ISC StormCast for Friday, April 26th, 2024

Released Friday, 26th April 2024
Episode Transcript


0:00

Hello, welcome to the Friday, April 26th, 2024 edition of the SANS Internet Storm Center's Storm Cast. My name is Johannes Ullrich, and I'm recording from Jacksonville, Florida. Quick reminder today from Jesse that even on a honeypot, the firewall configuration matters. It's less a matter of blocking or allowing certain ports, but redirecting traffic to the appropriate listeners. The honeypot we are using, for example, uses iptables in order to redirect traffic to individual ports, if you have things like Cowrie and our web honeypot listening on them. If the firewall rules aren't configured correctly, you may miss quite a bit of traffic. And that's what Jesse observed in his Azure cloud-based honeypot.

0:59

PlugX is an older botnet, originally coming out in 2020. In March 2023, Sophos wrote about it, and it had a couple of interesting properties. One was that it's one of those bots that actually propagates over USB sticks. So if you connect a USB stick to an infected system, it copies itself and then could potentially be launched on a new system as the USB stick is being moved. Now, as of late last year, this botnet was sort of considered somewhat dead, because it only communicated with one specific IP address as a command and control server. Well, it turns out that Sekoia has taken over that IP address. It was hosted with Green Cloud, so they pretty much just set up an account with them and had them assign this IP address. And since September last year they're using it as a sinkhole to basically learn more about this particular botnet. Sadly, as it always happens, there are still thousands, if not hundreds of thousands, of systems infected by this somewhat older worm. And Sekoia now also discovered a little weakness in the command and control protocol used by PlugX that theoretically allows Sekoia to uninstall this particular worm. That of course puts up a whole set of ethical questions, and Sekoia sort of has an interesting approach to kind of deal with that. They're now offering national law enforcement agencies the ability to essentially launch these uninstall commands. We have seen this in a couple of cases before here in the US, where the FBI got court orders that allowed them to send these uninstall commands. I think it was earlier this year, with some of the router malware, where they actually performed such a takedown not just on the command and control server side, but also on the infected host side. We'll see what happens with this interesting approach to sort of reach out to basically individual countries' law enforcement agencies to deal with it in a legal manner, typically involving some kind of a court order. But of course the exact procedures will vary widely depending on the country that is engaging here with Sekoia, if they actually do.

3:38

And open source firewalls are not free of vulnerabilities either. There is an update for pfSense that fixes four different vulnerabilities. Three of them are cross-site scripting vulnerabilities. The fourth one is a local file include vulnerability. A little bit hard to tell from the description how exploitable they are, but definitely something that you do want to patch.

4:05

And GitLab also released an update. This one fixes five different vulnerabilities. The one with the highest CVSS score, 8.5, is a path traversal attack, but apparently only leads to a denial of service. And the one that sounds kind of interesting relates to Bitbucket. If you set up a connection between Bitbucket and your GitLab instance, it's possible an attacker who has one of your users' Bitbucket credentials could take over another user's GitLab account. So, not exactly sure how this works, but OAuth sometimes works in mysterious ways.

4:52

And we do have another sans.edu student for our Friday podcast. Matthew Voorhees is joining me here. Matthew, could you introduce yourself, please?

5:04

Yeah, Matthew Voorhees. I currently work at a company called Medtronic. We develop and market medical devices, regulated medical devices, around the world, and we're one of the larger players in the industry. The group I work in is a bit unique from traditional enterprise IT security. The group I work in is regulated medical device and regulated medical device software security. So we typically deal with non-traditional computing systems and software, and how to secure those while also providing kind of therapeutic benefit within the expectations of customers, which are kind of hospitals and clinics, as well as regulators like the United States FDA that authorizes many of our products to be sold on the market. So that's Medtronic, and the group I work in has been part of the topic of regulated medical device cybersecurity for almost eight years now. And it's kind of been a relatively new topic in our industry that really started around the 2015 timeframe. But the focus of my kind of research paper that we'll chat about here is really on kind of preventative controls, because that is a larger focus for regulated medical device security, maybe more so than for other computers that are more general purpose, that are within the general IT enterprise. So that's kind of what I dived into, because that's what we're kind of restricted to work with in most medical devices that are connected to a network or the internet.

6:55

And that's sort of really the interesting part of the paper. I think I had at least one student on the podcast that talked about detecting living off the land attacks. And that's how it's usually being approached, kind of as something that's inevitable. Yes, you know, cmd.exe, ping, they are on the system, hard to remove them. Maybe ping you could theoretically remove. I'm not sure what it could break. Something would probably break if you remove ping. So you really more look for: is it abused? Is it used in any odd ways? But you actually tried to look at how you can block usage. So can you talk a bit about the approach that you tried there? What worked? What didn't work?

7:36

Yeah, I was trying to think of a topic for research. It was around the time that the Volt Typhoon report was issued by kind of the Five Eyes governmental agencies as well as Microsoft. And one kind of keystone in that report was this idea of LOLBins, living off the land binaries. And this topic had been around for a number of years in our industry. This was one of the first kind of big reports of it being used as a principal kind of tactic by threat actors to great success, so I think it kind of renewed interest in the topic. But also, if you look at that report, they're not doing, like, complex things. They're not using LOLBins, as they're called, that are novel or obscure, right? It's kind of traditional ones, right? Which kind of blows my mind in 2023, 2024, right, when this research was done. So I think it also allowed me to take a step back and think that when we were back doing prevention of LOLBins years back, we didn't have the prevalence of software as a service technology. And over the years, over the last four or five years, there's been a growing scene of the web browser as the new operating system, because frankly a lot of just general workaday activities for the usual enterprise and IT are really done within the web browser, or basically the Microsoft suite of applications for Office. And it's kind of that combination of a relatively new paradigm, a lack of thick client applications for most workaday usage by enterprise groups, in combination with kind of LOLBins being used by threat actors, but not really obscure LOLBins, that led me to kind of the point of this research that I did, which is understanding if we could create some profiles of traditional enterprise users based on kind of their work tasks that they need to get done, and actually testing, like, is it actually possible to disable some of these traditional LOLBins, like WMIC or even ping, and still have these kind of workaday applications on the thick client side, as well as operations in the web browser, not really be impaired? And I think the new technology that we kind of have had opened up to us through certain vendors, including Microsoft, allows execution of those LOLBins for specific applications, right, that we trust, and we can establish baselines, have trusted applications in the beginning. And the friction that's created from disallowing usage of those LOLBins outside of those trusted applications really, really goes down. And I think the research that I have in my paper kind of at least proves that out in some applications, and in the initial tests that I ran on the generic user profiles I created, for technical users that use a lot of the thick client applications for, like, development, but also for general enterprise users as well.

11:24

How do custom and sort of fat clients fit in there? Like, I'm not familiar with the medical device stuff, but I've seen some of this in insurance, where you have these weird wrapper applications that connect to a mainframe or something like that. How would that sort of fit into that model?

11:47

So as I kind of thought about this, and this is a little bit in my paper too, but not as acute of an appearance, I would say: if you look at your whole group of employees (similarly, we were just focused on workstations for this research, which is why we didn't really look at servers), but if you look at your whole population of employees, there's a very small percentage of those employees that probably use PowerShell, and there's a very small percentage that probably use the command line. Most people don't need access to those utilities for their daily job. They email, they Teams, they do, like... they don't need a lot of things. So you can really kind of isolate your risk for those unique employees that you mention that might need that middleware stuff that may be running on their computer, or maybe, like, a server that they need utilities or stuff to operate on. If you can burn down the risk, versus allowing a hundred percent of your employees access to all these utilities that they're never going to use, down to maybe two percent of the employees that might need them once a year, right, that burns down a lot of risk very quickly. Especially if you adopt kind of the allow list and deny list approach that's been recommended in my research paper, to make sure that what can still be executed by... you're shrinking down the attack surface of what malicious programs and threat actors can execute on a workstation significantly, right? And it's a defense in depth approach. You're not gonna remove all risk, right, but you're definitely gonna prevent the execution of workaday malware and malicious programs through what you're able to do with your hardening and allow listing that we've seen in application control approaches. But that still, at the end of the day, saves a lot of time and energy for incident response and working incidents, because you don't want them to be spending their time on LOLBins, right? You want them to be spending their time on more value-add activities. And really this helps, at the end of the day, reduce that noise that's created in the enterprise for detection of a lot of this stuff, and really focuses the time and energy of those responders on the things that truly do matter, right, that are worth their time and investment.

14:31

Yes. An attacker getting access to a machine and attempting to execute one of those blocked LOLBins, would they still trigger an alert, or would it just not be executed?

14:43

Yeah, so we're strictly kind of talking about Windows right now, in the research I did. But I mean, it still gets logged in Windows logs, which would go to a SIEM or some kind of monitoring solution, right, where it would block it, but it would also note that it blocked it, and what it blocked, and kind of the parent-child relationship with what it blocked, and when it blocked it, and so forth. Like, you get all that information still, which is valuable, to be aware that something was blocked. Because Susan, who's never opened up cmd.exe in the fifteen years she's worked at the company, just executed WMIC from a command prompt. Like, that's never happened in almost two decades, and that's an anomalous behavior you might want to look into, even if it prevented the initial kind of approach for the threat actor, right? So there is still value in detection and response, but it's more focused then, right? Like, you know that you've probably dodged the first bullet, but that doesn't mean you don't want to investigate and make sure that they don't try something different, or don't enumerate your deny list and find something that wasn't on it. You want to know that they hit the deny list, so hopefully it will stop them before they find something that you've got kind of open.

16:07

Exactly. Have you attempted, aside from the research paper, to implement that at the organization?

16:14

Yes, sir. Yes, I mean, in the context of regulated medical devices, it's a very difficult problem, because they're providing therapeutic benefit, and we can't really use availability, denial of availability, as a control. It's a safety risk. So we have to get creative, right? But the silver lining is that we're not building general purpose computers. We're building computers that are designed to do a couple of things very well, in a very predictable way. And you can carve around the capabilities of a computer to do a few things very well, very predictably, through approaches like application control and allow lists and deny lists, to a very fine degree nowadays. So we certainly do kind of apply that approach and those principles to most of our medical devices that are not embedded systems, right, that are running on real-time operating systems or really thin pieces of firmware, footprint-wise, rather than the bigger iron devices we like to think about, that have a large footprint physically and are generally running on Windows or Linux, or kind of a combination of both, and have a few computers. So that's the stuff, and it's a tried and true approach that we're able to leverage. And medical device security for certain medical devices is now within the IT security enterprise we have here, and less on that side of the operations, right? So I'm not familiar with the application control approaches that they've implemented, or the tool suites, but from a regulated medical device side it's certainly an approach we implement.

18:14

And I would think that, since you mentioned availability, one of the selling points could be that it's also more stable if you remove some of the unnecessary junk from it.

18:25

Totally, yeah. It goes back to kind of basic cybersecurity principles: if you're never gonna use it or need it, it's attack surface that can be leveraged, so the best kind of control response is removal, right? So there's a lot of effort done at the beginning of projects that leverage commercial operating systems to remove that attack surface and really, truly harden the image of the operating system down to just what's needed. A little more expansive, like, we have to do software bills of materials for our medical devices and the software now, right? So if you're listing out all the components in your software bill of materials, that is also a good gut check, to say, like, I actually don't need all that stuff, because we don't leverage any of those libraries or any of those utilities. It's a good validation of going down, literally, the list and saying: is this important? Is this really important? Is it in there and we never use it? Get rid of it, actually. And so that is also a good gut check for us in this realm of application control and hardening.

19:38

Yeah. Thank you for joining me here. And the degree program, are you done now, or is this your last one?

19:44

It is really funny, actually. I've been in, I'm in my last class, and I submitted my last assignment, but it hasn't been graded yet. So I have no more work to do, but I'm technically not complete. So I'm sort of in purgatory right now. But I really appreciate the opportunity, and frankly the support from the SANS Institute, to really do my first kind of academic research and spread my wings a little bit.

20:12

Thanks, and I have to check my inbox to see if your paper is already waiting there for me. OK, thank you, and thanks everybody for listening, and talk to you again on Monday.
