Maria Vermazes (13:29)

For years now we've seen a convergence and there's, if you look at our customer base from governments, financial institutions all across the board, there used to be a lot of like, oh, but we're not risk of an APT like a nation state or we're more inclined to cyber criminal and all these things. And what we've been seeing in the, in the course of several years now is that it's, it's becoming such a gray area even for our customers. You cannot say like, well, we're more at risk of an APT versus a cybercriminal because yeah, they're working together, working as proxies. So we Our researcher Tomer in the team, who's very, very talented, he took it upon himself to lay this down and explain it that there's, it's the time of attribution that you had in the past that could be very easily done is becoming harder and harder and it might actually be that you're attacked by a cybercriminal, but the ulterior motive is that it's state directed or it actually is a state actor going after your financials. So it's, it's not as easy as it, or as clear as it, as it looks used to look.

John Focker (14:43)

Can we dig into some of the details here? I mean what are some of the ways that we're seeing a lot of this crossover? Can you share some specifics?

Maria Vermazes (14:52)

Oh, totally, totally. Like things that we've seen very much being adopted on both sides is living off the land. We noticed that. And that makes attribution harder. Right. You know, you're using the tools that are either non malicious or they're actually present on the victim system, on the, in the network. So you kind of go under the radar. But it also makes it harder for a lot of your security tools to distinguish because it's not necessarily you using a malicious binary. You're just using something which was designed for good but with bad intent. And we see that being used by as well as cybercriminals as well as apt actors. So on the cybercriminal side, a lot of the ransomware gangs using a lot of the living off the land just because they, they, they don't want to be detected. And it's very useful, you don't have to smuggle anything in and you can exfiltrate data out or you can just elevate well, you can work your way through the network. At the same time, if we look at a group, let's say full Typhoon is very, very competent in using living off the land as well. To get to their objective, they often attack like edge routers, but then they move through the network laterally and they use a lot of living off the land. And this is just the tools, obviously. I have a background in law enforcement before I joined the private sector. And it's funny, I'm from the Netherlands and we have a very, I would like to say competent cybercrime teams that work a lot with the FBI and the Netherlands is known for bad hosting. And I can recall many times I had to go to a hosting provider which was considered then a bulletproof hoster and they would comply eventually. But it could have been of a request of an intelligence agency that there is actually a system being used by a state sponsored actor or it was a cyber System, was a C2 server for a cybercriminal team. So for me that says like, hey, they're using the same infrastructure because it was the same hosting provider. It was. So we're coming to the same area, the same registration, but it was just a different group, so they're using infrastructure as well.

John Focker (16:59)

Well, despite this convergence here, are there still differences that are apparent or are there different skill levels? What are some of the things that when you're looking at the techniques here that differentiate between the two to this day?

Maria Vermazes (17:15)

Yeah, that's a good question. Like if I say skill level, if we take the low bin stuff, I think if you compare let's say a ransomware group with an APT group and the APT group is not aimed to disrupt, but they're doing classic espionage, we would see that they stay low and slow and they take their time, whereas the ransomware teams are up against the clock. So they allowing them, they are allowing themselves to make a little bit more noise in order to get to their objective because their goal is essentially different. What we also see is a lot of the more refined exploit discovery development. So vulnerability discovery and then exploit development is usually done by the nation state groups, the state sponsored groups, they're far more skilled at that. And like the Midnight Blizzard, how they've been using these cloud based attacks, that's something that we have yet. Well, to see at that scale and sophistication by cybercriminal actors and yeah, we almost cannot talk any podcast without mentioning AI. So we see on both sides of the spectrum they're adopting to AI, whereas I can see that cybercriminals are adopting it for a code base and solving problems they have and speeding up their, their operation. However. Well, you know just as well as I do that cyber criminal activity is. It's not operating in a vacuum. They're always dependent on key services that are like in the kill chain, left or right of them, whereas APT actors have a lot of that stuff in house. So you would see more refined usage of AI in their attacks by state actors versus cyber criminals.

John Focker (19:08)

You know John, I've seen folks when they're looking at this blurring of lines say that attribution doesn't really matter anymore. Do you go along with that statement or is there still value there?

Maria Vermazes (19:23)

Well, depends on who you talk to. Like I yet have to see a CEO that is not interested in like who stole My wallet type of analogy. But at the same time, the, the people that we interact with and that use like our, our software and, and they use our, our, our solutions and the actual people in the trenches. Very often, yeah, attribution can help speed things up, but it is the outcome of the process you go through. That's the way I see it. So it's an important factor. But when you get breached or you're dealing with an incident, it's not always the most pressing at hand because, yeah, you have to kick off threat hunting, you have to find patient zero, you're going in a full IR cycle and by doing so, and you're using threat intelligence and you might have hypotheses forming. And I think that's a very healthy thing to do for every security practitioner to say, like, okay, what kind of adversary are we dealing with and what can we expect from such an adversary of other tools that they might use or other, or their intent? And then you could base your hunting off of that. I think that's very helpful. But while you're doing this, you kind of fill in the blanks and eventually the outcome of your full investigation would probably lead to an attribution of an actor of such kind. Um, and yeah, with ransomware, it's very obvious when you, if you wait long enough, they'll make themselves known and you get an, as our friends at Google say, a third party notification from the threat actor in their, in their State of the Union talk. I love, I love that statement, by the way. And yeah, they make themselves known and you know who you're dealing with.

John Focker (21:19)

Well, given this reality of this, this blending, this blurring as, as you all describe it, what are your recommendations then for folks who are tasked with defending their organizations, given that this is the reality.

Maria Vermazes (21:33)

Yeah, that's some, some good advice I would give is like, and you can use this, you can do this in multiple ways. But is to do a threat modeling exercise.

John Focker (21:44)

Yes.

Maria Vermazes (21:44)

You need to study the threat actors that are prevalent in your sector. That's healthy. Knew that you need to do that. But don't have that blind, that bias that you only think like, okay, no, we're only dealing with apt and no ransomware. Because be honest, if you have a vulnerability somewhere and somebody can get in, yeah, you don't know who's in until they're in and then they can wreak havoc. And that could be a cyber criminal actor. It could be even hectic. But looking at the threat landscape, looking at all the different threats that might attack you and Then overlaying those ttps, looking at, okay, what are the commonalities, what are some of the, the overlap points that they all have to do? They all have to escalate privileges, they all have to maybe use certain credentials, they all have to do X, Y or Z. And when you identify those points, you can actually look at your security controls and see, okay, are we protected against this or are there controls missing or can we adjust our current controls to have coverage? Or if we're blind, is there anything we can do with threat hunting? So can we kick off some proactive threat hunting in our environment just to get better eyes on, to study, to see and maybe there's evidence of a breach. So there's all these things we would say like, okay, study all. And nowadays, luckily that's a lot easier than it is to do than it was a couple of years back. So even with some AI, you can create some pretty elaborate stuff and you can drill down and see how your security posture is scaling up towards a multitude on actors. But every actor, initial access or whatever, they'll move on your network. So I always say, or often say, like your chance to detect them is really on that period when they first enter to their final objective. And that doesn't matter if it's a ransomware actor or an apt actor. They have to move for your network. So knowing your network and knowing what the anomalies are, that's key.

John Focker (23:47)

That's John Focker, head of threat intelligence at Trellix. We'll have a link to their publication in our show notes. And now a message from our sponsor. Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs. Yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever With AI tools, it's time to rethink your security. Zscaler Zero Trust+AI stops attackers by hiding your attack surface. Making apps and IPs invisible. Eliminating lateral movement. Connecting users only to specific apps, not the entire network. Continuously verifying every request based on identity and context. Simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more@Zscaler.com Security.

Dave Bittner (25:24)

This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify, the global commerce platform that supercharges your selling. Wherever you sell with Shopify, you'll harness the same intuitive features, trusted apps, and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at shopify.com tech. All lowercase. That's shopify.com tech and finally, it is.

John Focker (26:01)

The United Nations International Day for Women and Girls in Science. It's a day worth celebrating. Here's N2K's Maria Vermazes with more.

Dave Bittner (26:14)

Today, February 11th is the International Day of Women and Girls in Science. This one's personal I grew up in a house where science and engineering were revered and encouraged at every turn. My peer group in high school were other science minded girls like me. There's a photo in my high school yearbook of our computer club that always makes me chuckle because there I am, off to the side, the only girl. It's a dynamic that you get used to even at engineering school and college, not unlike high school, it wasn't unusual to be the only young woman in a lab, or maybe one of a handful in a large seminar. It was easy for us to remember each other. US engineering school women would often become friends, toiling away at problem sets and study rooms for hours every day, sharing notes, helping each other prep for exams, rotating who would go to office hours. And it's funny, outside of engineering, many of us probably wouldn't have been friends. We really didn't have all that much in common interest wise. But we knew what we were all up against. So we banded together for survival. I'll skip to the chase. We were the class of 2005, so it's been 20 years. Many of the women I knew from those days went into their chosen fields after graduating. But now, these decades on, of the dozens of women that I knew starting their careers in science and engineering, maybe four are still working in them now. Career changes happen for all sorts of reasons, like in my case, where it simply is just not the right field for you. It happens, but sometimes it's the result of a slow fade, where over the years you have to keep fighting an invisible war and sometimes you simply get tired of it. Whatever you want to call it, a retention problem, a cultural problem, it goes way beyond any federal mandate or national border. And there are conversations happening, said and unsaid, especially right now, about whose stories are celebrated, whose competence and credibility is celebrated, who rises in the ranks with like minded peers whose accomplishments are worth a damn. Who is a merited hire. In other words, in science and engineering, who belongs? Well, women do. This is only the 10th anniversary of international Girls and Women in Science Day. So all you trailblazers toiling long hours over problem sets, labs, trials, reams and reams of data connecting with that spark of joy that ignited that love of science. Ladies, I see you. Our world needs your perspective and your expertise more than ever. Keep fighting out of spite for the haters if nothing else. And please remember, even if you are the only one in the room, you belong.

John Focker (28:51)

That's N2K's Maria Vermazes, host of the N2K T minus Daily Space Podcast. We'll have a link with more information about the International Day of Women and Girls in Science celebration. You can find that in our show Notes and that's the Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our Executive Prod Producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Alice Carruth (30:34)

Hey everyone, grab your favorite bug and put the kettle back on the stove because afternoon Cyber tea is coming back this season. I am joined by an all star team of thought leaders and industry experts to dive into the critical trends that are shaping the future of cybersecurity. We will explore how these technologies are revolutionizing the way we work, the way we live, and the way we interact with the world around us. And as always, we will be bringing you thought provoking discussions and fresh perspectives on what is driving the future of cybersecurity and what leaders can do now to protect their teams. Tomorrow, new episodes will be coming to you in February every other Tuesday, so subscribe now wherever you get your favorite podcasts.