Episode Transcript
0:00
Hello, welcome to the Friday, April 26, 2024 edition of the SANS Internet Storm Center StormCast. My name is Johannes Ullrich, and I'm recording from Jacksonville, Florida.
0:14
Quick reminder today from Jesse that even on a honeypot, the firewall configuration matters. It's less a matter of blocking or allowing certain ports, but redirecting traffic to the appropriate listeners. The honeypot we are using is one where you're using iptables in order to redirect traffic to individual ports, if you have things like Cowrie and our web honeypot listening on them. That way, if the firewall rules aren't configured correctly, you may miss quite a bit of traffic. And that's what Jesse observed in his cloud-based honeypot.
0:59
PlugX is an older botnet, originally coming out in 2020. In March 2023, Sophos wrote about it, and it had a couple of interesting properties. One was that it's one of those bots that actually propagates over USB sticks. So if you connect a USB stick to an infected system, it copies itself and then could potentially be launched on a new system as the USB stick is being moved.
1:28
Now, as of late last year, this botnet was sort of considered somewhat dead because it only communicated with one specific IP address as a command and control server. Well, it turns out that Sekoia has taken over that IP address. It was hosted with Green Cloud, so they pretty much just set up an account with them and had them assign this IP address. And since September last year, they're using it as a sinkhole to basically learn more about this particular botnet.
1:59
Sadly, as it always happens, there are still thousands, if not hundreds of thousands, of systems infected by this somewhat older worm. And Sekoia now also discovered a little weakness in the command and control protocol used by PlugX that theoretically allows Sekoia to uninstall this particular worm. That of course brings up a whole set of ethical questions, and Sekoia sort of has an interesting approach to kind of deal with that. They're now offering national law enforcement agencies the ability to essentially launch these uninstall commands.
2:49
We have seen this in a couple of cases before here in the US, where the FBI got court orders that allowed them to send these uninstall commands. I think it was earlier this year with some of the router malware, where they actually performed such a takedown not just on the command and control server side, but also on the infected host side. We'll see what happens with this interesting approach to sort of reach out to basically individual countries' law enforcement agencies to deal with it in a legal manner, typically involving some kind of a court order. But of course the exact procedures will vary widely depending on the country that is engaging here with Sekoia, if they actually do.
3:38
And open source firewalls are not free of vulnerabilities either. There is an update for pfSense that fixes four different vulnerabilities. Three of them are cross-site scripting vulnerabilities; the fourth one is a local file include vulnerability. A little bit hard to tell from the description how exploitable they are, but definitely something that you do want to patch.
4:05
And GitLab also released an update. This one fixes five different vulnerabilities. The one with the highest CVSS score, 8.5, is a path traversal attack, but apparently only leads to a denial of service. And the one that sounds kind of interesting relates to Bitbucket. If you set up a connection between Bitbucket and your GitLab instance, it's possible an attacker who has one of your users' Bitbucket credentials could take over another user's GitLab account. So not exactly sure how this works, but OAuth sometimes works in mysterious ways.
4:52
And, well, we do have another SANS.edu student for our Friday podcast. Matthew L. Voorhees is joining me here. Matthew, could you introduce yourself, please?
5:04
Yeah, Matthew Voorhees. I currently work at a company called Medtronic. We develop and market medical devices, regulated medical devices, around the world, and we're one of the larger players in the industry.
5:21
The group I work in is a bit unique from traditional enterprise IT security. The group I work in is regulated medical device and regulated medical device software security. So we typically deal with non-traditional computing systems and software, and how to secure those while also providing kind of therapeutic benefit within the expectations of customers, which are kind of hospitals and clinics, as well as regulators like the United States FDA, which authorizes many of our products to be sold on the market.
6:00
So that's Medtronic, and the group I work in has been part of the topic of regulated medical device cybersecurity for almost eight years now. And it's kind of been a relatively new topic in our industry that really started around the 2015 timeframe. But the focus of my research paper that we'll chat about here is really on preventative controls, because that is a larger focus for regulated medical device security, maybe more so than for other computers that are more general purpose within the general IT enterprise. So that's kind of what I dived into, because that's what we're kind of restricted to work with in most medical devices that are connected to a network or the internet.
6:55
And that's sort of really the interesting part of the paper. I think I had at least one student on the podcast that talked about detecting living off the land attacks. And that's how it's usually being approached, kind of as something that's inevitable. Yes, you know, cmd.exe, ping, they are on the system, hard to remove them. Maybe ping you could theoretically remove; I'm not sure what that could break. Something would probably break if you remove ping. So you really more look for: is it abused? Is it used in any odd ways? But you actually tried to look at how you can block usage. So can you talk a bit about the approach that you tried there? What worked? What didn't work?
7:34
Yeah, I was trying to think of a topic for research. It was around the time that the Volt Typhoon report was issued by kind of the Five Eyes governmental agencies as well as Microsoft. And one kind of keystone in that report was this idea of living off the land binaries. And this topic had been around for a number of years in our industry. This was one of the first kind of big reports of it being used as a principal kind of tactic by threat actors to great success, so I think it kind of renewed interest in the topic.
8:15
But also, if you look at that report, they're not doing complex things. They're not using LOLBins, as they're called, that are novel or obscure, right? It's kind of the traditional ones, right? Which kind of blows my mind in 2023, 2024, right, when this research was done. So I think it also allowed me to take a step back and think that when we were back doing prevention of LOLBins years back, we didn't have the prevalence of software-as-a-service technology.
9:07
Over the years, over the last four or five years, there's been a growing scene of the web browser as the new operating system, because frankly a lot of just general workaday activities for the usual enterprise employee are really done within the web browser or basically the Microsoft suite of applications for Office. And it's kind of that combination of a relatively new paradigm, a lack of thick client applications for most workaday usage by enterprise groups, in combination with kind of LOLBins being used by threat actors that are not really obscure LOLBins, that led me to kind of the point of this research that I did.
9:56
Which is understanding if we could create some profiles of traditional enterprise users based on kind of the work tasks that they need to get done, and actually testing, like, is it actually possible to disable some of these traditional LOLBins, like WMIC or even ping, and still have these kind of workaday applications on the thick client side, as well as operations in the web browser, really not be impaired?
10:29
And I think the new technology that we kind of have had opened up to us through certain vendors, including Microsoft, allows execution of those LOLBins for specific applications, right, that we trust, and we can set established baselines, have trusted applications in the beginning. And the friction that's created from disallowing usage of those LOLBins outside of those trusted applications really goes down, right? And I think the research that I have in my paper kind of at least proves that out, in some application and in the initial tests of generic user profiles that were created for technical users that use a lot of the thick client applications for development, but also for general enterprise users as well.
11:24
How do custom kind of applications fit in there? Like, I'm not familiar with the medical kind of stuff, but I've seen some of it in insurance, where you have these weird, like, wrapper applications around something that connects to a mainframe or something like that. How do they fit into that model?
11:47
So as I kind of thought about this, and this is a little bit in my paper too, but not as acute as it appears, I would say: if you look at your whole group of employees, similar to how we just focused on workstations for this research, which is why we didn't really look at servers, but if you look at your whole population of employees, there's a very small percentage of those employees that probably use PowerShell, and there's a very small percentage that probably use the command line. Most people don't need access to those utilities for their day-to-day job. They need email, they need Teams, they don't need a lot of things. So you can really kind of isolate your risk to those unique employees that you mention that might need that middleware stuff that may be running on their computer, or maybe like a server that they need to operate on.
12:48
Like, if you can burn down the risk of allowing a hundred percent of your employees access to all these utilities that they're never going to use down to maybe two percent of the employees that might need them once a year, right, that burns down a lot of risk very quickly. Especially if you adopt kind of the allow list and deny list approach that's been recommended in my research paper, to make sure of what can still be executed. You're shrinking down the attack surface of what malicious programs and threat actors can execute on a workstation significantly, right? And it's a defense-in-depth approach. You're not going to remove all risk, right, but you're definitely going to prevent the execution of workaday malware and malicious programs through what you're able to do, which is your hardening of allow lists with application control approaches.
13:54
But that still, at the end of the day, saves a lot of time and energy for incident response and working incidents, because you don't want them to be spending their time on LOLBins, right? You want them to be spending their time on more value-add activities. And really this helps, at the end of the day, reduce that noise that's created in the enterprise for detection of a lot of this stuff, and really focuses the time and energy of those responders on things that truly do matter, right, that are worth their time and investment.
14:31
Yes, an attacker getting access to a machine and attempting to execute one of those blocked LOLBins, would they still trigger an alert, or would that just not be executed?
14:43
Yeah, so we're strictly kind of talking about Windows right now in the research I did, but I mean, it still gets logged in Windows logs, which would go to a SIEM or some kind of monitoring solution, right, where it would block it, but it would also note that it blocked it, and what blocked it, and kind of the parent-child relationship of what it blocked and when it blocked it, and what it looks like. You get all that information still, which is valuable, to be aware that something was blocked.
15:13
Because Suzanne, who's never opened up cmd.exe in the fifteen years she's worked at the company, just executed WMIC from a command prompt. Like, that's never happened in almost two decades, and that's an anomalous behavior you might want to look into, even if it prevented the initial kind of approach for the threat actor, right? So there is still value in detection and response, but it's more focused then, right? Like, you know that you've probably dodged the first bullet, but that doesn't mean you don't want to investigate and make sure that they don't try something different, or don't enumerate your deny list and kind of find what's not on it. You want to know that they hit the deny list, so hopefully it will stop them before they find something that you've got...
16:05
Exactly. You'll have to have that enabled. Have you attempted, aside from the research paper, to implement that at the organization?
16:12
Yes, sir. Yes, I mean, in the context of regulated medical devices, it's a very difficult problem, because they're providing therapeutic benefit, and we can't really use availability, denial of availability, as a control. It's a safety risk. So you have to get creative, right? But the silver lining is that we're not building general-purpose computers. We're building computers that are designed to do a couple of things very well, in a very predictable way. And you can carve around the capabilities of a computer to do a few things very well, very predictably, through approaches like application control and allow lists and deny lists, to a degree nowadays.
17:07
So we certainly do kind of apply that approach and those principles to most of our medical devices that are not embedded systems, right, that are running on real-time operating systems or really thin pieces of small-footprint firmware. The bigger iron devices we like to think about, that have a large physical footprint, are generally running on Windows or Linux or kind of a combination of both, and those are just computers, so that's a tried-and-true approach that we're able to leverage in medical device security for certain medical devices.
17:52
Now, within the IT security enterprise we have here, I'm less on that side of the operations, right, so I'm not familiar with the application control approaches that they've implemented or their tool suite. But from a regulated medical device side, it's certainly an approach we implement.
18:14
And I would think that, since you mentioned availability, one of the selling points could be that it's also more stable if you remove some of the unnecessary junk from it.
18:23
Totally, yeah. It goes back to kind of basic cybersecurity principles: if you're never going to use it or need it, it's attack surface that can be leveraged, so the best kind of control response is removal, right? So there's a lot of effort done at the beginning of projects that leverage commercial operating systems to remove that attack surface and really, truly harden the image of the operating system, just down to what you need.
18:57
A little more expansive: we have to do software bills of materials for our medical devices and the software now, right? So if you're listing out all the components in your software bill of materials, that is also a good gut check, to say, like, I actually don't need all that stuff, because we don't leverage any of those libraries or any of those utilities. It's a good validation of, like, going down, literally, the list and saying: is this important? Is this really important? Is there a need for it, or do we never use it? Get rid of it, actually. And so that is also a good gut check for us in this realm of application control and hardening.
19:38
Yeah, thank you for joining me here. And the degree program, are you done now, or in your last class?
19:44
It's really funny, actually. I'm in my last class, and I submitted my last assignment, but it hasn't been graded yet, so I have no more work to do, but I'm technically not complete. So I'm kind of in purgatory right now. But I really appreciate the opportunity, and frankly the support from the SANS Institute, to really do my first kind of academic research and spread my wings a little bit.
20:12
Thanks, and I have to check my inbox if your paper is waiting there for me. Okay, thank you, and well, thanks everybody for listening, and talk to you again on Monday.