Dave Bittner
You're listening to the Cyberwire network, powered by N2K.
Selena Larson
Dave. Dave, look at this. It was just sitting there. Bottom drawer, no label. Not our usual show notes. No production stamp, no sender. Just a manila folder marked 032KM.
Unknown
It wasn't me.
Keith Milarski
I'd have left at least a sticky note.
Unknown
You don't think it's a phishing test, is it?
Dave Bittner
Or ooh, ooh, ooh, ooh.
Keith Milarski
Maybe it's fan mail.
Selena Larson
Oh, maybe. But no, it looks like an internal file. Not new either. A little worn at the edges. And someone really went out of their way to get it.
Unknown
Here it says, subject Malarsky, comma Keith clearance. Top secret status activated.
Keith Milarski
Now that's a name I haven't heard in a while. Talk about a little worn at the edges. Didn't he used to be everywhere and nowhere at the same time?
Selena Larson
Oh, wait, hang on. There's a letter inside.
Unknown
It says, career federal agent. Recognized for significant contributions to dismantling global cybercrime infrastructure. Extensive experience in cyber investigations, international partnerships, and threat actor operations.
Keith Milarski
So, in other words, he's the kind of guy who joins a podcast and already knows your password.
Dave Bittner
Don't worry, Dave. Your secrets are safe. Mostly.
Selena Larson
Keith Milarski, welcome to Only Malware in the Building. We don't have a safe house, but we do have very strong coffee and a lot of strange cyber stories.
Dave Bittner
That sounds familiar.
Keith Milarski
So what brings you here, Keith? Burned your last alias?
Dave Bittner
Well, I thought it was time to step out of the shadows and into the conversation.
Selena Larson
Well, you're in the right place. We've got plenty to dig into, malware mischief, and maybe even a mystery or two.
Unknown
And now a few thoughts from our sponsors at ThreatLocker. The tactics used by cybercriminals are becoming more and more advanced every day. The shift from a default allow approach to a default deny is more critical than ever. This is where ThreatLocker comes in. Stay tuned for how ThreatLocker allowlisting and ringfencing have your back.
Selena Larson
Today on Only Malware in the Building, we are going to dive into remote monitoring and management tools and how those are used by threat actors. It's actually perfect timing, Keith. I feel like you are joining us remotely and probably have a lot of fun stories about your own experiences with remotely accessing some top secret spaces.
Dave Bittner
I could neither confirm nor deny. Oh, my goodness.
Keith Milarski
We have a G-man. What did we do to deserve this?
Dave Bittner
Glad to be here, guys.
Selena Larson
Yeah. We're so excited for you to join us and to talk about some of your research as well. That you have taken a look at in terms of how threat actors are using RMM or remote access software tools in campaigns. This has been a sort of passion project of mine because I'm very interested in the ever changing threat landscape. So I can't wait to discuss what we have in store today.
Keith Milarski
Well, let's get into it. Set the table for us, Selena. What's the background on what we're talking about here today?
Selena Larson
What's really interesting is based off of some research that we published recently and diving into some of the activity from cybercriminal threat actors over the last few months. What we found is more threat actors are using legitimate remote monitoring and management, or RMM, tools as a first stage payload in email campaigns. This is really a shift because many of our listeners are probably familiar with RMM tools. In fact, they probably use them in their day to day at work. And these are the things that IT uses to monitor and fix your computer. And what's interesting is historically threat actors have used them as part of an overall attack chain where once they get on a host, then they'll install RMM software and use that as part of the attack chain. In this case, they're being delivered similar to how they deliver remote access Trojans or loaders. Right. So it's the first stage. It's almost acting like that first stage malware, which is something that we don't typically see in quite such volumes.
Dave Bittner
When you think about that though, it's kind of brilliant because when you're thinking about like that first stage that they normally use, which would be like Smoke Loader or some other malware, there are signatures that are usually written for advanced EDR to detect that. But because these are legitimate programs, most people probably won't have detections in place for that. So it's really the brilliance of the threat actors, how they're evolving to our cyber defense going forward.
Keith Milarski
Well, help me understand here for both of you. Is this a case where the bad guys are installing this on the system that they're targeting as an initial access point, or is it a situation where someone may already have this on their system and then the bad guys are taking advantage of that?
Selena Larson
So what I looked at, and Keith can probably speak to the second point, but for the research that we're looking at, it's the first stage. So it's the thing that they're dropping instead of a traditional malware like Keith mentioned, Smoke Loader or, you know, historically, things like IcedID or Pikabot, even remote access Trojans that we just, you know, would see a lot more frequently. Now a lot of cybercriminal threat actors are kind of pivoting to legitimate RMM tools. And to Keith's point, it is a little bit of evasion that they're trying to do, right? So they're like, okay, well, you know, my malware isn't working. Defenses are getting better. This is a known piece of software, a piece of malware that will have signatures to detect it. But if this company uses something like Atera, for example, or ScreenConnect, for example, or, you know, any of those enterprise type of RMM tools, they might not flag it as malicious. So it's kind of a clever, crafty way of getting in sort of sideways and trying to masquerade as something legitimate.
Keith Milarski
Keith, what do you make of this?
Dave Bittner
Yeah, I just think it's kind of a brilliant move. We saw, like Selena was saying, Microsoft reported in March that there was a malvertising campaign through a redirection to GitHub, where there was malware that would host it, that would then drop a stealer and then deploy NetSupport, which is one of the RMM tools, alongside, to gain a foothold. So I think there was an operation called Operation Endgame last year that targeted some of these initial loaders. And I think, you know, Selena, you guys did a great article on that, on how Operation Endgame was very effective and probably affected how the threat actors were pivoting. So I just think, you know, that there was a law enforcement action and now, you know, the threat actors are pivoting, you know, to a new technique.
Keith Milarski
Is it safe or accurate to call this sort of thing living off the land of using pre existing tools, or the fact that they're dropping something that may not have already been on somebody's computer, does that put it in a different category?
Selena Larson
Using RMM tools can be considered living off the land. If a threat actor gets on a host and then exploits what's already there for the initial access, in many cases, what we see is them actually downloading the RMM payload that doesn't already exist. So it's a new install. They're trying to get a new app loaded on a host. And this is of course from the initial access perspective. Right? So you have threat actors, especially ransomware actors, for a long time once they got on a host, abusing the existing RMM tooling, or potentially downloading and installing one as well. But from a first stage perspective, they're just trying to get something there that isn't quite yet already.
Keith Milarski
Is RMM ever a target for things like credential stuffing?
Dave Bittner
Good question, Dave, for a second. I mean, or is it too far.
Keith Milarski
Down the chain where it's likely to be something that it has installed rather than the user themselves?
Dave Bittner
Yes, it would be something more that it probably would be installed. You know, the normal corporate person is not going to have access to RMM tools on their desktop computer. It would be more somebody, you know, in IT or cybersecurity that would have that. So generally, if you can get access to one of the systems that they're on, usually those systems have more privileges than your typical user. So if you can get access to, you know, a system that has RMM tools, you probably have better privileges on it.
Selena Larson
Yeah, for sure. And that's something that's also pretty interesting too, right? Like if you're going after domain administration or if you're trying to go after Microsoft 365, like kind of targeting IT tools as a whole is kind of like a supply chain attack, right? So it's a little bit, you know, like there's multiple ways that threat actors can abuse remote access software and RMM tooling within an environment. If something already exists and they can elevate privileges and gain full access to a broader environment, or if they're installing it themselves and positioning for lateral movement throughout an organization, that's another option. So it's really interesting too because, like, from the detection standpoint, right, even initial access, so downloading and installing something on your computer might not necessarily flag as malicious, but also once installed, if you're looking at network traffic, if you see things across the wire, but it's just coming up as the IT monitoring and management tools that either you're already familiar with and use in your environment, that might have the tendency to sort of hide a little bit. And so that's when you have to kind of get into more sort of behavioral detections and less about, you know, what network traffic it is. But what are they doing with that tooling? Like what commands are they running? What are they trying to access? Is this outside of the baseline activity that we normally see? So while it is kind of clever that these threat actors are trying to abuse legitimate software and services, there are multiple steps that you can take from a defense in depth perspective to prevent that exploitation, even if it's a software that you do run in your environment.
Keith Milarski
Well, I definitely want to get to that part of things. You know, the defense in depth and steps against this. But before we get there, can we talk about kind of the view that you and Your team, Selena, had to initially draw your attention to this. And then maybe, Keith, we can contrast that over some of your experiences of the types of stuff that you looked at in your career in the federal government. Selena.
Selena Larson
Yeah, for sure. So one of the reasons why I wanted to look at this, and actually Keith brought it up earlier, is Operation Endgame. So this law enforcement activity that targeted a lot of the initial access loaders and botnets that are responsible for enabling ransomware, it was a big law enforcement activity that disrupted a lot of that. We've talked about this, Dave, on previous episodes. So it's obviously something that I care a lot about and I think it's really great to see the impacts. But what we saw, which was really interesting, is when threat actors lose access to their initial malware, if whatever tool that they're using, their infrastructure, the malware, the providers, the sellers, the malspam distributors, anytime that there's a sort of disruption to their own operations that imposes costs on the adversary and forces them to change their behaviors. And so what we've seen is a decrease in initial access loader malware that we typically would see on the landscape. Some of that was due in part to Operation Endgame. You mentioned Smoke Loader, Keith. But also of course, things like IcedID and Pikabot were also impacted by this. So we've seen this drop off of initial access malware. Interestingly, it also coincides with this increase in remote access tooling distributed as a first stage payload. What's interesting though is it's not one to one. So the actors that we saw delivering Pikabot, for example, are not pivoting to RMM tools. It's newer actors' activity that we necessarily haven't been tracking before as initial access brokers that have kind of emerged to fill a gap almost. And so we have seen a few actors that do have really high volume campaigns and will often distribute ScreenConnect. That's one of the ones that has really emerged in our data since the middle of last year. Also, NetSupport has always been a favorite, right? That's something that we, that we've seen pretty regularly.
But then we've seen these really random, random RMM tools that we don't see all that often. So like PDQ Connect or Atera, Bluetrait, LiteManager, some of these things just kind of like pop up. We might see a few campaigns from them and they might go away or they might stay a little bit more consistent. But it shows an experimentation. It shows that threat actors are trying to figure out what works and it could be in part because a lot of the access to either the malware, the operators that were there before just aren't there anymore, or it's a response to, okay, they're going after malware. What if we tried something else to try and be proactive and prevent some of this future activity? So it's not necessarily a one to one shift, but it does show an example of experimentation across the landscape. And Dave, you know how excited I get to talk about threat actor experimentation and TTP changes.
Keith Milarski
I know it's what you live for, truly.
Selena Larson
I know my life is so boring. I just get so happy when they change techniques.
Keith Milarski
Keith, go ahead.
Dave Bittner
I was just going to say, I mean, I think, you know, exactly what Selena's saying is what we're really seeing in the cyber underground because, you know, looking at the chatter and what we're seeing on the, on the underground forums and seeing, you know, what threat actors are talking about, I think, you know, what we started seeing is really beginning late 2024, we saw a handful of actors really start talking about providing access to RMM software and setups as a service, which really kind of goes in line with what you're saying about how there's a shift of these TTPs. So, you know, for example, in December 2024, on one of the big cybercrime forums called Exploit, we saw an actor offering a service for ScreenConnect access via their on premise solutions. You know, they were selling access starting at like $3,000 per month for a single user, you know, so and then after that we saw on another forum an advertisement for RMM software services and it claimed users would get a unique copy of the software, a personal domain, custom VPS, no limitations on their usage. So we really started seeing a number of things and then just really just as recently as last month, we saw another actor offering a service to provide access to officially licensed ScreenConnect software hosted on a cloud based provider. We're starting to see more and more threat actors advertising this and that's probably because they're doing these phishing campaigns, they're getting access to these services and now they can monetize that by offering that as the initial access broker, like they would do when they were doing malware for that initial access.
Selena Larson
Stick around, we'll be right back.
Unknown
So let's return to our sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your infrastructure from the ground up. Where traditional cybersecurity tools require you to create a list of things you don't want to run, ThreatLocker enables you to easily curate an allow list of everything you need in your environment and network and block everything else by default. With ThreatLocker allowlisting and ringfencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware. The ThreatLocker Zero Trust Endpoint Protection platform deploys in a learning mode that analyzes the operations of your company using machine learning to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with your data, and even east and west network traffic. We thank ThreatLocker for sponsoring our show. And of course, we want to thank this week's sponsor, ThreatLocker. Go to ThreatLocker.com HH and check out their Zero Trust Endpoint Protection platform. That's the words threat and locker with no space.com HH, where you can request a demo and neutralize the threat of malware running on your devices.
Keith Milarski
Let me ask you this, Keith, as someone who, I think it's fair to say in your time in the government, you were often on team disruption, right?
Dave Bittner
Yeah.
Keith Milarski
That was part of what you were doing. What consideration did you all give to the downstream effects of your disruption? Like Selena was saying, we saw this interruption with Operation Endgame. It's not a one to one, like correlation is not causation. But how much thought was given to, if we cut off the head here, three or more are going to grow in its place.
Dave Bittner
Yeah, well, I mean, well, that's always going to happen with every disruption. People are going to pivot because really, at the end of the day, cybercriminals aren't going to go, oh, you got me, guys, I'm done. You know, so, you know, so what I think what goes into these takedowns, you know, like in Operation Endgame and you know, and others that I've been part of, is really you learn everything you can about that threat and at some point you have to disrupt it, you know, so you have to, for the greater good, you have to take action against that and take that down, knowing that the bad guys are going to pivot. But if you have good intelligence, you're out ahead and you may have good visibility. So you're saying, okay, we have good sources out there, we have undercover operations, we have private partners that are reporting on this. So now let's disrupt this and now we'll have good visibility to see how they're going to pivot in the future. So those are some of the things that kind of go in to the thinking, you know, behind these big disruptions.
Keith Milarski
Yeah, I mean, is that moment usually pretty clear for, for you and your colleagues? Like, okay, you know, we're coming up on the time when we have, we have to do something here, gang.
Dave Bittner
Oh, yeah. I mean, you know, you have to. And usually how it goes is, you know that you have to take action before you actually have a solution on how to do it. So you usually say, okay, look, you know, let's just. I'm just going to use Smoke Loader as an example. Look, Smoke Loader is really bad out there. We know it's really bad. Now we have to come up for how are we going to take this down. So generally it's kind of getting great people in the room from private industry to understand how the malware works. How could we come up with a technical solution to really impact this? And so there's a lot of people, you know, that are involved in that, you know, a lot of private industry people, a lot of law enforcement, and usually that's months in planning. I wish it could be as easy saying, okay, hey, we're going to go do an arrest or impact this next week. But it's usually, you know, a long time in planning.
Keith Milarski
Right. I'm going to hit the big red button on my desk and it'll all just turn off.
Dave Bittner
Right, that easy button.
Keith Milarski
Yeah.
Selena Larson
When you're planning some of these takedowns, do you try and anticipate what comes next? So like, are you thinking, okay, if we do this, they'll probably change their behavior to this. So we have to make sure that we have visibility here or we have, you know, eyes here, or we are alerting potentially impacted organizations that this is coming. Like, how forward thinking are you when it comes to operational disruptions?
Dave Bittner
I wish I could say that we've always been that forward thinking. It's, you know, usually from the government, you know, with a lot of admin stuff involved. You're usually just trying to impact the threat that you can. And there's like a lot of things that go into like Operation Endgame that you were talking about, you know, that I think, I believe that was one of the very first operations where they actually did an uninstall, that they had to get legal authority to actually uninstall this, you know, this piece of malware. So when you think about that, there's a lot that goes into that because you're talking about many different jurisdictions around the world. You know, the German BKA, which led this Operation Endgame, you know, if they were going to do uninstalls in the United States, they can't. That would really be breaking the laws of the United States. So there is a lot of coordination and a lot of legal things that go in when you're going to do a big takedown like that. And then even once you get that technical solution, like really how are you going to sinkhole and notify the victims? You know, so there's really a lot of coordination that goes into that. So I think more in the takedowns, you're things as opposed to really kind of where the bad guy's pivoting. Unfortunately, you're usually wrapped up in, you know, some of those things.
Keith Milarski
Well, I mean, let's dig into, you know, the prevention and mitigation here. Selena, what did you all come up with here in terms of strategies?
Selena Larson
Of course. So one of the most important things obviously is, and we always say this about phishing, is user training and understanding what the landscape looks like and, you know, making sure that your user in your organization is aware of this also. And perhaps especially from an IT perspective, kind of knowing what the landscape looks like, knowing and understanding what some of the social engineering is. So, you know, if someone gets asked a question like, hey, I got this, they're prepared with an answer. The other thing too is to make sure that, you know, your users aren't allowed to sort of download and install some of this remote access software. Right. Like really restrict the download and installation of any of these tools that are not approved and confirmed by an organization's IT. I think that's something that is just general best practices: don't install things that are not approved. But also from the perspective of, like, if you're thinking about SOC and implementing defense and thinking about behavioral characteristics, so looking at some network signatures or some traffic abnormalities that you can write signatures on to see if those are detected, protected within your environment, obviously, you know, having a sort of baseline behavior that is known and understood by your network security protection and if it deviates from the baseline to be alerted. But I think it, you know, really also kind of comes down to this idea of how and why people are kind of like downloading, installing this stuff. And from a, yeah, a user training perspective, I think it's so helpful to know what the landscape looks like and you can tell your security teams, you know, really what to look out for. And I think too, this, we're talking a little bit about kind of like forcing change. And this was an activity that was forced change, like that, that defense made them change their behavior.
And I think once it gets to a point where, okay, organizations are aware that RMM tooling is being abused and they are implementing some of these best practices and making it a lot harder for RMM tools to be an initial access method, they're going to kind of pivot to something else. And what that something else is, I think is still, you know, it's still out there. But information stealers are obviously kind of gaining a lot of traction in the landscape. Different types of malware that are a little bit less complicated, but the attack chains are a little bit more clever. So knowing and understanding and sort of anticipating like what comes next is the job of us as threat researchers and hopefully being able to anticipate and provide solutions for when that happens. So when we, when we see these emerging threats come on the landscape, we say, hold on, this is what's happening. Here's how you can defend yourself. But Keith, I'm curious, do you have any additional thoughts in terms of how organizations can prevent themselves through RMM exploitation?
Dave Bittner
Absolutely. I think it's really the key of what you're saying. You need to have intelligence drive operations. You need to really understand who your adversary is that you're going up against. You know, so really understanding how there's this pivot and then being able to use and understand those TTPs in your threat hunting, in your compromise assessments, you know, having alerts in your SIEM when you're just out there hardening your networks. You need to know what the threat actors are doing and abusing and setting up the detections and be looking for that. So knowing your adversary, having intelligence to drive operations is really the key to this.
Selena Larson
I have a question, you guys. Do you think it's gotten harder to be a security practitioner at a large organization since Microsoft disabled macros by default?
Keith Milarski
That's an interesting question because I was going to say, has anybody ever said that having macros enabled by default made anyone's life easier?
Selena Larson
Well, no, but I, I feel like that is kind of what has kick started this current sort of era of experimentation and fracturing of different attack chains and collaboration between various threat actors who are responsible for each new component of the attack chain. Because it used to be just like, oh, the security, you know, like, like what do we do against this threat? It's like, well, don't download macros like.
Keith Milarski
Don't enable macros, like disable macros. Right?
Selena Larson
Yeah. But now we have all of these different, like deliver attack chains, all these different malware types or even like Dave, you were mentioning earlier, like living off the land binaries and scripts, like a lot of these other techniques. So I don't know, I'm just curious as you're both much more experienced than I am.
Keith Milarski
Well, one of us is. It's not me.
Selena Larson
You've been in the game for considerably longer. Just. Yeah, I'm just curious what your thoughts.
Keith Milarski
Are you subtly just trying to point out how much older we are than you, Selena? Is that what they. What's going on here?
Dave Bittner
I think that's what's going on, Dave. I think so.
Keith Milarski
I mean, not that there's any denying it, but gosh, I mean, you don't have to come right at us.
Selena Larson
The well worn edges.
Keith Milarski
The well worn edges, yeah. Believe me, believe me, they are fraying.
Dave Bittner
It's funny, I just to share a story, you know, I was at a conference last week and you know, and usually I was always one of the younger guys at the conference and it's been a while since I've been at the conference and I just looked around, I'm like, I'm the old guy now.
Keith Milarski
Yeah. Isn't it great? Isn't it great? Your day will come, Selena. Your day will come.
Selena Larson
I mean, hey, it's already coming. I am, you know, like all of the zoomers out there who are taking over the cyber landscape with their TikToks. I can't compete well.
Keith Milarski
So Keith, do you have an answer to that about the macros?
Dave Bittner
I really don't have an assessment other than what you guys have said. You know, I think you guys are spot on in your assessment.
Keith Milarski
Let me ask you this, do we have thoughts? If I'm responsible for defending my organization, if I'm, you know, in a leadership position to do that, and I'm looking at my choice between block lists and allow lists for installing software. My initial sort of, you know, uninformed thought would be, well, I want to.
Unknown
Go with an allow list so.
Keith Milarski
Because who knows what's out there that I haven't thought of, you know, so I want to make so that they can only put the things on their computer that I pre approved. On the other hand, oh, I have to manage all those tickets. Right. So how do you balance those things?
Dave Bittner
Yeah, I mean, I think whitelisting is definitely the best way to do it. But I mean the problem in, you know, in this case is if you whitelist some of the RMM tools. So you really just have to look at it as going back to that least privilege, who should have access to this and who should be able to use that and really having that least privilege across your network to really limit not only the installation of these tools, who's using that, but who's able to then pivot across your network.
Keith Milarski
Selena, you concur?
Selena Larson
Yeah, I think definitely the principle of least privilege. I also think this idea of threat actors going after identity over just in general trying to be better about social engineering to have a higher efficacy rate and going after the identity, whether that's through account takeover, that then be pivoted and install malware or if that's, you know, posing as an IT admin to try and gain access to a specific user, whether that's, that's kind of preying on a little bit more of the human side of things as opposed to just blasting at large, you know, millions of emails to try and gain initial access or you know, just like password spraying at scale. I think there is a little bit of that idea as well. And so in terms of a solution, obviously restricting as much as possible and this idea of defense in depth, there is no one silver bullet for anything. And it's important that you as an organization are mindful of the risks. Right. Because not all organizations are going to have the same risk and the same resources to manage them. Of course. But this idea of, okay, understanding that it is likely that you might get hacked, but what controls are in place to prevent the exploitation as much as possible. And so obviously you want to train users and make sure that they're not doing things. But okay, yes, let's say if they did click on a malicious link, for example, that led to the download of a Visual Basic script, does your organization allow that script to be downloaded and opened in anything but a text file? So having mapping out what are the areas of exploitation and making sure that you have gates at each step of the way can go pretty far. So I wouldn't necessarily say like allow listing or block listing is the, is definitely the solution. It's one component of an overall strategy that I, I mean like defense in depth, like every time you have to say like take a shot or something.
Dave Bittner
Like it's just Right, right.
Keith Milarski
Multi-factor authentication.
Selena Larson
Yeah, I like secure by design.
Keith Milarski
Don't click the links.
Selena Larson
Yeah, but like, but in reality it's making sure that you know at, at each step of the way. Like if you think of like an organization as your home and certainly not my home, because my home is currently flooded, as we are recording this podcast. But in a home that is secure and well maintained, you have locks on your doors, but you also don't necessarily, like, leave your computer unlocked. So there's, you know, if somebody does get in, they're not going to be able to know your password and put in your password. Maybe they won't be able to get to a lockbox or you're keeping your documents in a container that's like, hidden away and password protected. So, you know, there's like, at each step of the way, imposing costs to an adversary, I think is really important. And so it's. Yeah, we, I think, you know, there used to be this idea that, like, indicators of compromise and just block everything was like the best solution, but now, like, it's so much. It's shifted so much away from IOCs to threat behaviors. And again, like, living off the land is so common. And so you need to know the malicious behaviors, not necessarily the malicious binaries, because they're not. They're using, you know, like legitimate, legitimate scripts and binaries in your environment. So, yeah, it's, it's. I don't. I feel like it's gone harder. I don't know.
Dave Bittner
Yeah, I don't think. It definitely hasn't gotten easier, for sure. Just like what you were saying, Selena, really, that behavior is really the key. If you understand who your threat actors are, who's going to attack. You really kind of understand the MITRE ATT&CK framework, how that threat actor is going to pivot for their attacks. Because, look, for the most part, every now and then, there is something very unique and novel that we'll see an attack maybe once or twice a year. But for the most part, the majority of the attacks that we're going up against are routine that we see over and over again. So if you understand really who your adversaries are and how they're going to attack you along the MITRE ATT&CK framework, you can put those behavior things in place. You can put the network detections in place to make yourself secure. Is anything ever going to be totally secure? No, because really, at the end of the day, a person's on the end of the keyboard, and we all know that that is really the weakest link, I think would be the perfect. You are the weakest link.
Keith Milarski
Nothing is foolproof for a talented fool.
Dave Bittner
Indeed.
Selena Larson
I solution is to live in the woods. Have a.
Keith Milarski
Hey, I'm, I'm there. Cabin. Go. Yeah, go, go. Live in a cabin in the woods with a, with a friendly Sasquatch and just call it, call it a day.
Selena Larson
There's more to come after the break.
Keith Milarski
I think we're, we've covered it here, guys. This is interest, interesting stuff. And thank you, Keith, so much for joining us here. I'm looking forward to having you back next time.
Dave Bittner
My pleasure.
Keith Milarski
And Selena, always a pleasure. I learned so much and, you know, you guys remind me just how much I have to learn. So. Always a pleasure.
Selena Larson
This is so fun. It's great chatting. And Keith, welcome to Only Malware in the Building.
Dave Bittner
Glad to be here, guys. Thanks for being, you know, for inviting me and glad to be part of the team.
Selena Larson
And that's Only Malware in the Building. Brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead of the ever evolving world of cybersecurity. If you like the show, please share a rating and review in your favorite podcast app. This episode was produced by Liz Stokes. Mixing and sound design by Trey Hester with original music by Elliot Peltman. Our executive producer is Jennifer Ivan. Peter Kilby is our publisher.
Unknown
I'm Dave Bittner.
Dave Bittner
I'm Keith Milarski.
Selena Larson
And I, Selena Larson. Thanks for listening.
Podcast Summary: Hacking Humans – The RMM Protocol: Remote, Risky, and Ready to Strike
Released on July 1, 2025 by N2K Networks
1. Introduction and Guest Introduction
In the latest episode of "Hacking Humans", hosted by N2K Networks, the focus is on the evolving landscape of cybercrime, specifically the utilization of Remote Monitoring and Management (RMM) tools by threat actors. The episode features a special guest, Keith Milarski, a former federal agent renowned for his significant contributions to dismantling global cybercrime infrastructure. Keith brings a wealth of experience in cyber investigations, international partnerships, and understanding threat actor operations.
Notable Quote:
"I'd have left at least a sticky note." — Keith Milarski (00:31)
2. The Shift to RMM Tools in Cyberattacks
The primary discussion revolves around how cybercriminals are increasingly leveraging legitimate RMM tools as a first-stage payload in their attack campaigns. Traditionally, RMM tools were employed by IT professionals to monitor and manage computer systems. However, threat actors are now using these tools to gain initial access to targeted systems, replacing conventional malware such as Smoke Loader or IcedID.
Notable Quotes:
"It's really the brilliance of the threat actors, how they're evolving to our cyber defense going forward." — Dave Bittner (05:23)
"They're trying to get something there that isn't quite yet already." — Selena Larson (06:13)
3. Operation Endgame and Its Impact
The conversation delves into Operation Endgame, a significant law enforcement action aimed at disrupting key components of cybercriminal networks. This operation targeted initial access loaders and botnets responsible for enabling ransomware attacks, leading to a noticeable decline in traditional malware deployment.
Notable Quotes:
"Operation Endgame was very effective and probably affected how the threat actors were pivoting." — Dave Bittner (07:14)
"It's not necessarily a one to one shift, but it does show an example of experimentation across the landscape." — Selena Larson (13:43)
4. RMM Tools as Initial Access Brokers
Keith Milarski raises a critical question about whether threat actors are installing RMM tools on targeted systems or exploiting pre-existing installations. Selena clarifies that, in the context of their research, threat actors are primarily installing new RMM tools as an initial access method, rather than exploiting existing ones. This approach allows them to bypass traditional detection mechanisms that focus on identifying malicious signatures.
Notable Quotes:
"They're trying to get a new app loaded on a host." — Selena Larson (06:13)
"The normal corporate person is not going to have access to RMM tools on their desktop computer." — Dave Bittner (10:08)
5. The Cyber Underground's RMM Services
The episode highlights how the cyber underground marketplaces have adapted to this shift by offering RMM services for sale. Threat actors are now monetizing access to legitimate RMM software, providing it as a service to other criminals seeking initial access to target systems.
Notable Quotes:
"We saw an actor offering a service for ScreenConnect to access via their on-premise solutions." — Dave Bittner (16:13)
"They're advertising this and that's probably because they're doing these phishing campaigns, they're getting access to these services and now they can monetize that." — Dave Bittner (16:50)
6. Defense Strategies Against RMM Exploitation
A significant portion of the discussion is dedicated to mitigation and prevention strategies to counteract the misuse of RMM tools. Selena emphasizes the importance of:
User Training: Educating employees about the evolving threat landscape and recognizing potential social engineering tactics.
Restricting Software Installations: Implementing strict policies to prevent the unauthorized download and installation of RMM tools.
Behavioral Detection: Moving beyond traditional signature-based detections to monitor and analyze behavioral anomalies within network traffic and system operations.
Keith and Dave further elaborate on adopting a defense-in-depth approach, incorporating principles like least privilege and multi-factor authentication to minimize potential attack vectors.
Notable Quotes:
"Not all organizations are going to have the same risk and the same resources to manage them." — Selena Larson (26:17)
"Knowing your adversary, having intelligence to drive operations is really the key to this." — Dave Bittner (26:56)
7. The Evolving Threat Landscape and Future Directions
The podcast touches upon the broader implications of this shift, noting that as traditional defenses become more effective, threat actors continually adapt their tactics. The move towards abusing legitimate tools like RMM software signifies a more sophisticated and evasive approach to cyberattacks. Selena points out that while this tactic poses new challenges, ongoing research and adaptation in defense strategies can mitigate these risks.
Notable Quotes:
"Different types of malware that are a little bit less complicated, but the attack chains are a little bit more clever." — Selena Larson (23:35)
"There is no one silver bullet for anything." — Selena Larson (31:30)
8. Conclusion
As the episode concludes, the hosts reflect on the complexities of modern cybersecurity, acknowledging that while no system is entirely secure, a proactive and informed approach can significantly enhance an organization's resilience against evolving threats. Keith Milarski's insights provide a valuable perspective on the intersection of law enforcement actions and cybercriminal adaptations, underscoring the need for continuous vigilance and adaptive defense mechanisms.
Notable Quotes:
"Is anything ever going to be totally secure? No, because really, a person's on the end of the keyboard, and we all know that that is really the weakest link." — Dave Bittner (34:15)
"There's like multiple ways that threat actors can abuse remote access software and RMM tooling within an environment." — Selena Larson (10:08)
Key Takeaways:
RMM Tools as a New Threat Vector: Cybercriminals are repurposing legitimate RMM software to gain initial access to systems, bypassing traditional malware detection methods.
Impact of Law Enforcement Actions: Operations like Endgame disrupt existing malware operations, forcing threat actors to innovate and adapt their tactics.
Defense in Depth is Crucial: Employing a multi-layered security strategy, including user education, strict software policies, and behavioral monitoring, is essential to counteract sophisticated attack methods.
Continuous Adaptation: The cybersecurity landscape is ever-evolving, necessitating ongoing research, intelligence sharing, and adaptive defense strategies to stay ahead of malicious actors.
Notable Sponsors:
The episode includes a segment from ThreatLocker, a zero-trust endpoint protection platform that emphasizes allowlisting and ring-fencing to enhance organizational security against both known and unknown threats.
Advertisement Highlights:
"ThreatLocker allows you to easily curate an allow list of everything you need in your environment and network and block everything else by default."
"With ThreatLocker allowlisting and ring fencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities."
Final Thoughts:
"Hacking Humans" continues to deliver insightful discussions on the intricacies of cybersecurity, blending expert opinions with actionable strategies to help listeners navigate the complex threat landscape. This episode serves as a crucial resource for understanding the shifting paradigms in cybercrime tactics and the corresponding defense mechanisms necessary to safeguard organizational assets.