Podcast Summary: Hacking Humans – The RMM Protocol: Remote, Risky, and Ready to Strike
Released on July 1, 2025 by N2K Networks
1. Introduction and Guest
In the latest episode of "Hacking Humans", hosted by N2K Networks, the focus is on the evolving landscape of cybercrime, specifically the utilization of Remote Monitoring and Management (RMM) tools by threat actors. The episode features a special guest, Keith Milarski, a former federal agent renowned for his significant contributions to dismantling global cybercrime infrastructure. Keith brings a wealth of experience in cyber investigations, international partnerships, and understanding threat actor operations.
Notable Quote:
"I'd have left at least a sticky note." — Keith Milarski (00:31)
2. The Shift to RMM Tools in Cyberattacks
The primary discussion revolves around how cybercriminals are increasingly leveraging legitimate RMM tools as a first-stage payload in their attack campaigns. Traditionally, RMM tools were employed by IT professionals to monitor and manage computer systems. However, threat actors are now abusing these tools to gain initial access to targeted systems, replacing conventional malware loaders like Smoke Loader or IcedID.
Notable Quotes:
"It's really the brilliance of the threat actors, how they're evolving to our cyber defense going forward." — Dave Bittner (05:23)
"They're trying to get something there that isn't quite yet already." — Selena Larson (06:13)
3. Operation Endgame and Its Impact
The conversation delves into Operation Endgame, a significant law enforcement action aimed at disrupting key components of cybercriminal networks. This operation targeted initial access loaders and botnets responsible for enabling ransomware attacks, leading to a noticeable decline in traditional malware deployment.
Notable Quotes:
"Operation Endgame was very effective and probably affected how the threat actors were pivoting." — Dave Bittner (07:14)
"It's not necessarily a one to one shift, but it does show an example of experimentation across the landscape." — Selena Larson (13:43)
4. RMM Tools as Initial Access Brokers
Keith Milarski raises a critical question about whether threat actors are installing RMM tools on targeted systems or exploiting pre-existing installations. Selena clarifies that, in the context of their research, threat actors are primarily installing new RMM tools as an initial access method, rather than exploiting existing ones. This approach allows them to bypass traditional detection mechanisms that focus on identifying malicious signatures.
Notable Quotes:
"They're trying to get a new app loaded on a host." — Selena Larson (06:13)
"The normal corporate person is not going to have access to RMM tools on their desktop computer." — Dave Bittner (10:08)
5. The Cyber Underground's RMM Services
The episode highlights how the cyber underground marketplaces have adapted to this shift by offering RMM services for sale. Threat actors are now monetizing access to legitimate RMM software, providing it as a service to other criminals seeking initial access to target systems.
Notable Quotes:
"We saw an actor offering a service for ScreenConnect to access via their on-premise solutions." — Dave Bittner (16:13)
"They're advertising this and that's probably because they're doing these phishing campaigns, they're getting access to these services and now they can monetize that." — Dave Bittner (16:50)
6. Defense Strategies Against RMM Exploitation
A significant portion of the discussion is dedicated to mitigation and prevention strategies to counteract the misuse of RMM tools. Selena emphasizes the importance of:
- User Training: Educating employees about the evolving threat landscape and recognizing potential social engineering tactics.
- Restricting Software Installations: Implementing strict policies to prevent the unauthorized download and installation of RMM tools.
- Behavioral Detection: Moving beyond traditional signature-based detections to monitor and analyze behavioral anomalies within network traffic and system operations.
Keith and Dave further elaborate on adopting a defense-in-depth approach, incorporating principles like least privilege and multi-factor authentication to minimize potential attack vectors.
Notable Quotes:
"Not all organizations are going to have the same risk and the same resources to manage them." — Selena Larson (26:17)
"Knowing your adversary, having intelligence to drive operations is really the key to this." — Dave Bittner (26:56)
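The installation-restriction and behavioral-detection ideas above can be expressed as a small policy check over endpoint telemetry. The following is an added example, not code from the episode or from any vendor: it assumes a constructed log format (epoch|host|user|event|detail), hypothetical admin account names and a hypothetical second RMM product, and flags RMM installs by non-admin accounts, unapproved RMM products, and an RMM agent calling out shortly after such an install.

```python
import re

# Constructed policy (hypothetical account names): the RMM product IT has sanctioned,
# the only accounts allowed to install or run any RMM agent, and RMM binary markers.
APPROVED_PRODUCTS = {"screenconnect"}  # ScreenConnect is the product named in the episode
ADMIN_ACCOUNTS = {"corp\\it-helpdesk", "corp\\it-admin01"}
RMM_MARKERS = ("screenconnect", "hypotheticalrmm")
FOLLOWUP_WINDOW = 300  # seconds: agent calling out soon after a non-admin install

# Constructed line format: epoch_seconds|host|user|event|detail
LINE_RE = re.compile(r"^(\d+)\|([^|]+)\|([^|]+)\|([^|]+)\|(.*)$")

def parse(line):
    """Split one line into a dict; None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, event, detail = m.groups()
    product = next((p for p in RMM_MARKERS if p in detail.lower()), None)
    return {"ts": int(ts), "host": host, "user": user, "event": event,
            "detail": detail, "product": product}

def detect(lines):
    """Return (finding, host, detail) tuples for RMM activity that breaks policy."""
    findings, recent_installs = [], {}  # host -> time of last non-admin RMM install
    for ev in filter(None, map(parse, lines)):
        if ev["product"] and ev["event"] in ("install", "process_start"):
            if ev["product"] not in APPROVED_PRODUCTS:
                findings.append(("unapproved_rmm", ev["host"], ev["product"]))
            if ev["user"].lower() not in ADMIN_ACCOUNTS:
                findings.append(("rmm_by_non_admin", ev["host"], ev["user"]))
                recent_installs[ev["host"]] = ev["ts"]
        elif ev["product"] and ev["event"] == "net_outbound":
            # Behavioral signal: agent phones home right after a non-admin install, even for an allowlisted product.
            since = ev["ts"] - recent_installs.get(ev["host"], float("-inf"))
            if 0 <= since <= FOLLOWUP_WINDOW:
                findings.append(("rmm_callout_after_install", ev["host"], ev["detail"]))
    return findings

# Constructed sample: one sanctioned IT install, one user-driven install that
# then calls out, and one unapproved product started by a regular user.
SAMPLE_LOG = [
    "1700000000|WS-IT-01|CORP\\it-helpdesk|install|ScreenConnect client 1.2.3",
    "1700000100|WS-FIN-07|CORP\\jdoe|install|ScreenConnect client 1.2.3",
    "1700000160|WS-FIN-07|CORP\\jdoe|net_outbound|ScreenConnect.exe -> relay.example:443",
    "1700000400|WS-HR-02|CORP\\asmith|process_start|HypotheticalRMM agent.exe",
]
```

Calling detect(SAMPLE_LOG) leaves the IT helpdesk install silent and raises four findings for the other two hosts; in practice the allowlist and admin group would come from the organization's software policy rather than constants.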
7. The Evolving Threat Landscape and Future Directions
The podcast touches upon the broader implications of this shift, noting that as traditional defenses become more effective, threat actors continually adapt their tactics. The move towards abusing legitimate tools like RMM software signifies a more sophisticated and evasive approach to cyberattacks. Selena points out that while this tactic poses new challenges, ongoing research and adaptation in defense strategies can mitigate these risks.
Notable Quotes:
"Different types of malware that are a little bit less complicated, but the attack chains are a little bit more clever." — Selena Larson (23:35)
"There is no one silver bullet for anything." — Selena Larson (31:30)
8. Conclusion
As the episode concludes, the hosts reflect on the complexities of modern cybersecurity, acknowledging that while no system is entirely secure, a proactive and informed approach can significantly enhance an organization's resilience against evolving threats. Keith Milarski's insights provide a valuable perspective on the intersection of law enforcement actions and cybercriminal adaptations, underscoring the need for continuous vigilance and adaptive defense mechanisms.
Notable Quotes:
"Is anything ever going to be totally secure? No, because really, a person's on the end of the keyboard, and we all know that that is really the weakest link." — Dave Bittner (34:15)
"There's like multiple ways that threat actors can abuse remote access software and RMM tooling within an environment." — Selena Larson (10:08)
Key Takeaways:
- RMM Tools as a New Threat Vector: Cybercriminals are repurposing legitimate RMM software to gain initial access to systems, bypassing traditional malware detection methods.
- Impact of Law Enforcement Actions: Operations like Endgame disrupt existing malware operations, forcing threat actors to innovate and adapt their tactics.
- Defense in Depth is Crucial: Employing a multi-layered security strategy, including user education, strict software policies, and behavioral monitoring, is essential to counteract sophisticated attack methods.
- Continuous Adaptation: The cybersecurity landscape is ever-evolving, necessitating ongoing research, intelligence sharing, and adaptive defense strategies to stay ahead of malicious actors.
Notable Sponsors:
The episode includes a segment from ThreatLocker, a zero-trust endpoint protection platform that emphasizes allowlisting and ring-fencing to enhance organizational security against both known and unknown threats.
Advertisement Highlights:
"ThreatLocker allows you to easily curate an allow list of everything you need in your environment and network and block everything else by default."
"With ThreatLocker allowlisting and ring fencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities."
Final Thoughts:
"Hacking Humans" continues to deliver insightful discussions on the intricacies of cybersecurity, blending expert opinions with actionable strategies to help listeners navigate the complex threat landscape. This episode serves as a crucial resource for understanding the shifting paradigms in cybercrime tactics and the corresponding defense mechanisms necessary to safeguard organizational assets.
