
In this episode of Data Security Decoded, Allison Wikoff, a 20-year cybersecurity veteran and threat intelligence expert, cuts through the noise and identifies some unique threats within today's security landscape. From the surprising shift toward exploiting old vulnerabilities to the reality of AI-powered attacks, discover why the fundamentals of cybersecurity matter more than ever. Whether you're a CISO navigating supply chain risks or a security analyst trying to separate hype from reality, this episode delivers practical intelligence from someone who tracks threats for a living.
• Understand why known vulnerabilities have become the dominant attack vector (even for criminal groups)
• Learn to identify and manage third-party risks before they become ransomware nightmares
• Discover the truth about AI attacks and why they're not as revolutionary as headlines suggest
• Get actionable steps to strengthen your security posture without massive budget increases
A
The use of vulnerabilities honestly surprised us in terms of being a dominant way that threat actors were getting into organizations. You know, the initial access vector generally in the past, when people think about the use of vulnerabilities or vulnerability exploitation when getting into organizations, they think of it more with the espionage aligned threat actors versus the criminally motivated ones. What I can tell you is everyone's using it now.
B
Welcome to another episode of Data Security Decoded by Rubrik Zero Labs. I'm your host, Caleb Tolan, and if this is your first time joining us, welcome to the show. Make sure you hit that subscribe button so you're notified of new episodes. If you're already a subscriber, thanks for coming back. Give us a rating. Drop a comment below, let us know what you think of the episode. Your feedback is invaluable to us. Now, in this episode, I had the pleasure of sitting down with Allison Wikoff, Director of Global Threat Intelligence at PwC. Allison has decades of experience in cyber threat intelligence, incident response, and network defense in the public sector, healthcare technology, you name it. We had a great conversation on securing software supply chains, the rise in attacks targeting old vulnerabilities, which I think you'll find particularly interesting, and the hotspot in Florida you need to check out this summer for your next vacation. I really enjoyed speaking with Allison. I think we had a fascinating conversation. I hope you enjoy it just as much as I did. So without further ado, let's dive in. Allison, thank you so much for joining us on the podcast. I'm really excited to have this conversation today with you, but I'd really love to start with a little bit about your background. And it seems like you've spent most of your career in information security, which is pretty rare. I mean, most of the people I speak to come from pretty diverse backgrounds, whether it be like someone in biology or someone who came over from physical security. But you seem to have spent most of your career within the information security space and in threat intelligence. So what initially drew you to this space and what keeps you around?
A
That's a great question. And yes, I've been in this space for over 20 years, which is really hard to believe, but I kind of fell into it. So I did both my degrees in business, but I interned doing security work and then sort of took it from there. What has kept me in the space is I am inherently very curious, or nosy, you could say, which makes for usually a pretty decent analyst. And you know, threat intelligence is a space that constantly changes and I don't like to be bored and this is certainly not a boring field at all. So like the 20 years has gone by like a blink of an eye. It's been nuts that I've been doing this this long, but I'm fortunate. It's a very fun yet challenging job.
B
Right. And you get to work with some really awesome people who are very mission driven. And you know, most of the people I met who are in threat intelligence are characters themselves. So you get to work with really, really fascinating people too. So that's awesome for sure.
A
It's a great community.
B
Yeah, definitely.
A
Cool.
B
Well, I'd love to dive into, you know, some timely topics. Right now we are seeing a pretty intense wave of retail attacks. And I'd love to know, just based off of your experience and what you're witnessing, what your take on the situation is.
A
There's a lot going on, right, in the space in general. And if I think about some of the takeaways for the retail sector, when they think about everything that's happening, one, it's really putting a spotlight on the supply chain. So we've talked about this for years in the industry about it's not just protecting your organization itself, but understanding your supply chain and how something within your supply chain might impact you more broadly in terms of delivering your goods or services. And then the second thing that we're seeing in this space is just how effective some really targeted social engineering can be and how important it is not just to have technical controls in place to defend your organization and, but really specific training. So with some of the retail attacks that we've seen over the past six months, a lot of it shines a light on multifactor authentication. A lot of the KYC or know your customer stuff that FAQs do is now starting to be applied to validating your employees when they call in to get their, their passwords reset. But again, a lot of these things that we've been seeing are there's not some awesome tool or some great company that you can come hire in to help defend against these threats. It's, it's multifaceted and it is, a lot of it is a very specific training issue. Not issue, but opportunity within your company.
B
Right, right. So often it's just about going back to the basics. And I'm glad you mentioned the piece about supply chain and securing that with your third party vendors. We'll dive into that a little bit later in the conversation too. But I obviously, you know, want to explore one more hot trend with you and that's the explosion of generative AI. It's been really fascinating to see how that has grown over the past couple of years. And I'd love to hear what your take is on any trends you're seeing on both the attacker side and the defender side and how they're leveraging AI today.
A
So I think we're really in like, the, the beginning stages of what, like the art of the possible is with AI in terms of network defense. I mean, everybody is looking at how we can use it to more effectively defend our networks. Obviously now I live in the threat actor space, so I spend most of my time with my team trying to understand what the threat actors are doing and how they're doing it, so we can inform our clients on how to defend against it. And, you know, when AI came on the scene more mainstream a couple years ago, everyone was rightfully concerned and very cautious about how it was going to be used. You know, what I can tell you is that yes, we are seeing threat actors use AI. It has not been, as of you and I talking today, this massive revolution within threat actor tactics. Things that we've seen immediately off the bat of the days of bad grammar and misspellings and phishing emails are essentially over. So in the past, those were really great indicators of, hey, this may not be who it says they say they are. The other thing is, we have seen a lot of use of not a lot of use, but we have seen use of threat actors using AI to help with their code. But I will tell you, like, it's always the path of least resistance that threat actors are going to take. So there's not a real need for them to iterate heavily and really lean on AI to perform a lot of their tactics as of today. I mean, the indications that we've seen in terms of AI use in malware generation is they've left comments in the malware that were very indicative that they were using some sort of generative AI or artificial intelligence tool to help with it. The other thing we've seen a little bit of is the use of AI images in social engineering campaigns. But this was actually happening all the way back in like 2021, 22. So even before some of these tools were more broadly available.
B
Right, right. It's interesting to see how the hype of the headlines doesn't necessarily always match the reality. Like, you hear so much of how attacks are getting more sophisticated around AI, but that may not necessarily always be the case. And so I guess it's even as we're looking forward to how attackers may be leveraging AI now and more in the future. Are there any tactical measures that you would suggest that organizations and security teams kind of adopt so that they can mitigate the risks of Gen AI?
A
I think, really just understanding how it's being used, like right now, again, I think we're going to be having a much different conversation years from now. But we are really both from the network defender standpoint and the threat actor standpoint, really in, like, the beginning stages of how these can actually be used to really, to really change the way that we both do our jobs. Again, like right now, a lot of the threat actors are using it the same way that we are in the business world, like trying to just, you know, speed up some of the repetitive tasks that we're doing. We're not seeing a huge, huge shift yet.
B
Right, fantastic. Well, going to break up the conversation a little bit, and we're going to reintroduce some of our hot takes. For those of you who listened to last episode, we reintroduced these from several episodes ago. We used to do this all the time. And so, you know, the conversations we have can sometimes be a little bit heavy and want to lighten the, lighten the mood a little bit. So, Allison, you live in Sarasota, Florida? That's correct, right?
A
I live in southwest Florida, yes.
B
Southwest Florida. Fantastic. So my hot take question for you. What would you say is the best vacation destination for those traveling to Florida this year? Would you say it's exploring the parks at Disney or Universal? Would you say it's relaxing on the beaches? Would you say it's checking out the Everglades or something entirely different?
A
I'm going to give you the classic threat intelligence person answer and say it depends. Depends on what you're into. So obviously there's the parks, which, if you're into that, you got plenty of those here. The beaches are great regardless of which coast you go to. They're all different. And there's a lot of other things in addition to the Everglades in Florida that are fun. So we have natural springs here that are generally cold water, meaning there's usually not alligators in them. So you can go swimming and kayaking in those. I'm not saying that they haven't seen them in there, but, but yeah, there's, there's a lot to do in Florida, depending on what you're into.
B
Yeah. Then I have to say I'm a little bit biased. I would definitely lean into the, the landscape and the, and the outdoors there. I mean, it's just such a beautiful state. So great tips there and a very political answer of you, so I appreciate it. All right, so diving back in. So PwC just released, or several months ago released, the Year in Retrospect report and that indicated significant increase in attacks targeting older or known vulnerabilities. How can organizations that may not have super sophisticated cyber programs or lofty budgets manage these vulnerabilities and improve their security posture?
A
Yeah, so you know, we mentioned at the beginning of this podcast that I have been doing security work for a while and writing these reports for a while and that was something that actually surprised us when we saw this. And kind of looking back as to what has been happening over the last. Obviously that report was from 2024, but it stands, the information stands today. You know, six months later we're still seeing a lot of the same trends that we discussed there. But yeah, the use of vulnerabilities honestly surprised us in terms of being a dominant way that threat actors were getting into organizations. You know, the initial access vector. There's a lot of focus on zero day vulnerabilities. But I'm glad you led with existing vulnerabilities because we were seeing more of that. Generally in the past, when people think about the use of vulnerabilities or vulnerability exploitation when getting into organizations, they think of it more with the espionage aligned threat actors versus the criminally motivated ones. What I can tell you is everyone's using it now. I don't know if this is because we as an industry have just done a really great job of training our users to be really suspicious of phishing emails. If we've done a great job of multi factor authentication, if it's a combination of that. But I can say like, listen, we like generally there's tens of thousands of vulnerabilities that are issued a year. You can't patch all of them. It's just not possible. You know, I haven't been on the network defense side of things. You know, you've got to pick your challenges or pick your battles. Right. And when you think about vulnerabilities and any kind of vulnerability management process or system, you really got to understand your network. And so where are like your biggest, I'm going to say vulnerabilities. Again that's not the greatest word to use, but in this sense I'm meaning, you know, where are your access points into the environment.
So in terms of the vulnerabilities that we saw exploited, both the zero days and the older vulnerabilities, there was a lot of focus on the edge devices. So your VPNs, your WAPs, things like that. Those are the things like if I was still on the network defense side, those would be priorities in terms of patching. So anything that can be exploited to allow remote access into your environment, you know, these high severity vulnerabilities, those would be the things that we would really need to prioritize as network defenders. The other bit to vulnerability management is just understanding your network. And I know that's really trite coming from me on the research side of things or on the analysis side of things, because networks aren't what they were 20 years ago. There's not this beautiful perimeter. But you do have to understand your network in order to understand what vulnerabilities you actually need to prioritize.
B
Right, right. Figuring out how to address blind spots, I know, is an ongoing challenge for so many security teams.
A
You know, Log4j was a great example. Log4j was a challenge for everyone. Not because it was being mass exploited. I mean, we did see some exploitation, but it wasn't super successful. But the challenge was, oh my gosh, like we don't even know where this is in our network because it comes as a part of all of these other things. You know, that was a real challenge for a lot of the industry to figure out whether or not they had it and then to actually patch.
B
Right. And speaking of blind spots, another theme that came up in your report that I found particularly interesting was the software supply chain. It remains a primary target for attackers. So how do you recommend organizations begin to mitigate the risk of their third party software vendors and what actionable steps can they take to strengthen their resilience?
A
Again, it's pretty simple. First, understanding who all your vendors are and what kind of access they have to your environment. So third party is this really overarching term. And it could be everything from somebody who's got a third party connection into your environment to somebody who's providing something to your environment. And if you don't understand what that looks like, then that is really where your exposure is. You know, we do run a lot of tabletop type exercises with our clients, and most of it is dealing with ransomware. And when we're talking about ransomware, we're not just talking about ransomware within our network, but ransomware within some of our providers. And so what we've been seeing with some of our clients is having secondary suppliers in the case that some of their critical suppliers might have some sort of outage and it causes operational issues.
B
Fantastic. And Allison, this has been a really wonderful conversation so far. For those folks listening, what are some of the key takeaways that you would like them to walk away with to enhance their security posture?
A
So, again, I have been on the other side of this conversation and I feel for people because the networks are not what they were when I started. And you actually did have a perimeter that you can defend against. The news cycle is so insane in the threat intelligence space that if you don't understand your threat profile, you're going to drive yourself insane trying to whack-a-mole all of these things that are coming across your desk in terms of vulnerabilities, in terms of threat actors, things of that nature. So, like, step one is really like, what do you have that threat actors are interested in? Or what are the primary threats that your organization might face? And if you don't have the ability to determine that yourself, work with one of your vendors, suppliers, whomever. I don't know any company that is doing everything in house by themselves. Even the government doesn't. So lean on your partners to help you build your threat profile, if you can't do it yourself, and then understanding what those threats are, and if you can defend against those, you're in pretty good shape.
B
Right. That's great advice. Fantastic. Well, Allison, thank you so much for the conversation. For our listeners who aren't familiar with the report already, PwC's Year in Retrospect report, we will include that in the show notes. Allison, yeah, it's been a fantastic conversation. I've really enjoyed it and I believe our listeners will learn a lot from you. So thank you so much for your time. And until next time.
A
Thanks for having me.
Host: Caleb Tolan (Rubrik Zero Labs)
Guest: Allison Wikoff, Director of Global Threat Intelligence, PwC
Date: June 24, 2025
This episode explores the urgent topic of securing the software supply chain amidst rising attacks exploiting both new and legacy vulnerabilities. Host Caleb Tolan sits down with Allison Wikoff, a seasoned expert from PwC, to dissect recent threat trends, the evolving role of generative AI in cyberattacks, and actionable defense strategies, especially for organizations without large security teams or budgets. The conversation is grounded, practical, and dotted with candid insights and real-world advice.
On why vulnerabilities remain a top attack vector:
“The use of vulnerabilities honestly surprised us in terms of being a dominant way that threat actors were getting into organizations… What I can tell you is everyone’s using it now.” – Allison Wikoff ([00:00], reiterated at [09:45])
On generative AI threats:
“It’s always the path of least resistance that threat actors are going to take.” – Allison Wikoff ([05:01])
On prioritizing security efforts:
“You can’t patch all of them. It’s just not possible… You’ve got to pick your challenges or pick your battles, right.” – Allison Wikoff ([09:45])
On defending your business:
“The news cycle is so insane... if you don’t understand your threat profile, you’re going to drive yourself insane trying to whack a mole... Step one is really, like, what do you have that threat actors are interested in?... And if you can defend against those, you’re in pretty good shape.” – Allison Wikoff ([14:08])
| Segment | Timestamp |
|----------------------------------------------|---------------|
| Allison’s Background | [01:58]–[02:40] |
| Retail Attacks & Supply Chain | [03:08]–[04:30] |
| Generative AI Trends | [05:01]–[07:23] |
| Florida Hot Take | [08:19]–[09:12] |
| Vulnerabilities & Patch Priorities | [09:45]–[12:25] |
| Managing Third Party/Supply Chain Risk | [12:52]–[13:57] |
| Building a Threat Profile & Takeaways | [14:08]–[15:05] |
Allison Wikoff offers hard-earned, field-tested guidance that is within reach for any organization, emphasizing basics over buzzwords, real risk over media hype, and partnership over lone-wolf defenses. Whether you’re worried about the next Log4j or just keeping up with MFA, the episode provides actionable takeaways to help any security team (large or small) bolster their cyber resilience and stay a step ahead in the ever-shifting landscape of software supply chain security.