hunters and people can that who can see these indicators and find additional threats for a price that SMBs need. So that was more for the listeners. So I kind of asked what the difference was between a SOC analyst, role,
Unknown Speaker 10:22
investigation lead and a threat hunter. I think I'm going to ask even more details later, but as soon as we hear threat hunting, I mean, people want to know, what are you finding? So what do you think
Unknown Speaker 10:35
based on your threat hunting during that phase? We'll get in more depth later, but at a high level, what is something MSP should be looking into their environment, or end user customers should be looking in their environment. That's a real just common things you see all the time.
Unknown Speaker 10:52
Well, in terms of threat hunting, I think the most important ones to look for would be indicators of initial access. So basically, there are signs that someone unauthorized is trying to get into your environment, because a lot of a lot of attacks can be prevented if that was caught in the beginning.
Unknown Speaker 11:18
So stuff like brute force attacks on on prem Active Directory or cloud accounts like Office 365
Unknown Speaker 11:26
brute force attacks such as that weak credentials, that's that's a really common way of someone getting trying to get in. Also, we've seen a lot of you know people down to people downloading third party software websites that are just, you know, suspicious, and I've seen that too, yeah, if you don't have control, like a lot of people, don't enforce white listing only. They give people admin, local admin on their laptop, and they empower their users to install anything. So maybe they Google something to rip video, and it turns out that that also has malware or Trojans. That's very common. Yeah? So I've seen a lot of that. Yeah, local app giving users local admin rights is a really big no no, but a lot of people do that just before efficiency purposes, which I would have to say, I feel, like most I like us security folks, would love to see people not have admin, the local admin, and be able to install anything. And we'd love to even see white app hard, like hardened white app listing, meaning literally only letting applications you want to run
Unknown Speaker 12:40
and block every other executable, but it is this a little harder to maintain, so not a lot of SMBs do it. One other thing I picked up there is, you talked about initial access.
Unknown Speaker 12:52
I think security nerds, at least for me, I geek out about the really sophisticated and cool attacks that don't require end user or user enter. I like, think a zero, like a zero day vulnerability in a software application, and then a really fancy privilege escalation based on a vulnerability where it's not just a user identity, but on the flip side, if you're talking about what's seen most commonly, there's a common saying that that hackers log in they don't hack in, meaning, it seems like most attacks start with them somehow, just getting a legitimate privilege credential, as we're talking about common thing is, is that true? What's your based on what you see? Should I be more worried about all this sophisticated nation state zero day or just making sure I protect my identities. So a one very common factor of attackers, you know, finding ways to get in our IoT internet of things. So that's, that's a big one, so especially with some of the ones that I can recall, like the infamous proxy shell attack, which against Microsoft Exchange,
Unknown Speaker 14:08
basically, and if any exposed Microsoft Exchange server that's running a vulnerable version that exploits publicly available, anyone can just download that pub that exploit and just run it. Or, I think if the Mirai botnet, the Mirai botnet that was looking for things like, essentially, they're looking for Linux devices that weren't hardened, and pretty much every whether it's a business or consumer IoT device, say it's a webcam, say it's a consumer level router. When you get the really cheap webcams from different Southeast Asia, you know, places they run Linux. They work great as webcams, but they have spent no time hardening and Mirai, at the end of the day, targeted basic Linux, you know, weaknesses, not even vulnerabilities. And like you say, pop all your webcams. They also make if I'm in a thread.
Unknown Speaker 15:00
Actor. What a lovely bastion host to have, because you don't suspect your Smart TV or your webcam, but it's a full Linux computer. I can scan your network, I can run scripts, I can do all my lateral movement from that, that little webcam that some people may not realize is really just a full blown, blown computer. Yeah, cool. Is there, you know, you've given us common ones. We'll talk about more. But is there like a really horrible war story from the cyber trenches that keeps you, keeps you up at night, as far as worrying about it happening to your customers or to us? Oh, not currently, but I do now that you mentioned it. I do remember when wannacry hit back in 20. Oh yeah, that was a big one. And that that, at that time, at my previous employment, wannacry was a big thing. So, like, our entire teams were, like, just going about, which, like, patching all of our servers. I had SMB version one because that was, that was, yeah, so that that was, that was one that reminds me of how bad worms can be. Like, like, at that point when wanna cry came out, ransomware had started taking off with crypto locker, and it proved that ransomware really could lock up computers, but we hadn't seen self propagating worms. Is often like, like, the security industry had gotten better with the network security controls that, for the most part, tried to block how worms might propagate, at least in internal both internally or over the external internet if you find the right network vulnerability. But to your point, SMB shared that took ransomware from people just infecting one computer at a time and asking for $300 in cryptocurrency to a grandma to SMB flaw
Unknown Speaker 16:49
Server Message, it's basically, it's what it's the net, it's what Windows uses to do file sharing. I forget the acronym for SMB,
Unknown Speaker 16:58
but basically that allowed the ransomware to infect every computer in a Windows network that wasn't updated in the right way. You definitely don't want to use SMB v1 anymore. So yeah, that's a great one. And the fact that it showed us how widespread it could go, where, not only it started targeting hosts, if I remember right, that was North, we suspect it's alleged that is the nation state of North Korea, which was also unusual, because you expect criminal cyber attackers to be looking for money, but North Korea, because of its sanctions, I believe, is one of the few nation states that is actually not just hacking for espionage, but is hacking to steal money. But I remember it showing up in train stations. Like a German train station had the want to cry ransom note on its scheduling thing, just because it happened to be a Windows console. It targeting hospitals with it specifically, but the warmness of it made it escape its bounds. So, yeah, that was big one. Worms do scare me? We're getting better at fixing the network vulnerability mechanisms that allow worms to automatically propagate versus just a single malware. But scary for sure? Yeah. Speaking of this, do you think in general, obviously, we've talked about a few nation states who are known for being apt threat actors. So apt Sam's for advanced persistent threat, but it really means a more sophisticated threat actor that uses a lot of evasion and the advanced techniques to not get caught. Do you think the average threat actor, including cyber criminals, is getting more sophisticated, or are they just more efficiently exploiting the same old weakness because we haven't fixed them, or a mix of both. Honestly, from what I've seen, it's a mix of both, because we still got organizations that are using legacy software, legacy systems, those vulnerabilities and printers, they still they're still there. There's still opportunity to attack, especially if they're exposed to the internet. That's just, that's prime message right there. Also with the with the rising of artificial intelligence being more more common among many workforces nowadays, and many companies using AI to do automation stuff,
Unknown Speaker 19:14
the attack surface just got pretty, pretty interesting. So, yeah, with AI, I feel like AI's biggest thing to the threat actor is, is it's lowering the bar. It's allowing dumb script kiddies to become more sophisticated, yeah, like back in the day, to exploit something like, let's say you are exploiting the zero day, to be a reverser, to actually knows assembly and can reverse a program, let alone find a deep vulnerability in the program and make it exploitable. You need some smarts for that, yeah, now AI can literally do that for you, sometimes in seconds. So AI whether or not the threat actor is sophisticated, I feel like it's going to make it's going to lower the bar and make you.
Unknown Speaker 20:00
And the average threat actor have more sophisticated techniques. Yep, that's what, that's what it's becoming now.
Unknown Speaker 20:07
It does suck that we still have all those weaknesses out there. I do like that you mentioned IoT, though, because I feel like in the business world, we call it more ot operational technology, but it's the same thing. It's very it's equipment that uses a computer inside it that's connected to a network. So like in healthcare MRI machine or in a bank ATM machine really just a computer. And guess what? Until recently, 90% of them were Windows CE. No, like, like, it's not only is it a Windows operating system, but CE is the old, you know, Palm Pilot ver like. So to your point, I feel like even people that are trying to do the right thing, as far as updating traditional computers, patching my laptops, patching my servers and workstations, it's so easy to have all this legacy sometimes, end of life stuff in the OT or IoT equipment you have out there, because hopefully most administrators know those are computers that need firmware updates too. But in the past, you know, if it didn't look like a computer, you didn't treat it like one. Cool besides that, any other before, before we move on to other things, any other general attack trends or patterns that really stand out lately, maybe in the last year or so? Yeah, again, I mentioned AI. Many companies are adopting AI tools, and with that comes a new set of vulnerabilities that are just surfacing as more security researchers delve into and more and there's, there's going to be, that's gonna probably be a new thing for a while, also with the recent supply chain infrastructure attack with Notepad plus, plus
Unknown Speaker 21:48
that that's also a huge trend that's going on. Dive into that one a little bit more, if I remember right. Notepad is something that comes with Windows, but if you're like a script or code or Notepad Plus, is a something you can download for free, essentially, that has it will highlight and show you code better. So a lot of people prefer it, but if I remember right, that was a supply chain trojanization of it, why don't you go into that low I think we talked about it on the podcast, but I'd love to hear your take. Yeah. So basically, from what I recall, the update server, which was used to roll out the updates, was compromised, yeah, and that, that server was taken over to deploy malicious versions of notepad. Plus, from what I recall, I mean, my That's right, that's right, I think that that's what that was. And then they they updated. No, they're they updated. They sense updated. So now that it's you can't do that, it's similar to a lot of other things I that this audience might know, like SolarWinds is Orion situation where SolarWinds, an organization that makes very popular monitoring software for networking, got compromised at a corporate level, but so far into their software development
Unknown Speaker 23:02
networks that they were able to literally add malware to the real installer and have it perfectly signed like it was a normal update. The one I remember before that was, do you remember the C cleaner one? CCleaner is a really popular win, or used to be anyways, Windows app that would like clean your registry from below to just do basic stuff, a lot of normal I don't think it was used in business a lot, but a lot of Windows users that didn't like registry bloat would use it. But Perforce at the time, a different company owns it now, but they had a corporate breach, and they got into the development network. So I guess really kind of the pattern is, watch out for digital or software supply chain attacks.
Unknown Speaker 23:50
Cool
Unknown Speaker 23:52
for organizations. I guess I kind of Prelude. I talked a little bit about what a security operation center is, and the whole reason we have MDR services. As small companies tend not to be able to have a full SOC, and they often have to outsource it. But for those who haven't really managed or had a SOC or been in one, can you kind of explain how a SOC team, a security operation center team, handles, you know, any incident from from finding it to to how they react and do all the other steps. Yeah. So basically this, the SOC team handles an incident from the initial triage to the response to the customer. So the initial triage is done by our frontline analysts. They get an alert, they review it.
Unknown Speaker 24:42
And then after some initial investigation is done, they send an initial response out to the customer with their findings. And then if there is, if there is a sign that a major incident has occurred, that's declared, and then another process and just kicks in to do the major incident pre.
Unknown Speaker 25:00
Process so that that's another monster in itself, because it includes containment, remediation and recovery, but that sort of thing can also happen happen during, like a regular security alert. That's some, some odd thing happens on a host, and we just do the containment and then just follow through with the customer, and then the customer will then take the steps to remediate. And, yeah, but you've provided them kind of a playbook, yeah, do that based on, yeah, yeah, pretty much. So cool, yeah, if I were to dumb it down a little bit more, like, obviously, there's types of things that are that our products do. They're completely preventative. Like, if you get a malware detection that we blocked, that's not a sock incident, because we've already blocked it, but what you're really saying is we're gathering a lot of other telemetry through our products, and maybe other devices or products to that are indicators of suspicion. So really what what you're doing is, first, how do you get an alert? One of the magic sauces I think we have with why we acquired act zero to build our stock upon, is how you take all these little indicators, like an indicator of an attack can be, Oh, I I just found a program running that is, is not a Microsoft program, but it's using a Microsoft or maybe the opposite, that that's not using a known maybe I find a kernel driver running that's not using a known digital certificate for kernel drivers, it's not signed properly. That could be a very bad indicator. But alone, it's not enough. Maybe you need other indicators. So basically, what our SOC is doing is gathering all that telemetry, I think. And one of our magic things is, normally a threat hunter would have to go through every let's call them, not really like warnings indicators, and do the correlation. But we have a lot of AI modeling that's taking all that noise and only bringing your team the alerts that we really have some confidence to look into. So when you say you get an alert, by then, we've gotten maybe not 100% confidence, but this is something the team has to look into. So you guys do look into it, you confirm it, and that's when you start to then follow, okay, if this, this looks like an incident, what everything did it touch? How you know, and that's part of your containment and remediation plan, and then you deliver all that data for the folks that were giving this service to to outsource. Yep, one of the things that like, if I were running a SOC, a lot of people talk about prevented prevention, detection and response, which is basically what I just talked about, but they talk about it linearly. It really is a loop. Once you've done all of these steps and the customer is remediated and contained, what you should be doing is you've also identified a root cause. You've identified things that might have made it laterally move easier. You have all of these learnings, and really that should circle back to prevention, meaning, then the customer should, if possible, if you learn something new, make changes, add new security things. How, as someone that is in MDR, where we're giving them playbooks and managing responses, is there anything we do to help them take their learnings and put it back into their security defense after to do the circle back to prevention.
Unknown Speaker 28:24
Yeah. So especially during major incidents, that's when it really comes to that's when it really exposes all the the misconfigurations and vulnerabilities a customer has. Yeah, it's not, it's unfortunately, it's not until a major incident has occurred that it really shines light onto those things. So during that time, when we go through a major incident process, like you mentioned, the prevention, detection and the response, and then
Unknown Speaker 28:55
calling our key stakeholders to get involved in, you know, all the people who with the different skills needed to help solve this case, yeah, building a root cause analysis at the end, gathering all that data, all that information, into one readable report, one report for them, yeah, or for them, to help identify what what was, what were the lessons learned? How did this attacker get in? Here are the here are the indicators that we found. Here are the vulnerabilities that we found. Here are the endpoints which aren't being monitored. Here are the some of the things where we we don't have available logging for and that's why we missed it. A lot of these things get identified in the root cause analysis. And I that RCA really is important when it comes to fixing someone's, you know, environment, and fixing up those vulnerabilities. So it's really important that's done. So, yeah, so that that analysis, that root cause analysis, and the final report, really is a huge value that the customer can use to help them fix. I, by the way, I there's a scenario.
Unknown Speaker 30:00
To give an idea of
Unknown Speaker 30:02
if you're finding vulnerabilities in a lot of things, it could be lots of takeaways, but how often is it a
Unknown Speaker 30:09
just a basic weakness? And let me give you a specific example that the endpoint team has talked about before that I wonder if you see from a SOC level where we have great products. We epdr, not only is preventative of a ton of ransomware, but it actually has a lot of automated EDR that can be preventative even post execution. Can, can even when things aren't blocked or known right away, can, can stop it while it's doing stuff. So we find that if people have our product on, for instance, they get ransomware very rarely. But what happens is, we sometimes find a customer that has had ransomware on a thing, we've detected it because another device detected ransomware trying to come to it. And it turns out the root cause is, oh, I had epdr installed on a ton of computers and workstations, but I didn't put it on my server that's in this one place that I didn't really have a network map of, and that server got infected. Is that common in the socket? Yeah, it's very, very, very common. That's like, unfortunately, one of the ways that how, you know, organizations get attacked is because, if they're they, if they have, like, an EDR rolled out, that's great and all. But if you don't have everything, every asset to play with it, and someone manages to find that loophole and get in, then you're gonna have a whole this is where, by the way, my job, when I talk about how a CISO doesn't get to do to fund technical stuff, it does point out why basic blocking and tackling asset inventory like having a basic asset inventory that's continuously updated and accurate, meaning it should be automated. Discovering those assets, you would be maybe you wouldn't be surprised, but I think the average person would be surprised that how few people have a network map, how people, like most of them, have old school network maps that are not digital ones that are scanning networks and keeping them continuous. They're just a network map someone tried to make 10 years ago, okay, maybe one year ago, but did it as a vector diagram, and a day later, someone brought a new device, and it's not accurate, but I don't care how great your security products are. Watchguard makes great ones. I want you to have them. They will protect you if you aren't doing basic asset inventory right, so that you really know what your products are, and you miss putting security on one of the devices half the time. It's it's not, it's not the security product or the technology that failed, it's the fact that you haven't configured it properly, including not installing it. So just find that interesting.
Unknown Speaker 32:50
But let's pivot, because you got more interested in the offensive side of things, and now in your latest role, that threat emulation part is basically a form of red teaming, which I'm sure our audience knows, is pretending to be an attacker and trying to break in. Usually when there's a blue team, usually it's to help train like you're not doing it as a real attacker. You're trying to help the company find weaknesses, or help a defensive Blue team to ensure they have the right visibility to catch this type of stuff. So you know, what types of things have you learned to improve a customer's detection and response based on that?
Unknown Speaker 33:30
So, as a red teamer, yeah, as a red teamer or a threat emulation person, yeah. So after having some being in a as a red team sort of mind understanding how the kill chain works using really popular frameworks like miter and Lockheed Martin, those frameworks really help break down how an attack kill chain would look like. So there are different phases of an attack, from initial access gaining, initial access credential dumping, defensive Asian privilege escalation. There's a few more. So understanding what each phase is in terms of the actual indicators that I see in in our telemetry really helps then identify what areas that a blue team needs to focus in more of and to act and then also understand, like, how, how does the telemetry look like when during that sort of phase? So that helps me as a red team to be able to organize that and being able to then tailor more so, in other words, you can find a specific weaknesses in their particular like, just to give you, you mentioned the Lockheed Martin cybersecurity skill chain, which I think there's seven or eight, but it essentially is reconnaissance, which is all about learning about an attack, a phase where, based on what you learn as an attacker, you figure out a weak spot where you have to kind of weaponize and develop a vulnerable.
Unknown Speaker 35:00
Ability. There's a period where you then exploit that vulnerability, then presumably it was successful, but with maybe guest privileges on one computer. So then there's a lateral movement, pivoting phase, and eventually I might be missing a few steps, but it gets to the actual thing the attacker wants to do, whether it's exfiltration of data. Another way to look at this. We may not dive deep into it, but I know you're familiar with the miter attack chain, which is, is really, while they might have different phases at a high level, it has those same killed chain top level phases, but it goes into very technical depths about different techniques you can use in each phase. Yeah. So it sounds to me like you're describing by you knowing that, by you understanding that kill chain and the miter attack defense when you're red teaming, you're you're, you're not only seeing their weaknesses in each of those phases and each of those attack techniques, but maybe you can find a highlight that, oh, the preventative stuff was okay. I might have found one hole, but in lateral movement, you had a really crunchy exterior shell that it took me a while to get through, but once I got inside, it was soft and chewy in the middle, and I could do anything I wanted. So you really have to work on the lateral pivoting movement part of the kill chain. Yeah. Is that kind of accurate?
Unknown Speaker 36:23
Rewording what you said? Or yeah, pretty much, yeah. Cool. So that's what you've kind of learned as a red Teamer. What do blue teams consistently underestimate about attackers? So there are a few things. So for one, especially with nation, nation state actors. They have all the time and the resources given to them to help do
Unknown Speaker 36:49
months or weeks of reconnaissance against a target. They collect all the information they can about a target, the people the company, any sensitive information they can find online. If I were to pause you there, by the way, that's, that's what in the apt thing, if you're talking that, that's what the persistent part is. The persistent is they have the time and sometimes money, to just keep at it for a long period, keep going. Yeah, yeah. So they, they have the time to build out their tax any custom tool sets and need to code or whatnot. And then, yeah, and that's less one thing, and then also the one thing that is pretty difficult to detect is defensive Asian, which is one of the tactics in the miter framework. So defensive Asian is the ability for an attacker to stay in a network and persist in a network without being seen by any security product or any blue team or so. That's probably one of the most toughest ones too. There's tons of techniques that can lead to defense evasion, but I think the most common one, especially for once you're there, could be defense evasion for the the
Unknown Speaker 37:59
exploit phase to like, fragmentation attacks that get past IPS signatures or something. But the one I think you're talking about once you're inside, the one I think of the most is generally category characterized as living off the land attacks, yeah. That's, yeah. That's one of the many ways you can do perspective. That's the many ways. Or there are other ways that yeah, can be achieved, but that's, that's a known one, yeah, yeah. And the for people that I'm sure everyone knows, living off the land, but like, if you install malware right away, you're introducing a tool that could be detected. But living off the land attacks is at the very basic understanding, is using tools that a normal person, or at least administrator, would use. So it's much harder to tell Hey, that PowerShell might just be an administrator doing something, but it could also be an attacker using the power of PowerShell pun intended to do whatever he wants on your network or she wants on your network.
Unknown Speaker 38:57
Cool.
Unknown Speaker 38:59
What's one technique from Red Teaming that every SOC analyst should understand. And keep keep getting technical. I think our audience loves to dive in and explain to
Unknown Speaker 39:10
honestly, like I've left, like I've alluded defensive Asian is the one thing that
Unknown Speaker 39:15
the is there a particular technique or thing you think about the most that stands out as the most, like a defensive Asian you see, because it could be many of them. But what is the one that is there a specific example that stands out in what you see today?
Unknown Speaker 39:34
Yeah, honestly, I think the one that you just mentioned, already living off the land is the most common ways.
Unknown Speaker 39:42
But even that type that has many different like, it could be living off the land through PowerShell. It can be leveraging cert util, which is a normal like, it's a utility that Windows uses to check digital certificates and decode things, but attackers use it to grab things from URLs and basic.
Unknown Speaker 40:00
But so just know listener that living on it, living off the land, is worth looking into, and there's a lot of techniques there. Cool.
Unknown Speaker 40:09
So whether a SOC analyst or just any cyber security professional, what skills should our listeners focus on right now, as far as if I'm already a cyber security professional, and by the way, I forgot to but I will ask another question about defenses after but what skills should I, even if I'm an IT guy doing some security role, what is a big skill I should focus on right now for cyber security? Honestly, with how things are going, AI learning, how AI works, how large, large language models work. How do they? How are they being used in the workforce? How are companies using them, using them, and what, what are the
Unknown Speaker 40:52
evolving attack vectors are there currently, absolutely, I think, like the generative AI alone is just going to be a threat enabler in that it gives threat actors more abilities. But to your point, we didn't even get into the additional attack surface that even Gen AI offers. Like it becomes an attack surface of its own with prompt injection. So things like click Fix attacks, attacks like where, if you think about being socially engineered. If an attacker can prompt, inject a legitimate Gen AI, LLM, they could get it to give you malicious responses that get you to go and look at things that could be bad. So I think that's fantastic, fantastic advice. I would add to I like, I think I'm already deep into llms. I think you also need to look at agentic AI, because that just makes the right away. Most people don't get the attack surface and the implications of just the Gen AI that they're using, other than cool nerds like us. A few people are really diving into agentic AI, but the I mean, basically that's taking llms and connecting them to everything through APIs and connectors and giving them privileges to do things. So that just takes the threat even higher, and it comes down to like a genetic AI is driven by MCP servers, so even at a network level, understanding MCP server privileges and how they work, so great answer before I ask one more question at the end. But while we're speaking of AI, how we've talked a little about this, but can you think of any other ways AI is changing both attacks and defense in your SOC world? So you've already alluded to it. So web, web API's, they authenticate, agentic. AI's
Unknown Speaker 42:41
integrating REST APIs with llms to automate work workflows and with as more organizations adopt that, there's going to be more opportunities to launch like more sophisticated attacks that, like you said before, that even a script key or an average grunt, disgruntled person can actually go in and code their own stuff to do, to do what?
Unknown Speaker 43:08
Goodness knows?
Unknown Speaker 43:10
Yeah, and I think from the security side though, this is where we kind of alluded it to before, but we have an MDR, SOC. How do you like? What can security do with AI to help all of this? Yeah, so our So, without getting to specifics, like AI for any sort of sock, if like, they can be also be used to automate, automate, to your security orchestration, to automate a lot of the manual stuff, like threat hunting or even like responses, or use maybe even doing correlation that section, like you have a lot of indicators that are low confidence, but they somehow correlate. Yeah, a human could definitely put those pieces together. But if they're all indicators that are hidden in tons of data, AI is really good at quickly finding correlations and tons of data for to increase detection even, yeah, yeah, for sure. Awesome. I do think I skipped it, but just to summarize this, at the end of the day, we don't just want to scare our audience to death, like we've talked about some of the common attacks, how threat landscape and threat actors are changing. So let's translate this to practical tips. So just thinking at a high level, from the most common attacks we've talked about or you've seen in the SOC, what are maybe a handful or three big defensive high return and investment take protection or defense strategies that you would want everyone to do to remain safe based on what you're seeing, mostly as a SOC operator.
Unknown Speaker 44:44
So patch, patch management of legacy systems isn't that crazy, by the way, I agree. I get so sick of saying MFA everywhere in patch management, but it have to.
Unknown Speaker 45:00
End of the day, yes, Agree, Agree.
Unknown Speaker 45:07
The one less common one, but I think is also as important as I kind of mentioned earlier, is IoT devices, so interfacing devices which are Internet facing that almost anyone can scan. So any internet facing applications, if you must secure them, use network access controls,
Unknown Speaker 45:29
authentic, secure authentication methods to protect those internet facing assets. I can't, like, I've seen attacks where do Yeah, I love it, and we agree, by the way, I will say, like, first of all, there are things you have to publicly expose, everything where, like websites, so definitely pardon those, yeah, but there's a lot of remote management and remote tools that you want your users to use. And I think just remote management and or VPN itself has kind of become a target, because threat actors have learned that, okay, these companies have got good at at least they're blocking Telenet and SSH, and they're blocking RDP or something else. They're blocking their SQL Server ports with a firewall, but there's people outside the company that need to get them, so they start targeting remote access. So tell me if you agree, VPN itself is a target too, but my recommendation is never expose remote management directly. No always have it behind VPN and zt or ztna, which is even more secure way to do remote access. But more importantly, because VPN is also targeted, besides keeping your VPN products patched, you must use MFA. To me, like stolen credentials are the most easy way for an attacker to hack in, and MFA will save you from the stolen credential. So that's I agree with you. Anything else there?
Unknown Speaker 47:02
The one thing is the the employees are the first and last line of defense. Yeah, security awareness, yeah. Cyber Security Awareness Training is so important that really, everyone, every organization should run through
Unknown Speaker 47:21
to be able to identify vicious emails and all that. So I don't think we'll ever fix as a society, every technical flaw, but I always put it as imagine. We fix every technical flaw, there's no vulnerabilities. Everyone is running a perfect technical security situation. You're still going to have a person be able to social engineer a person that has privilege into doing something they shouldn't. So those are great tips. Kristen, thanks for sharing. This has been really fun for me, but before we go just to get to know you more and for fun, let's do some really quick, active responses. So just to get to know you when you're like in the zone, deep in an incident in the sock Coffee, tea or energy drinks. Well, look what I'm drinking here. Coffee,
Unknown Speaker 48:07
by the way, I love the Hello Kitty. I lived in Japan for a while. All my sisters had Hello Kitty. Everything I love is it croppy? I love cropy, the frog, too. Oh yeah. Favorite cyber security related media, show, book, movie, fiction, nonfiction, doesn't matter.
Unknown Speaker 48:24
Book, the hackers playbook, three, oh, wow,
Unknown Speaker 48:29
yeah, cool. I love it. That's awesome. Are you Windows, Mac or Linux?
Unknown Speaker 48:37
Given, I don't know. I think Linux, honestly, Linux for its open source and just being able to do stuff also, if you're if you're a red teamer, 90% of the cool tools are on some sort of Nix. I will say I'm all three
Unknown Speaker 48:55
pen testing. It's always the Linux version of metasploit. But I tell you what, I never used MAC until about 10 years ago, when they moved to Intel and Mac became a BSD core, which is essentially a flavor of Linux. So 90, if you go to command line, Mac essentially, is Linux So, but yes,
Unknown Speaker 49:16
yeah, here's a controversial one. AI, will it save the world or end it? Oh,
Unknown Speaker 49:23
that's that's a tough one. Honestly, it's too early to say, because they're still still developing. Yeah, I think it has the potential for both. I think it's in our hands, and hopefully we'll make the right choice to Yeah, exactly, use it to innovate, but also put some safeguards on it, because it's very powerful. Yeah, for sure, yeah, I totally agree. Is there an overrated security tool out there? Honestly, nothing is overrated if you implement it properly.
Unknown Speaker 49:54
How about a How about an overrated,
Unknown Speaker 49:58
let's say pen test.
Unknown Speaker 50:00
Or script, Kitty tool,
Unknown Speaker 50:02
oh, man,
Unknown Speaker 50:04
what was the DDoS one? The one that was low orbital, something or other, yeah, that I always thought that was a crappy tool like it only would not DDoS anything that is beyond 1999
Unknown Speaker 50:21
okay, if you know, you know red, blue or blue pill.
Unknown Speaker 50:27
Honestly, for me, red,
Unknown Speaker 50:29
that's cool. Me too. I know that means I have to face the truth of reality, but I like facts. I don't want to live in a pretend
Unknown Speaker 50:38
ignore the man behind the curtain who's a hacker.
Unknown Speaker 50:42
One habit that makes a great sock analyst think like how an attacker would
Kristin Yang 50:48
absolutely and that's why you red team. You have to know, you have to think outside the box, otherwise you're going to miss stuff. This is for the nerdy folks that are probably in our industry more but Metasploit, cobalt strike, or core impact.
Kristin Yang 51:02
Honestly, I would love to use cobalt strike, but with my experience, I'm at a point.
Corey Nachreiner 51:08
Yeah, it started free. I mean, I know you have to pay for it now, but I love HD more. I've watched that tool develop from Pearl to Ruby to now. I'm with you. I like you. I wanted to use cobalt strike, but it's pretty expensive.
Corey Nachreiner 51:23
Is there anything we missed today that that our audience should know?
Kristin Yang 51:27
No, I think we've covered everything
Corey Nachreiner 51:30
Awesome. Well, thank you so much. It was really a pleasure having you Kristin, and I hope you had fun too.
Kristin Yang 51:35
Yeah. Well, thank you for having a discussion with me. That was great. Thank you. Awesome.
Corey Nachreiner 51:43
So. Hey everyone, thanks again for listening. As always, if you enjoyed today's episode, don't forget to rate review and subscribe. If you have any questions on today's topics or anything else, reach out to us on blue sky. I'm at segadept, and if you want to find Mark, he is at it's mark.me and both of us are in Instagram at Watchguard underscore technologies, thanks again for listening, and you will hear from us next week. You.
