Podcast Summary: "The RMM Protocol: Remote, Risky, and Ready to Strike"
Podcast Information
- Title: Hacking Humans
- Host/Author: N2K Networks
- Description: Deception, influence, and social engineering in the world of cybercrime.
- Episode: The RMM Protocol: Remote, Risky, and Ready to Strike
- Release Date: May 6, 2025
Introduction
In this episode of Hacking Humans, hosts Selena Larson and Dave Bittner delve into the evolving landscape of cyber threats, focusing on the increasing misuse of Remote Monitoring and Management (RMM) tools by threat actors. The episode features a special guest, former federal agent Keith Malarsky, who brings invaluable insights from his extensive experience in cyber investigations and dismantling global cybercrime infrastructures.
Discovery of the Intriguing File
The episode kicks off with an unexpected discovery by Selena Larson and Dave Bittner. Selena finds an unmarked manila folder labeled "032KM" in a bottom drawer, sparking curiosity about its origins and contents.
- Selena Larson [00:05]: "Dave, Dave, look at this. It was just sitting there. Bottom drawer, no label. Not our usual show notes. No production stamp, no sender. Just a manila folder marked 032KM."
This mysterious file leads them to Keith Malarsky, setting the stage for a deep dive into RMM tools in cybercrime.
Introducing Keith Malarsky
Keith Malarsky, a career federal agent recognized for his significant contributions to dismantling global cybercrime infrastructure, joins the podcast to discuss the strategic shift in cybercriminal tactics.
- Keith Malarsky [01:22]: "Don't worry, Dave. Your secrets are safe. Mostly."
His arrival is marked by a playful exchange, highlighting his discreet yet impactful role in cybersecurity.
Shift to RMM Tools in Cyber Threats
The core discussion revolves around the recent trend of cybercriminals delivering legitimate RMM tools as the first-stage payload of email campaigns. Traditionally, threat actors used purpose-built loaders such as SmokeLoader or IcedID for that role. There is now a notable shift towards RMM software, which is signed by a real vendor, commercially supported and frequently already permitted on endpoints, so it slips past controls tuned for malware.
- Selena Larson [03:42]: "What we're talking about here today... they found that more threat actors are using legitimate remote monitoring and management, or RMM tools as a first stage payload in email campaigns."
- Keith Malarsky [04:43]: "When you think about that though, it's kind of brilliant because... these are legitimate programs, most people probably won't have detections in place for that."
This approach improves evasion because the tooling is trusted by default: the binary carries a valid vendor signature, the same product may already be in use by the IT department, and its traffic goes to the vendor's own infrastructure rather than to attacker-controlled servers, so neither file-based nor network-signature detections have anything obviously malicious to match on.
Impact of Law Enforcement Actions: Operation Endgame
A significant portion of the discussion centers on Operation Endgame, the coordinated law enforcement action of May 2024 that targeted the initial access loaders and botnets feeding ransomware attacks. The disruption of loaders such as SmokeLoader and Pikabot has forced threat actors to adapt by exploring alternative methods, including the use of RMM tools.
- Selena Larson [11:35]: "Operation Endgame... disrupted a lot of initial access malware... which coincides with this increase in remote access tooling distributed as a first stage payload."
Keith elaborates on how the operation led to a diversification in cybercriminal strategies, with newer actors experimenting with various RMM tools to maintain their foothold.
Cybercriminals Offering RMM Access as a Service
Keith Malarsky sheds light on the underground cybercrime economy, where threat actors now offer access to RMM software as a service: licensed instances of a legitimate product, hosted with a cloud provider, sold to other criminals who then deploy its client as their payload. This lets a seller monetize the infrastructure and lets buyers skip building and maintaining their own.
- Keith Malarsky [16:10]: "We're starting to see more and more threat actors advertising this... offering access to officially licensed Screen Connect software hosted on a cloud-based provider."
This trend underscores the sophistication and adaptability of cybercriminals in leveraging legitimate tools for malicious purposes.
Prevention and Mitigation Strategies
The hosts and Keith Malarsky discuss robust strategies to counteract the misuse of RMM tools:
- User Training and Awareness:
  - Selena Larson [22:08]: "One of the most important things... is user training and understanding what the landscape looks like."
- Restricting Unauthorized Software Installations:
  - Implementing application control so that only the organization's sanctioned RMM product can be installed and run; any other RMM binary is unapproved by definition and should be blocked and investigated.
- Behavioral Detection and Network Monitoring:
  - Shifting focus from network traffic signatures, which are weak when the traffic goes to a legitimate vendor's cloud, to behavioral indicators: how the binary arrived (mail attachment, browser download), which process launched it, whether it runs from a user-writable directory rather than an IT-managed install path, and whether the instance it connects to belongs to the organization.
  - Keith Malarsky [24:58]: "You need to have intelligence drive operations... understanding how these threat actors are attacking helps in setting up effective detections."
Debate on Security Practices: Allow Lists vs. Block Lists
A notable segment of the episode debates the efficacy of allow lists (whitelisting) versus block lists in enhancing organizational security:
- Dave Bittner [28:42]: "If I'm responsible for defending my organization... should I go with an allow list because... ensuring only pre-approved applications run?"
- Keith Malarsky [28:42]: "Whitelisting is definitely the best way... but you have to implement least privilege across your network."
- Selena Larson [29:20]: "Defense in depth is essential... it's not just about allow lists or block lists, but implementing multiple layers of security."
The consensus leans towards a multi-faceted defense strategy, emphasizing the principle of least privilege and continuous monitoring.
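The mitigation list above and the allow-list discussion both come down to the same two controls: an allow list of the RMM products the organization actually sanctions, and behavioral rules on how an RMM binary arrived and where it runs from. The following is an added example, not code from the episode or from N2K Networks, that runs both a name-based block list and an allow list with behavioral checks over constructed process-creation events. The signer strings, install paths, product lists and sample events are assumptions for illustration; in production the events would come from Sysmon Event ID 1 or an EDR process feed, and the lists from the organization's own RMM inventory and threat intelligence.

```python
"""RMM-as-first-stage detection: block list versus allow list plus behavioral rules.

Added example (not from the episode). All lists and events below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    signer: str         # Authenticode publisher, "" if unsigned
    user: str           # account the process runs as


# Allow list (assumption): publisher of the one sanctioned RMM product mapped to
# the directory prefix IT installs it under. Anything else is unapproved.
APPROVED_RMM = {
    "Connectwise, LLC": r"c:\program files (x86)\screenconnect client",
}

# Block list (assumption): executable names a name-only deny rule would catch.
BLOCKED_RMM_NAMES = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe", "ateraagent.exe"}

# Publishers of RMM products seen abused (assumption: starter list to extend from
# your own intel). Matching on the signer survives a renamed executable.
RMM_SIGNERS = {
    "Connectwise, LLC", "AnyDesk Software GmbH", "TeamViewer Germany GmbH",
    "Splashtop Inc.", "Atera Networks Ltd",
}

# Parents that indicate a user-delivered install (mail client or browser) rather
# than an IT deployment started by the service control manager.
DELIVERY_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

USER_WRITABLE_MARKERS = ("\\downloads\\", "\\desktop\\", "\\appdata\\local\\temp\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return p.startswith("c:\\users\\") and any(m in p for m in USER_WRITABLE_MARKERS)


def block_list_findings(ev: ProcessEvent) -> list[str]:
    """Name-only deny rule: fires only when the executable keeps its vendor name."""
    name = _basename(ev.image)
    return [f"blocked RMM executable: {name}"] if name in BLOCKED_RMM_NAMES else []


def allow_list_findings(ev: ProcessEvent) -> list[str]:
    """Allow list plus behavioral rules; returns an empty list for sanctioned use."""
    name = _basename(ev.image)
    if ev.signer not in RMM_SIGNERS and name not in BLOCKED_RMM_NAMES:
        return []  # not an RMM product we know about
    findings = []
    expected_dir = APPROVED_RMM.get(ev.signer)
    if expected_dir is None:
        findings.append(f"unapproved RMM product: {ev.signer or name}")
    elif not ev.image.lower().startswith(expected_dir):
        findings.append(f"approved RMM outside sanctioned path: {ev.image}")
    parent = _basename(ev.parent_image)
    if parent in DELIVERY_PARENTS:
        findings.append(f"RMM launched by {parent}: user-delivered install")
    if _in_user_writable_dir(ev.image):
        findings.append("RMM running from a user-writable directory")
    return findings


# Constructed events: one sanctioned install, then three payload-style launches.
SAMPLE_EVENTS = [
    ProcessEvent(  # IT-deployed client started by the service control manager
        image=r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
        parent_image=r"C:\Windows\System32\services.exe",
        signer="Connectwise, LLC", user="NT AUTHORITY\\SYSTEM"),
    ProcessEvent(  # licensed client of an attacker's cloud-hosted instance, via mail
        image=r"C:\Users\jdoe\Downloads\Invoice_4471.exe",
        parent_image=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        signer="Connectwise, LLC", user="CORP\\jdoe"),
    ProcessEvent(  # renamed AnyDesk dropped by a browser download
        image=r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
        parent_image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        signer="AnyDesk Software GmbH", user="CORP\\jdoe"),
    ProcessEvent(  # AnyDesk under its own name, the only case a name deny rule sees
        image=r"C:\Users\jdoe\Downloads\AnyDesk.exe",
        parent_image=r"C:\Windows\explorer.exe",
        signer="AnyDesk Software GmbH", user="CORP\\jdoe"),
]


def compare_modes(events=SAMPLE_EVENTS) -> list[tuple[int, int]]:
    """Return (block-list hits, allow-list hits) per event to expose the coverage gap."""
    return [(len(block_list_findings(e)), len(allow_list_findings(e))) for e in events]


if __name__ == "__main__":
    for ev, counts in zip(SAMPLE_EVENTS, compare_modes()):
        print(_basename(ev.image), counts, allow_list_findings(ev))
```

The comparison is the point of the block: the name-based block list fires on one of the three malicious launches, while the allow list catches all three, including the licensed ScreenConnect client that is the organization's own approved product but running from a Downloads folder under Outlook. Keying the allow list on publisher and install path rather than file name is what makes the renamed binaries visible.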
Final Thoughts and Conclusion
As the episode wraps up, the hosts reflect on the challenges and evolving nature of cybersecurity:
- Selena Larson [31:36]: "At each step of the way, imposing cost to an adversary is really important."
- Keith Malarsky [32:56]: "Understanding who your adversaries are and how they're going to attack you helps in setting up effective defenses."
The discussion underscores the importance of proactive, intelligence-driven security measures and the necessity for organizations to adapt continuously to the ever-changing threat landscape.
- Selena Larson [34:28]: "This is interesting stuff. Thank you, Keith, so much for joining us here."
The episode concludes with gratitude to Keith Malarsky for his invaluable insights and a reminder of the constant vigilance required in the realm of cybersecurity.
Notable Quotes with Timestamps
- Keith Malarsky [01:22]: "Don't worry, Dave. Your secrets are safe. Mostly."
- Keith Malarsky [04:43]: "When you think about that though, it's kind of brilliant because... these are legitimate programs, most people probably won't have detections in place for that."
- Selena Larson [11:35]: "Operation Endgame... disrupted a lot of initial access malware... which coincides with this increase in remote access tooling distributed as a first stage payload."
- Keith Malarsky [16:10]: "We're starting to see more and more threat actors advertising this... offering access to officially licensed Screen Connect software hosted on a cloud-based provider."
- Selena Larson [22:08]: "One of the most important things... is user training and understanding what the landscape looks like."
- Keith Malarsky [24:58]: "You need to have intelligence drive operations... understanding how these threat actors are attacking helps in setting up effective detections."
- Dave Bittner [28:42]: "If I'm responsible for defending my organization... should I go with an allow list because... ensuring only pre-approved applications run?"
- Selena Larson [31:36]: "At each step of the way, imposing cost to an adversary is really important."
Conclusion
This episode of Hacking Humans provides a comprehensive exploration of the strategic shift towards using RMM tools in cybercrime. Through expert insights from Keith Malarsky and in-depth discussions, listeners gain a nuanced understanding of current threats and effective defense mechanisms. The conversation emphasizes the importance of adaptability, intelligence-driven strategies, and a multi-layered defense approach in safeguarding against sophisticated cyber threats.