
Alrighty, hello everybody, great to see you here today. As you heard from Simon, I am Marcelle. I hail from Maryland in the US, and I'm pretty sure we're having gorgeous fall weather right now without rain, but I'd still rather be in the Cayman. As Simon mentioned, this is my third time at BSides Cayman Islands; it's one of my favorite conferences and I love meeting folks, so I definitely hope to meet quite a few of you while I'm here. You can talk to me about maybe moving here, I'd be down. Anyway, you see what I'm talking about: I went with kind of a beachy theme because I was so excited to be coming down here, I'm like, oh, beach pictures.

So you got a little bit of an intro about me, but I am a principal information security engineer and the lead for threat research at Equinix, and I'm going to tell you about Equinix in a minute. I'm also on the board of directors for a fabulous organization called Women's Society of Cyberjutsu. If you haven't heard of it, well, actually I'm going to have a slide for that too, but there are a few ladies here from Cyberjutsu, some of them are sitting right up here in the second row, Mari is our CEO, so I'll tell you about it in a minute. And then, yes, adjunct professor: I teach at University of Maryland, a variety of certification prep kind of courses primarily. I have four degrees and a lot of certifications, which I did not list here. I am a career changer; I have not always done cyber security. Basically it's been about 12 years now that I've been in the industry. Before that I was not even technical, I was in operations and project management, so I have a very soft spot for users. You will never hear me bash users, because I used to be one of them and I understand the pain. We do not do a good enough job in this world, basically, about making things easier for our users and just enabling them to be more secure. And then I'm Marcelle Lee on most of the social media platforms, LinkedIn, Twitter, whatnot. I really don't use Twitter that much anymore, I kind of don't like it so much, but I am still on there.

So anyway, a bit about Equinix. Who here has actually heard of Equinix before? Well, yes, a few of you. Okay, so it is the world's largest data center company. We have over 260 data centers all around the globe, with 99.99-whatever uptime, but I'm not a salesperson. So anyway, it's a very unique environment to work in, because everything is a threat to us. Consider: we have our standard corporate environment, but we also have ICS and OT, operational technology, because that's what runs our data centers, so think of building management systems and all the things that are connected to that. And then also geopolitical concerns, that's huge for us, right? We're always on the lookout for what might be happening in the world that could impact access to our data centers, or employees, or whatever, so we work a lot with physical security teams and corporate security. All right, that's enough about Equinix.

And then Cyberjutsu, so my slide about Cyberjutsu: this is a nonprofit that's all about getting more diversity in the field, and our focus is primarily gender, but really diversity across the board. Anybody can be a member, you do not have to be a woman, so we encourage people to sign up, and that's the website.

Okay, so what I'm going to talk about today: basically I'm going to cover trends that I'm seeing in the field and talk a little bit also about possible mitigations for some of the things that we're seeing. You all probably just saw John talk, he probably scared you a little bit, and I will continue in that same vein because that's what we do, but hope is not lost for sure. So just quickly, some of the things I'm going to talk about: ransomware, obviously, is very much still a thing; stolen credentials, this is mind-blowing, some of that information; the use of malvertising, SEO poisoning, fake browser updates, so on and so forth; more sophisticated social engineering, which John touched on also; increased use of legitimate services in attacks; increasing supply chain attacks, that's really something that's just growing leaps and bounds; more intense DDoS attacks, like the DDoS attacks of 10 years ago are so nothing compared to what they are now; shorter timing, I'll get into what that means for teams; and then last but not least, malware being written in a variety of different languages. So let's get into each of these.

All right, so first off, the
ransomware threat landscape. It's still super, super prevalent, as I'm sure you all know, but the tactics and techniques that are being used by the threat actors are really getting ramped up. So a few different things that we're seeing, and when I say we, I mean just us in the threat intel industry, right. Increased use by state-sponsored threat groups: this is kind of a departure, because we typically associate ransomware with cyber criminals, but we are seeing more and more state-sponsored groups get into this. For example, there's the North Korea Stonefly group. I'm very much a ripped-from-the-headlines kind of presenter, so you'll see lots of snippets from different news sources and whatnot. I also will have a list of all the links that I'll share out with folks afterwards if they're interested. So yeah, we're seeing this with North Korea, but we're also seeing it with Iran, China, and, well, Russia was always kind of hand in hand with cyber criminals, so that's not that new, but yeah, this is different.

Another thing that we're seeing is just different ways that threat actors are trying to get companies to pay the ransoms. So denial of service attacks: this is something where they're like, okay, if you don't pay the ransom we're going to DoS you until you do, basically. That's becoming fairly prevalent. Swatting, phone calls, so on and so forth. So this is a particularly egregious example, but there was a children's hospital in the US that got breached earlier this year, and, first of all, it's bad enough that threat actors are breaching hospitals. It used to be kind of an unwritten rule that you didn't impact organizations that, you know, could ultimately cause harm to people, but that's so out the window now, everything's fair game. But at any rate, they got the names of patients and were threatening to swat the patients. And if you're not familiar with swatting, it's where you basically make a call or whatever to the police department and say there's some heinous crime happening at an address, and then the whole SWAT team, which is where swatting comes from, shows up and is knocking down the door to say we're here to, you know, take care of whatever. And it's all fake, but they were threatening to do that to patients of this hospital, which is just crazy. Phone calls: so one of the headlines there is one threat group was using phone calls to different people in the executive's family, they were calling his wife and just generally harassing people. So this is all kind of really beyond the pale, and I think it's just going to continue to advance; whatever they can think of to pressure people will continue to be a thing.

Also threats of public exposure. There was one ransomware group that basically said they were going to notify the SEC that the company had not filed their obligatory disclosure about being breached. That's the Securities and Exchange Commission in the US, you're probably familiar with that, and they came up with a new reporting rule last year, I think in December: you have three days to report a material cyber incident. So the threat actors were like, oh well, they didn't report it, so we're going to contact the SEC. So all just kinds of ways to make an impact.

And then the whole exit scam thing. This is interesting too, because a lot of the ransomware groups are operating as ransomware as a service, right, so there's one ransomware group that, you know, is the operator of the program, they probably developed the malware as well, and then they sell this to their affiliates, so there's a whole affiliate program. And John was joking about BlackMatter having that little AI kind of chatbot thing on their site. This stuff is run as a business. It's 100% like a real business, and there's a ton of money to be made, so it's not surprising. But anyway, exit scams are basically when a threat group just decides that they're going to pull up stakes and take off with all the money. So in this case, when BlackCat did that, they left all their affiliates in the lurch, because they just kept all the money and didn't pay out anything to the affiliates. So think about where that leaves you as an organization if you're the one that got ransomed and you've paid the ransom, but meanwhile the ransomware group has just skipped town, and so the person who actually ransomed you didn't get the money, and you've lost the money. And this is just, well okay, this is going to come as a huge surprise to you, but threat actors are not trustworthy. You cannot rely on them to do what they're supposed to do.

So yeah, lots of different things happening in the ransomware space. And, you know, I'll see people talk about targeting of different verticals, so on and so forth, and it always makes me a little insane, because it doesn't matter what industry you're in at all. Ransomware is a crime of opportunity, so if a threat actor can get into your organization relatively easily and, you know, you have any kind of money at all, then they're gonna pop you, and it's nothing to do with whether you're finance or health care or whatever, it's where they can get in.

So this is a screenshot of a dark web post. I think this was BreachForums, if I remember correctly, and just to show you an example of what this looks like: so Fortinet was recently breached, and so they basically just put on the dark web forum a description of what they've done, and then in this case they've also, where I've highlighted in the lower box, said some really unpleasant things about the CEO. But yeah, so this is another one where they're threatening to do the SEC notification. But yeah, this is the kind of stuff that's out there all the time.

So from a mitigation standpoint, one thing that I would recommend is you want to know if your company is being referenced on these dark web forums. You definitely don't want to hear about a possible breach in your environment because somebody saw it on Twitter or something, right? You want to be able to get ahead of it. And I'm not here to sell any services, and I'm not going to talk about our tech stack, but there are tools that you can use to monitor for that kind of activity. You definitely want to know if your company is being mentioned in these kinds of situations. Of course, if you've been ransomed you already know, but
there's a lot of stuff that happens, you know, pre-. All right, so another pretty hot topic is stolen credentials. There is a massive, massive amount of stolen credentials out there in the world right now. And just some of the recent headlines: you know, AT&T got popped, and they stole the records of nearly all the customers, that's millions and millions of people, right, that they've gotten information for. And also ADT, which is a security company, not cyber security but home security, they got breached twice, and basically because of using stolen credentials. And as the one headline says there, stolen credentials have turned SaaS into attackers' playgrounds.

So I'm going to show you on the next slide a little snippet, but this is coming from information stealers, database breaches, so on and so forth, and then just straight-up credential harvesting. So when we talk about phishing, at least in our environment the number one type of phish that we see is a credential harvesting phish, across the board. And so that's basically where, you know, the threat actor sends an email with maybe a link in it, and it's going to go to a fake Microsoft login page or whatever, right. This is very, very common. But I will say, I do this quarterly phishing report for the company, and last quarter our phishing numbers went down dramatically, from 990,000 phishing emails to 60,000 phishing emails in a quarter. That's a huge drop, right? I attribute that to the fact that there's just so many credentials out there that the threat actors don't need to phish for them so much anymore; you can just go on the dark web and buy them. So this is another area where you want to be monitoring for your employees' credentials being out there. It's something that we do internally. Again, I'm not going to espouse any particular tool, but you can definitely get services that will look for that kind of information, because you want to know if you have employee credentials that have been exposed, and potentially with passwords, a lot of times with passwords. Somebody can use that information to get into your environment. And I've seen crazy things like Okta credentials just being totally exposed, not for our company fortunately, but for other companies, and then I'm always like, oh my gosh, I feel like I should tell them or something, but I don't really know how to go about doing that. But yeah, it's a huge thing.

So information stealer malware. I think that John touched on this a little bit in his talk, but basically it's malware that is on your computer doing just what it sounds like: stealing information. So it's going to be any number of different data points, but also a really important thing to know is that these information stealers are quite capable of stealing credentials that you store in your browser. So one piece of advice for you, I'm sure I'll have more than one, but this one is: do not store your credentials in browsers. Do not use Google to store your credentials, Chrome is what I mean really by that, Safari, any of them. Threat actors know how to extract that information and they do, so it's much better to use an actual password manager, a standalone thing. So there's that. And there's a zillion different stealers out there. This is a brand new one I've never even heard of, but I thought the image was kind of cool so I just threw it in the deck. But we see a lot of RedLine Stealer, Lumma Stealer, they're just massively prevalent, and they get delivered to your people usually by phishing, also drive-by downloads. So yeah, they're hard to avoid.

Okay, so screenshot here for you. The one in the middle with the pink, that's me covering up emails and passwords, and this is all related to the Hot Topic breach which just happened. Is anybody familiar with Hot Topic? It's like a clothing store for, like, tweens, I'm not really sure, I don't personally shop there, but they got popped, and it's apparently the largest retail breach ever. This is just from last week, 350 million customers, and basically this is showing logins to the Hot Topic site by various people. There were thousands just in my tool that I was using to find that. So yeah, it's definitely something else that you want to keep an eye on, your employee exposure.

Okay, so malvertising, SEO poisoning, and fake browser updates, woohoo, all the fun things. Malvertising: the screenshot on the one side there with KeePass is an example of malvertising with a bit of SEO poisoning involved. So essentially what happens is threat actors will set up a website that looks like a
legitimate download page. So you'll see this for anything that people are going to commonly Google. So if somebody Googles "download Adobe" whatever, "download KeePass," or download whatever, these results come up, and they're not legitimate, but they come to the top of the list because the threat actors are paying for, like, Google whatever service to promote them. So this is super tricky for your users as well, because if you see a result pop up in Google search at the top, what's the chances that you're going to click on that one, right? I personally always ignore the ones that say sponsored and go further down, because I don't trust that at all. And in this case you wouldn't even be able to tell, because KeePass, that appears to be the actual KeePass domain, but they did a little trick where they used something called punycode, which is sort of like, it's not ASCII, it's like ASCII with a lot more characters. So it looks like ASCII, but it's not; it will actually render as a different domain, but it appears to be the actual one. So it's impossible, nobody could tell that just by looking at it.

And then the other thing is these fake browser updates, and this is really associated a lot with the information stealer malware. We see tons and tons of this kind of thing in our environment. But basically you'll go to, say, that KeePass site, for example, and not the real one, and then you're going to get a popup that looks like that, and it's like, you need to update your browser. And these are really sophisticated campaigns, because they use traffic direction services, which is basically used for the ad industry, right. So you know how if you go to a site, it kind of knows that you're on iPhone or whatever? All this is kind of traffic direction. So basically if I land on this page and I'm using my MacBook, it's going to tell me something like... it wouldn't tell me I needed an Edge browser update, right, because chances are I'm not using Microsoft Edge on my MacBook, I 100% am not, although I think you actually can. So it's very specifically geared to whoever is hitting that page. And again, it looks super realistic, but I will say one thing you can tell your users is that this is not how browsers update, right? Browsers will have a little thing in the corner that you may or may not ever click on that says update. If you have that in the corner of your browser, click on it and update, but it's not going to present like this. So that's definitely an education point that you can work on with your people. Yeah, and this is the part to the last slide, but threat actors are making bank. They have money to spend on things like traffic direction services and SEO, you know, search engine optimization, and so on and so forth.

All right, so more sophisticated social engineering. John touched on this earlier, he was just saying how you used to kind of be able to rely on a phishing email looking kind of poorly written or whatever, but I will tell you that threat actors also use AI, just like we do, and how hard is it to say, craft an email that, you know, is targeting... well, you couldn't say targeting, because then ChatGPT
would be like, no, you can't do that. But you can just define what you want that email to look like, who your intended audiences are, and it will create it for you. Another thing that I see in terms of the use of AI is making very convincing websites. So it's super easy to do; you could basically say, create a website that looks like paypal.com, and it would just generate that HTML code for you. So we definitely see it, but on the good news front, we're also being able to use AI within the security community too, so it does empower us to do better threat detection and things like that.

So these are some examples that came out of our environment. We got a new CEO this year, and I think, I don't even know if she'd started yet, and our employees were starting to get all kinds of smishing, so SMS phishing, right, smishing, that's so hard to say, I don't know who comes up with these. Adam's favorite words, coming up next. But anyway, so yeah, the threat actors, if they had their eye on Equinix, they're gonna be like, oh, there's this new CEO, let's see if we can phish some people. And this particular one, I think it was WhatsApp. You know, we have a huge presence in EMEA, and lots of people use WhatsApp over there, so we do see tons of targeting that way. But yeah, it looks like Adaire, that's not Adaire's phone number, and it was definitely very targeted though, it was for a very specific person. We've seen campaigns like this in the past where they reach out by email, but then they're like, can we take the conversation over to WhatsApp or some other channel that's not a sanctioned communications channel. And the whole point is that they're trying to get around your internal security controls, because chances are you're not monitoring WhatsApp conversations, right? Although it would be a good idea to do that, probably, because of data loss prevention. But anyway, so as soon as they get to taking it off, you know, the main comms channel, then negotiations start in earnest. And one that we saw not too long ago, there was somebody in finance who was being targeted, and she went and, you know, took the conversation offline or whatever, and they were very subtle in asking her for information, but then basically it came down to they were asking her to do some financial transaction, and she finally was like, oh wait a minute, this is a little suspicious, and, you know, good on her, she reported the whole thing and shared all the comms, so we got to see all that. But yeah, I know I said the thing about opportunistic, but there's definitely threat actors that could be targeting your organization very specifically, and with Equinix we see that all the time, right. They might want to get into us just because we're a Fortune 500 company, so we probably have some money, but also because we have really high-profile customers. Chances are, I don't know, something like 90% of all internet traffic goes through our data centers each day, so your data probably has flowed through at some point or another, or you might even be a customer. But yeah, so the potential for access to high-profile government, whatever, customers is one reason that we're specifically targeted.

The other example there is, it was a phishing email, and there was a Word doc that was attached to it, or maybe it was a link to a Word doc, I forget which, it could be either, of course. And within that Word doc, and this is Chinese language, it was actually targeting an employee that we had in Hong Kong. I forget exactly what it says, but something like, click here to, you know, access the document or whatever, or not click here. So this is called quishing, which is QR code phishing, and I have to say Adam hates that word, I kind of hate it too, like, oh, so quishy. But anyway, I find it baffling. I can't even imagine a part of my day where I would get an email that had a QR code in it, so I'm gonna get my phone and scan that QR code on my laptop or whatever. But people do it; these are wildly successful, so there's definitely something to educate your users on. Nobody's sending you anything legitimate with a QR code. And I think, unfortunately, with the pandemic QR codes became kind of normalized, because they were used a lot for, I don't know, menus and that sort of thing, so people got used to clicking QR codes. But it's not just phishing, I've read reports about QR codes on EV charging stations, for example. You go and it's like, scan the code so you can sign up to pay for your electric vehicle charging or whatever, and it's not, it's malware. So people are apparently just going around and slapping up malicious QR codes all over the place. So try to get people to stay away from using QR codes.

Okay, so another thing that I find particularly challenging is the use of legitimate services in threat activity. So many different examples, but workers.dev, if you... and again, here I'm going to espouse having a phishing solution or an email security solution of some sort, if you're able to, because it's
just crazy out there, all the phishing. But workers.dev is a very legitimate service, and the little code snippet there is basically four lines of code: you stand up a subdomain at this workers.dev thing, and it's super, super easy. Threat actors use it all the time; we get hundreds and hundreds of these workers.dev phishing emails in our environment. And it's tricky, because you can't really block workers.dev, right, it's a legitimate site. And it's the same thing also with IPFS. IPFS is the InterPlanetary File System, and it's kind of this weird peer-to-peer file sharing thing, but it's legitimate, it's used for whatever legit purposes, but again, tons and tons of phishing that comes in. So I mean, you could at least maybe tune your security tools to say, double check anything that's coming from these known domains. But then you get into search engines. So we're seeing a ton of phishing links, or malicious links, being distributed as basically a search engine result. So the first thing somebody's going to see on that second little box there is bing.com. Who's going to look any further on that? They're just like, oh, bing.com, this is safe. It's not, because it's literally pointing to a malicious domain, which they just do rather easily by manipulating the search results.

And then another interesting one that we saw just in the past couple of weeks. And here I'll give a shout-out for information sharing. We have something called ISACs in the United States, which literally is Information Sharing, I always forget the A, the C, Consortium, I don't know, anyway, you get the idea. And so for my organization, we belong to the IT-ISAC, which is for IT-related companies, and we also belong to the Real Estate ISAC, because we are organized as a real estate investment trust, so that's relevant for us too. So you know, you might not have that here in the Cayman, but any kind of intel sharing relationship you can get into, I highly recommend that, because you just will get stuff before, you know, other people do, and you might get tipped to different kinds of campaigns. So the TikTok thing actually came up in an IT-ISAC weekly technical committee call, and somebody was just like, hey, has anybody seen this TikTok phishing? And I immediately log into our email security thing and I'm like, boom, yes, we are seeing this. But this was a really interesting campaign, because it made use of so many different legitimate services. So okay, is TikTok a legitimate service? I'm not 100% sure, but we'll just put it in that category for now, right. So yeah, so they were using TikTok, and basically it was a video link, but in that whole long link there you'll also see where it says google.com and then the slashes and amp. That's the Google AMP service, and it's something about optimizing search results or whatever. I always learn something new every time I research one of these, because I'm like, what's Google AMP? I've never heard of it. They also use Cloudflare to add legitimacy to the whole phishing thing. Like, if you come across a Cloudflare, you know, "are you a robot," or a check to make sure you're a real person or whatever, you're probably not going to think that that's a malicious site. But again, threat actors are using these services that, you know, you have to pay for; they're not doing everything on the cheap like I feel like they used to. And then ultimately you get to that skycom doc com.sg domain, which resolves to credential harvesting, Microsoft, right, or Outlook in this case. So it makes it very hard to keep track of all this stuff. And it's really impossible to do email blocking based on domains, it's just not effective, because there's a zillion new domains all the time that are being spun up. But you can certainly look for certain behaviors and that kind of thing, and that's gonna stand you in good
stead. Okay, so supply chain attacks. This is something that, as I mentioned earlier, is becoming more and more prevalent. As it says there in the little subheading or whatever, a company's billion-dollar cyber security program is only as good as its smallest vendor's cyber security program, and threat actors are definitely well aware of this. So they're looking at organizations, companies that might be used broadly by others, so like Okta, for example. ServiceNow, this just came up yesterday: ServiceNow is being... well, I don't know if they were actually breached or what happened, but let's just say there's something going on with ServiceNow, so we might want to check that out in your environment. But yeah, so software companies are a prime target. Hardware, so like, say, for example, got breached; how many companies are using Cisco equipment? Loads of them, right. Third-party services, delivery systems, so on and so forth, really the sky's the limit. And so the different attack methods that we're seeing here are malware, of course, social engineering, vulnerability exploitation, and credential theft. So credential theft we've kind of talked about a little bit already, but a lot of that is information stealers, which again, I can't even say how prevalent they are, it's crazy, and also the credential harvesting that we talked about. So vulnerability exploitation, I just want to pause there for a second, because these are the three main ways that threat actors are getting into your environment, right: it's exploitation of vulnerabilities in internet-facing devices, the credentials, any kind of credential abuse basically, and phishing. These are the top three ways that people are getting in. It is nothing typically super sophisticated. You know, you'll see companies report about being breached, but they were like, it was clearly a very sophisticated whatever, and it was probably some 13-year-old sitting in their mom's basement, right. But it looks better to say it was very sophisticated. Anyway, so vulnerability exploitation is huge, and what you really need to be aware of is your attack surface, right. And there's so many organizations that I see, talk to, whatever, where they don't really even know what assets they have, let alone what's hanging out there on the internet. And if you don't know, then how do you protect those assets? And examples of things that might be exposed are, obviously, email servers; they have to be exposed to the internet in order to work, right. But again, are your email servers all up to date with patches and so on and so forth? If they're not, they should be, but you don't really know this if you're not paying attention to that attack surface, basically. There's an open-source tool called Shodan, S-H-O-D-A-N, where you can look for free for your company's name or whatever and see what's out there. But again, there are also services that you can buy, so basically vulnerability management and attack surface management.

All right, so just some numbers here. This is actually a slide I put together for some board presentations, so you notice it's different than my other slides, because I mostly do lots of pictures and this one's lots of words, but that's how they liked it for the board thing. So supply-chain-enabled ransomware attacks generated 500 billion US dollars in ransom payments in the first half of 2023, which was all the stats that I could find. That's so much money. Like when I said before, threat actors are making bank, they really are, it's crazy. And then another thing was, by 2025, 45% of organizations will have experienced some sort of supply chain attack, three times the level of 2021. And then basically this next stat I find particularly compelling, because it's 150 companies provide 90% of global tech products, but the top 15 provide 62%. So that means 62% of companies are using something from this top 15 list, and unfortunately they didn't provide the companies, because I would have liked to have seen that list. But anyway, they had below-average security scores, and that does not make me feel warm and fuzzy, right. So a huge part of the world is relying on these companies to provide whatever service, and their security is not up to snuff. So obviously, know your supplier is a thing. Another program: if you don't have this happening in your environment, I highly recommend it. Again, there are tools that do this for you, but at the minimum, when you're onboarding a supplier you should be asking them questions about their tech stack and their security and all that kind of thing. You don't want to sign up for somebody with janky security, basically. So it's something that you can incorporate for sure into
your onboarding of suppliers. Okay, so this is just an example of a recent, well, it was the summer, polyfill supply chain attack. So polyfills are basically little code snippets, and this is again, as a threat researcher you learn about so many random things, because I'm like, what's a polyfill? So I had to ask Google, of course. But yeah, little code snippets that basically contain links to redirect to another site. And so this one domain, cdn.polyfill.io, belonged to somebody, and I guess they just let the domain expire; it was an old project they weren't actively managing anymore. And a Chinese company, and you read into that what you
want, snapped that domain up and then basically started using the domain, which is embedded into a zillion websites, to redirect people to malicious domains. So pretty crafty, right? And the thing that is very compelling to me about this is they must have been waiting for this domain to expire, and then they just hopped on it right away. So threat actors are definitely looking for ways to do these supply chain attacks. Fortunately, somebody basically sinkholed the domain or something, and it turned out to not be a massive thing; you might not have even heard about it. But it had the potential to be a massive, you
know, global kind of issue. So it was primarily being used to send people to gambling sites, but it could have been used for anything, right? So, interesting case study. Okay, and on to distributed denial-of-service attacks. Again, I mentioned earlier we're seeing these just crazy, crazy intense DDoS attacks. So Cloudflare, of course, has an eye on what's happening in the DDoS space, and they reported that 4.2 terabits per second is the worst DDoS attack that they've seen. Think about that: 4.2 terabits per second being directed at your web server, whatever resource, right? Pretty much anything is going to fall over if you get that much traffic sent to it, and even Cloudflare
can't necessarily help you with that one. We're also seeing more application-layer DDoS attacks, and not all firewalls are capable of detecting that. It is something that you want to check your web application firewall for. And the things that threat actors tend to go after: they don't necessarily care about your website being taken down. That was a thing where it was more of a hacktivist kind of thing, but now they're going after your API endpoints, your customer login portals, things like that. If you take those down, it's going to be problematic for people to access their environments or do business with your
organization. Let's see, what else? Yeah, just some stats there about DDoS attacks, but a 150% increase globally since 2021; I mean, that's pretty huge. A new cyber attack occurs every 39 seconds. Oh my, how many have happened just while I've been up here talking? Quite a few, hopefully not in the Cayman. Anyway, I'm not going to read all the things to you, but DDoS is something to be concerned about. And so this is where, you know, I mentioned looking at your web application firewalls, or the provider that does that for you, and just make sure that you're tuned sufficiently to withstand an intense DDoS attack. You may or may not be, and you don't want to wait
until you have an attack to find out. So that's a tuning thing that you can do for sure. And then also just being aware of those exposed portals, API endpoints, all that kind of stuff: know those and make sure they're protected. You want them to be behind some kind of DDoS protection. Equinix is not immune to DDoS attacks. This was actually from last year, and Anonymous Sudan, who's a well-known hacktivist group and recently just had a couple of their members arrested, said, hey, we're going to start taking out companies, and the first one we're going to go after is Equinix. Why, we don't know, but again,
this was our dark web monitoring, right? So we saw this before they even did it, and, I mean, it wasn't a very exciting DDoS attack, but they did do it. So it can happen to anyone. All right, I'm going to try to wrap it up; I'm almost finished. Shorter timing increases pressure, so this is a big deal, right? John showed in his thing like two seconds or whatever for ransomware to be deployed and infect or, you know, encrypt an entire box. But that's not even the thing that concerns me too much. Really, you need to take care of all the stuff that happens before ransomware deployment, so think of all
the phases of an attack, right? Use the MITRE ATT&CK framework if you don't already, and Adam can tell you more about that. But, you know, how are they getting in? What's that initial access vector? What are they doing when they're in your environment? These are all things that you can detect. Once ransomware has been deployed, it's basically too late, right? You want to stop the activity before it happens or gets to that level. But the dwell time thing is interesting to me, because it used to be that the average dwell time was something like, oh no, 120 days, so how long the threat actors were in your environment before they did
whatever they're going to do, so ransomware encryption or data exfiltration, or both, as is often the case. That dwell time is shortening dramatically, and so that's a Secureworks report they're talking about: 24 hours for you to be able to detect something happening before it leads to ransomware or whatever. But in only 24 hours, that's really hard, that's super hard; nobody usually would even have the cycles to detect that. So that concerns me a lot. And then also the time to market for vulnerability exploits. So you'll have a new vulnerability come out, and it is not long before there is a working proof-of-concept exploit or just straight-up
exploitation in the wild. And it's a bit tricky, because, you know, with responsible disclosure people do need to share how they exploited that vulnerability, but then of course it's also used by threat actors. They're like, oh, perfect, somebody created a PoC, we'll just work that for our own measures. And then the SEC filing deadlines. I mentioned that before: three days in the US to report a material cyber incident. Everybody's scrambling right now to figure out what is material, and I'm sure you all probably have something similar. All right, and last but not least, malware written in a variety of languages. Why do we care about this? We
care about it because that makes malware more multiplatform, right? So it used to be that the vast majority of malware was written for Windows, and that's simply because there are a lot of Windows computers out there. But we're seeing malware now being written specifically for Macs or Linux. So there's some sort of false comfort when you're on a Mac or whatever, that you think you're maybe not going to get a virus, but that is 100% not true; you absolutely can on a Mac. And then when you think about Linux, you're probably like, well, I don't have any Linux computers, but almost all the web servers in the world are Linux,
Apache for the most part, right? So very, very common, very targeted. And then think about all your Docker systems, your virtual environments, all these things; you know, malware is being written specifically for those environments. Okay, I think I am right at the end, but anyway, that was it. This is my email if you want to reach out about anything. I will share the links and the deck and stuff probably on my GitHub later. But yeah, it's been a pleasure talking with you all. Thank you. And I don't know if we have time for questions or not. A minute? All right, does anybody have a question? Oh, I see one, all the way in the
back. Lindsay's the runner.
Hi. First of all, nice to see you again; I was on the panel last time at BSides, that's right. Welcome back to Cayman. I just wanted to add on your point about quishing and using QR codes, something that is relevant to Cayman: what we're seeing a lot of is, with the rise of the crypto industry, a lot of people use Telegram, and a lot of people add each other on Telegram, so there's a lot of stuff happening with that, because there are obvious scams where you can use it in the wrong way and add another device by mistake, especially if two-factor is not enabled. And this is something that I feel, for Cayman
industries, is more relevant.

Yeah, for sure. Telegram, really any comms platform, is either being targeted by threat actors or used by threat actors, or both, right? So a lot of the threat actor activity that we see is on Telegram, and that's something that we also monitor for, using those platforms that I was talking about before for dark web and other kinds of activity. Good question, or good comment. All right, any other questions? All right, I think that might be it then. So, [Applause]
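Added example for the polyfill.io case discussed in the talk (this is my code, written for this write-up; it is not the speaker's material). The lesson of that incident is that a `<script src>` pointing at a third-party host runs whatever that host serves next, and the control a site owner actually has is Subresource Integrity: pin the script to a hash of a vetted copy so the browser refuses a swapped file. The script below finds third-party `<script>` tags that carry no `integrity` attribute, and computes and verifies the `sha384-...` value for a known-good copy the way a browser does (strongest listed algorithm wins). The HTML, the script body and the host `static.example.net` with its placeholder integrity value are constructed for the example.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script, one third-party script
# pinned with SRI (placeholder hash, hypothetical host), and one unpinned
# third-party script of the kind that bit sites embedding cdn.polyfill.io.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://static.example.net/lib.min.js"
        integrity="sha384-placeholder" crossorigin="anonymous"></script>
</head><body></body></html>"""


class _ScriptCollector(HTMLParser):
    """Collect every <script src=...> tag with its integrity attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)  # attribute names are lowercased by HTMLParser
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def find_unpinned_third_party_scripts(html, first_party_host):
    """Return src URLs loaded from another host without an integrity attribute."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        host = urlparse(s["src"]).netloc.lower()  # '' for relative URLs
        if not host or host == first_party_host.lower():
            continue  # same-origin: not a third-party dependency
        if not s["integrity"]:
            findings.append(s["src"])
    return findings


_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Compute the integrity attribute value for a vetted copy of a script."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check content against an integrity attribute the way a browser does:
    parse all tokens, keep only the strongest algorithm present, and accept
    if any of those digests matches. Unlike a browser, which loads the
    resource unchecked when no token is recognised, this fails closed."""
    candidates = []
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo not in _STRENGTH:
            continue
        try:
            candidates.append((algo, base64.b64decode(b64, validate=True)))
        except ValueError:
            continue  # malformed base64: ignore this token
    if not candidates:
        return False
    strongest = max(_STRENGTH[a] for a, _ in candidates)
    return any(
        hmac.compare_digest(hashlib.new(a, content).digest(), d)
        for a, d in candidates
        if _STRENGTH[a] == strongest
    )


if __name__ == "__main__":
    for src in find_unpinned_third_party_scripts(SAMPLE_HTML, "www.example.com"):
        print("unpinned third-party script:", src)
    vetted = b"window.polyfilled = true;"  # constructed stand-in for a reviewed copy
    print("pin with:", sri_hash(vetted))
```

One caveat a practitioner should know before reaching for SRI: it only works for a file whose bytes never change. A service that tailors the script to the requesting browser, which is how polyfill.io worked, cannot be pinned at all, so for that class of dependency the fix is to self-host a reviewed copy (and pin that) or remove the tag.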
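Added example for the application-layer DDoS point in the talk (my code for this write-up, not the speaker's). The speaker's advice is to know which login portals and API endpoints are exposed and to tune protection before an attack rather than during one. The script below is the kind of check you can run over existing web server logs to find that tuning point: it parses combined-format access log lines, counts requests per source only against watched endpoints, and reports any source whose peak rate in a sliding window exceeds a threshold. The log lines are constructed, the IPs come from documentation ranges, and the threshold of 30 requests per 10 seconds is an assumed value you would set from your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def peak_rate(timestamps, window):
    """Largest number of events inside any window of the given length.
    Two-pointer sweep over sorted timestamps; O(n)."""
    best = start = 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_l7_floods(lines, watched_prefixes=("/api/", "/login"),
                   window_seconds=10, threshold=30):
    """Map source IP -> peak request count for sources that exceed the
    threshold on watched endpoints. Static assets and unknown paths are
    ignored: a crawler hammering /static/ is not the attack the speaker
    describes, a bot hammering /login or /api/ is."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(watched_prefixes):
            continue
        per_ip[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak = peak_rate(stamps, window)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def _line(ip, t, path, status=200):
    """Render one constructed combined-format log line."""
    return (f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"POST {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


def build_sample_log():
    """Constructed log: one credential-stuffing style flood on /login,
    one normal API user, and one noisy but harmless static-asset crawler."""
    base = datetime(2024, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):  # 203.0.113.7: 60 POSTs to /login inside 6 seconds
        lines.append(_line("203.0.113.7", base + timedelta(milliseconds=100 * i), "/login", 401))
    for i in range(5):   # 198.51.100.4: 5 API calls spread over a minute
        lines.append(_line("198.51.100.4", base + timedelta(seconds=12 * i), "/api/v1/orders"))
    for i in range(100):  # 192.0.2.9: 100 hits on a stylesheet, not a watched endpoint
        lines.append(_line("192.0.2.9", base + timedelta(milliseconds=50 * i), "/static/app.css"))
    return lines


if __name__ == "__main__":
    for ip, peak in find_l7_floods(build_sample_log()).items():
        print(f"{ip}: peak {peak} requests on watched endpoints within 10s")
```

The same endpoint list and threshold are what you would feed into a WAF or edge rate-limit rule; running the check over historical logs first shows what your real users' peak looks like, so the limit you set blocks the bot without locking out the customer who refreshes the login page a few times.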