Selena Larson
Dave. Dave, look at this. It was just sitting there. Bottom drawer, no label. Not our usual show notes. No production stamp, no sender. Just a manila folder marked 032KM.
Dave Bittner
It wasn't me. I'd have left at least a sticky note. You don't think it's a phishing test, is it? Or oh, oh, oh, oh. Maybe it's fan mail.
Selena Larson
Oh, maybe. But no, it looks like an internal file. Not new either. A little worn at the edges, and someone really went out of their way to get it. Here it says, subject Malarsky, comma Keith.
Dave Bittner
Clearance, top secret status activated. Now that's a name I haven't heard in a while. Talk about a little worn at the edges. Didn't he used to be everywhere and nowhere at the same time?
Selena Larson
Oh, wait, hang on. There's a letter inside. It says, career federal agent. Recognized for significant contributions to dismantling global cybercrime infrastructure. Extensive experience in cyber investigations and international partnerships and threat actor operations.
Dave Bittner
So in other words, he's the kind of guy who joins a podcast and already knows your password.
Keith Malarsky
Don't worry, Dave. Your secrets are safe. Mostly.
Selena Larson
Keith Malarsky, welcome to Only Malware in the Building. We don't have a safe house, but we do have very strong coffee and a lot of strange cyber stories.
Keith Malarsky
That sounds familiar.
Dave Bittner
So what brings you here, Keith? Burned your last alias?
Keith Malarsky
Well, I thought it was time to step out of the shadows and into the conversation.
Selena Larson
Well, you're in the right place. We've got plenty to dig into, malware mischief, and maybe even a mystery or two. Today on Only Malware in the Building, we are going to dive into remote monitoring and management tools and how those are used by threat actors. It's actually perfect timing, Keith. I feel like you are joining us remotely and probably have a lot of fun stories about your own experiences with remotely accessing some top secret spaces.
Keith Malarsky
I could neither confirm nor deny.
Dave Bittner
Oh, my goodness, we have a G man. What did we do to deserve this?
Keith Malarsky
Glad to be here, guys.
Selena Larson
Yeah, we're so excited for you to join us and to talk about some of your research as well that you have taken a look at in terms of how threat actors are using RMM, or remote access software tools, in campaigns. This has been a sort of passion project of mine because I'm very interested in the ever changing threat landscape. So I can't wait to discuss what we have in store today.
Dave Bittner
Well, let's get into it. Set the table for us, Selena. What's the background on what we're talking about here today?
Selena Larson
What's really interesting is based off of some research that we published recently and diving into some of the activity from cyber criminal threat actors over the last few months, what we found is more threat actors are using legitimate remote monitoring and management, or RMM, tools as a first stage payload in email campaigns. This is really a shift because many of our listeners are probably familiar with RMM tools. In fact, they probably use them in their day to day at work. And these are the things that IT uses to monitor and fix your computer. And what's interesting is historically, threat actors have used them as part of an overall attack chain where once they get on a host, then they'll install RMM software and use that as part of the attack chain. In this case, they're being delivered similar to how they deliver Remote Access Trojans or loaders. Right? So it's the first stage. It's almost acting like that first stage malware, which is something that we don't typically see in quite such volumes.
Keith Malarsky
When you think about that though, it's kind of brilliant because when you're thinking about like that first stage that they normally use, which would be like Smoke Loader or some other malware, there are signatures that are usually written for advanced EDR to detect that. But because these are legitimate programs, most people probably won't have detections in place for that. So it's really the brilliance of the threat actors, how they're evolving to our cyber defense going forward.
Dave Bittner
Well, help me understand here for both of you. Is this a case where the bad guys are installing this on the system that they're targeting as an initial access point, or is it a situation where someone may already have this on their system and then the bad guys are taking advantage of that?
Selena Larson
So what I looked at, and Keith can probably speak to the second point, but for the research that we're looking at, it's the first stage. So it's the thing that they're dropping instead of a traditional malware. Like Keith mentioned, Smoke Loader or, you know, historically, things like IcedID or Pikabot, even Remote Access Trojans that we just, you know, would see a lot more frequently. Now, a lot of cyber criminal threat actors are kind of pivoting to legitimate RMM tools. And to Keith's point, it is a little bit of evasion that they're trying to do, right? So they're like, okay, well, you know, my malware isn't working. Defenses are getting better. This is a known piece of software, a piece of malware that will have signatures to detect it. But if this company uses something like Atera, for example, or ScreenConnect, for example, or, you know, any of those enterprise type of RMM tools, they might not flag it as malicious. So it's kind of a clever, crafty way of getting in sort of sideways and trying to masquerade as something legitimate.
Dave Bittner
Keith, what do you make of this?
Keith Malarsky
Yeah, I just think it's kind of a brilliant move. We saw, like Selena was saying, Microsoft reported in March that there was a malvertising campaign through a redirection to GitHub, where there was malware that would host it, that would then drop a stealer and then deploy NetSupport, which is one of the RMM tools, alongside, to gain a foothold. So I think there was an operation called Operation Endgame last year that targeted some of these initial loaders. And I think, you know, Selena, you guys did a great article on that, on how Operation Endgame was very effective and probably affected how the threat actors were pivoting. So I just think, you know, that there was a law enforcement action and now, you know, the threat actors are pivoting, you know, to a new technique.
Dave Bittner
Is it safe or accurate to call this sort of thing living off the land of using pre existing tools, or the fact that they're dropping something that may not have already been on somebody's computer, does that put it in a different category?
Selena Larson
Using RMM tools can be considered living off the land if a threat actor gets on a host and then exploits what's already there. But for the initial access, in many cases, what we see is them actually downloading the RMM payload that doesn't already exist. So it's a new install, they're trying to get a new app loaded on a host. And this is of course from the initial access perspective. Right. So you have threat actors, especially ransomware actors, for a long time once they got on a host, abusing the existing RMM tooling or potentially downloading and installing one as well. But from a first stage perspective, they're just trying to get something there that isn't quite yet already.
Dave Bittner
Is RMM ever a target for things like credential stuffing?
Keith Malarsky
Good question, Dave.
Dave Bittner
For a second, I mean, or is it too far down the chain, where it's likely to be something that IT has installed rather than the user themselves?
Keith Malarsky
Yes, it would be something more that it probably would be installed. You know, the normal corporate person is not going to have access to RMM tools on their desktop computer. It would be more somebody, you know, in IT or cybersecurity that would have that. So generally, if you can get access to one of the systems that they're on, usually those systems have more privileges than your typical user. So if you can get access to, you know, a system that has RMM tools, you probably have better privileges on it.
Selena Larson
Yeah, for sure. And that's something that's also pretty interesting too, right? Like if you're going after domain administration or if you're trying to go after Microsoft 365, like kind of targeting IT tools as a whole is kind of like a supply chain attack, right? So it's a little bit, you know, like there's multiple ways that threat actors can abuse remote access software and RMM tooling within an environment. If something already exists and they can elevate privileges and gain full access to a broader environment, or if they're installing it themselves and positioning for lateral movement throughout an organization, that's another option. So it's really interesting too because, like, from the detection standpoint, right, even initial access, so downloading and installing something on your computer might not necessarily flag as malicious. But also once installed, if you're looking at network traffic, if you see things across the wire, but it's just coming up as the IT monitoring and management tools that either you're already familiar with and use in your environment, that might have the tendency to sort of hide a little bit. And so that's when you have to kind of get into more sort of behavioral detections and less about, you know, what network traffic it is. But what are they doing with that tooling? Like, what commands are they running? What are they trying to access? Is this outside of the baseline activity that we normally see? So while it is kind of clever that these threat actors are trying to abuse legitimate software and services, there are multiple steps that you can take from a defense in depth perspective to prevent that exploitation, even if it's a software that you do run in your environment.
Dave Bittner
Well, I definitely want to get to that part of things, you know, the defense in depth and steps against this. But before we get there, can we talk about kind of the view that you and your team, Selena, had to initially draw your attention to this. And then maybe, Keith, we can contrast that over some of your experiences of the types of stuff that you looked at in your career in the federal government, Selena?
Selena Larson
Yeah, for sure. So one of the reasons why I wanted to look at this, and actually Keith brought it up earlier, is Operation Endgame. So this law enforcement activity that targeted a lot of the initial access loaders and botnets that are responsible for enabling ransomware. It was a big law enforcement activity that disrupted a lot of that. We've talked about this, Dave, on previous episodes. So it's obviously something that I care a lot about and I think it's really great to see the impacts. But what we saw, which was really interesting, is when threat actors lose access to their initial malware, if whatever tool that they're using, their infrastructure, the malware, the providers, the sellers, the malspam distributors, anytime that there's a sort of disruption to their own operations that imposes costs on the adversary and forces them to change their behaviors. And so what we've seen is a decrease in initial access loader malware that we typically would see on the landscape. Some of that was due in part to Operation Endgame. You mentioned Smoke Loader, Keith, but also of course, things like IcedID and Pikabot were also impacted by this. So we've seen this drop off of initial access malware. Interestingly, it also coincides with this increase in remote access tooling distributed as a first stage payload. What's interesting though is it's not one to one. So the actors that we saw delivering Pikabot, for example, are not pivoting to RMM tools. It's newer actors' activity that we necessarily haven't been tracking before as initial access brokers that have kind of emerged to fill a gap almost. And so we have seen a few actors that do have really high volume campaigns and will often distribute ScreenConnect. That's one of the ones that has really emerged in our data since the middle of last year. Also, NetSupport has always been a favorite, right? That's something that we've seen pretty regularly. 
But then we've seen these really random RMM tools that we don't see all that often. So like PDQ Connect, or Atera, Bluetrait, LiteManager, some of these things just kind of like pop up. We might see a few campaigns from them and they might go away or they might stay a little bit more consistent. But it shows an experimentation. It shows that threat actors are trying to figure out what works. And it could be in part because a lot of the access to either the malware, the operators that were there before just aren't there anymore, or it's a response to okay, they're going after malware. What if we tried something else to try and be proactive and prevent some of this future activity? So it's not necessarily a one to one shift, but it does show an example of experimentation across the landscape. And Dave, you know how excited I get to talk about the actor experimentation and TTP changes.
Dave Bittner
I know it's what you live for, truly.
Selena Larson
I know my life is so boring. I just get so happy when they change techniques.
Dave Bittner
Keith, go ahead.
Keith Malarsky
I was just going to say, I mean, I think, you know, exactly what Selena's saying is what we're really seeing in the cyber underground. Because, you know, looking at the chatter and what we're seeing on the underground forums and seeing, you know, what threat actors are talking about, I think, you know, what we started seeing is really beginning late 2024, we saw a handful of actors really start talking about providing access to RMM software and setups as a service, which really kind of goes in line with what you're saying about how there's a shift of these TTPs. So, you know, for example, in December 2024, on one of the big cybercrime forums called Exploit, we saw an actor offering a service for ScreenConnect to access via their on premise solutions. You know, they were selling access starting at like $3,000 per month for a single user, you know, so. And then after that we saw on another forum an advertisement for RMM software services and it claimed users would get a unique copy of the software, a personal domain, custom VPS, no limitations on their usage. So we really started seeing a number of things and then just really, just as recently as last month, we saw another actor offering a service to provide access to officially licensed ScreenConnect software hosted on a cloud based provider. We're starting to see more and more threat actors advertising this and that's probably because they're doing these phishing campaigns, they're getting access to these services and now they can monetize that by offering that as the initial access broker, like they would do when they were doing malware for that initial access.
Selena Larson
Stick around, we'll be right back.
Dave Bittner
And now a word from our sponsor, ThreatLocker. Cyber threats are evolving fast. And if you're still relying on traditional antivirus or reactive tools, you're already a step behind. ThreatLocker takes a fundamentally different approach by putting you in control of exactly what's allowed to run in your environment. It's a proactive, zero trust approach to security where only the applications you've explicitly approved are allowed to execute. No chasing malware, no dependencies on post attack threat detection, just real control that stops threats before they ever get a chance to run. With ThreatLocker, you're not limiting productivity, you're empowering your team to work securely without compromise. It's smarter security that doesn't get in the way. Thousands of IT leaders trust ThreatLocker to protect their organizations from ransomware, zero days and insider threats. Ready to see it in action? Visit threatlocker.com to book a personalized demo. And we thank ThreatLocker for sponsoring our show. Let me ask you this, Keith, as someone who, I think it's fair to say in your time in the government, you were often on team disruption, right?
Keith Malarsky
Yeah.
Dave Bittner
That was part of what you were doing. What consideration did you all give to the downstream effects of your disruption? Like Selena was saying, we saw this interruption with Operation Endgame. It's not one to one, correlation is not causation, but how much thought was given to, you know, if we cut off the head here, three or more are going to grow in its place.
Keith Malarsky
Yeah, well, I mean, well, that's always going to happen with every disruption. People are going to pivot because really, at the end of the day, cyber criminals aren't going to go, oh, you got me guys, I'm done. You know, so, you know, so what I think what goes into these takedowns, you know, like in Operation Endgame and you know, and others that I've been part of, is really, you learn everything you can about that threat and at some point you have to disrupt it, you know, so you have to, for the greater good, you have to take action against that and take that down, knowing that the bad guys are going to pivot. But if you have good intelligence, you're out ahead and you may have good visibility. So you're saying, okay, we have good sources out there, we have undercover operations, we have private partners that are reporting on this. So now let's disrupt this and now we'll have good visibility to see how they're going to pivot in the future. So those are some of the things that kind of go in to the thinking, you know, behind these big disruptions.
Dave Bittner
Yeah, I mean, is that moment usually pretty clear for you and your colleagues? Like, okay, you know, we're coming up on the time when we have to do something here, gang.
Keith Malarsky
Oh yeah. I mean, you know, you have to. And usually how it goes is, you know, that you have to take action before you actually have a solution on how to do it. So you usually say, okay, look, you know, let's just. I'm just going to use Smoke Loader as an example. Look, Smoke Loader is really bad out there. We know it's really bad. Now we have to come up with how are we going to take this down. So generally it's kind of getting great people in the room from private industry to understand how the malware works. How could we come up with a technical solution to really impact this? And so there's a lot of people, you know, that are involved in that, you know, a lot of private industry people, a lot of law enforcement. And usually that's months of planning. I wish it could be as easy as saying, okay, hey, we're going to go do an arrest or impact this next week. But it's usually, you know, a long time in planning.
Dave Bittner
Right. I'm going to hit the big red button on my desk and it'll all just turn off.
Keith Malarsky
Right, that easy button.
Dave Bittner
Yeah.
Selena Larson
When you're planning some of these takedowns, do you try and anticipate what comes next? So like, are you thinking, okay, if we do this, they'll probably change their behavior to this. So we have to make sure that we have visibility here or we have, you know, eyes here, or we are alerting potentially impacted organizations that this is coming. Like how forward thinking are you when it comes to operational disruptions?
Keith Malarsky
I wish I could say that we've always been that forward thinking, you know, usually from the government, you know, with a lot of admin stuff involved. You're usually just trying to impact the threat that you can. And there's like a lot of things that go into like Operation Endgame that you were talking about, you know, that I think, I believe that was one of the very first operations where they actually did an uninstall, that they had to get legal authority to actually uninstall this, you know, this piece of malware. So when you think about that, there's a lot that goes into that because you're talking about many different jurisdictions around the world. You know, the German BKA, which led this Operation Endgame, you know, if they were going to do uninstalls in the United States, they can't. That would really be breaking the laws of the United States. So there is a lot of coordination and a lot of legal things that go in when you're going to do a big takedown like that. And then even once you get that technical solution, like really how are you going to sinkhole and make the victims not, you know, so there's really a lot of coordination that goes into that. So I think more in the takedowns you're thinking about those things as opposed to really kind of where the bad guys are pivoting, which unfortunately is usually wrapped up in some of those things.
Dave Bittner
Well, I mean, let's dig into the prevention and mitigation here. Selena, what did you all come up with here in terms of strategies?
Selena Larson
Of course. So one of the most important things obviously is, and we always say this about phishing, is user training and understanding what the landscape looks like and making sure that your users and your organization are aware of this also, and perhaps especially from an IT perspective, kind of knowing what the landscape looks like, knowing and understanding what some of the social engineering is. So, you know, if someone gets asked a question like, hey, I got this, they're prepared with an answer. The other thing too is to make sure that, you know, your users aren't allowed to sort of download and install some of this remote access software, right? Like really restrict the download and installation of any of these tools that are not approved and confirmed by an organization's IT admins. I think that that's something that is just general best practices. Don't install things that are not approved. But also from the perspective of like, if you're thinking about SOC and implementing defense and thinking about behavioral characteristics, so looking at some network signatures or some traffic abnormalities that you can write signatures on to see if those are detected within your environment, obviously having a sort of baseline behavior that is known and understood by your network security protection, and if it deviates from the baseline to be alerted. But I think it really also kind of comes down to this idea of how and why people are kind of like downloading, installing this stuff. And from a user training perspective, I think it's so helpful to know what the landscape looks like and you can tell your security teams, you know, really what to look out for. And I think too, this, we're talking a little bit about kind of like forcing change. And this was an activity that was forced change, like that defense made them change their behavior. 
And I think once it gets to a point where, okay, organizations are aware that RMM tooling is being abused and they're implementing some of these best practices and making it a lot harder for RMM tools to be an initial access method, they're going to kind of pivot to something else. And what that something else is I think is still, you know, it's still out there. But information stealers are obviously kind of gaining a lot of traction in the landscape. Different types of malware that are a little bit less complicated, but the attack chains are a little bit more clever. So knowing and understanding and sort of anticipating, like, what comes next is the job of us as threat researchers and hopefully being able to anticipate and provide solutions for when that happens. So when we see these emerging threats come on the landscape, we say, hold on, this is what's happening. Here's how you can defend yourself. But Keith, I'm curious, do you have any additional thoughts in terms of how organizations can protect themselves from RMM exploitation?
Keith Malarsky
Absolutely. I think it's really the key of what you're saying. You need to have intelligence drive operations. You need to really understand who your adversary is that you're going up against. You know, so really understanding how there's this pivot and then being able to use and understand those TTPs in your threat hunting, in your compromise assessments, you know, having alerts in your SIEM when you're just out there hardening your networks, you need to know what the threat actors are doing and abusing and setting up the detections and be looking for that. So knowing your adversary, having intelligence to drive operations is really the key to this.
Selena Larson
I have a question, you guys. Do you think it's gotten harder to be a security practitioner at a large organization since Microsoft disabled macros by default?
Dave Bittner
That's an interesting question because I was going to say, has anybody ever said that having macros enabled by default made anyone's life easier?
Selena Larson
Well, no, but I feel like that is kind of what has kickstarted this current sort of era of experimentation and fracturing of different attack chains and collaboration between various threat actors who are responsible for each new component of the attack chain. Because it used to be just like, oh, the security, you know, like, like, what do we do against this threat? It's like, well, don't download macros. Like, don't, don't enable macros, like disable macros.
Dave Bittner
Right?
Selena Larson
Yeah, but now we have all of these different, like, delivery attack chains, all these different malware types, or even like Dave, you were mentioning earlier, like living off the land binaries and scripts, like a lot of these other techniques. So I don't know, I'm just curious as you're both much more experienced than I am.
Dave Bittner
Well, one of us is. It's not me.
Selena Larson
You've been in the game for considerably longer. Yeah, I'm just curious what your thoughts.
Dave Bittner
Are you subtly just trying to point out how much older we are than you, Selena? Is that what's going on here?
Keith Malarsky
I think that's what's going on, Dave.
Dave Bittner
So, I mean, not that there's any denying it, but gosh, I mean, you don't have to come right at us. The well worn edges, the well worn edges. Yeah. Believe me, believe me, they are fraying.
Keith Malarsky
It's funny just to share a story, you know, I was at a conference last week and, you know, usually I was always one of the younger guys at the conference. And it's been a while since I've been at the conference and I just looked around, I'm like, I'm the old guy now.
Dave Bittner
That's right. Yeah. Isn't it great? Isn't it great? Your day will come, Selena. Your day will come.
Selena Larson
I mean, hey, it's already coming. I am, you know, like all of the zoomers out there who are taking over the cyber landscape with their TikToks. I can't compete well.
Dave Bittner
So, Keith, do you have an answer to that about the macros?
Keith Malarsky
I really don't, you know, have an assessment other than what you guys have said. You know, I think you guys are spot on in your assessment.
Dave Bittner
Let me ask you this. Do we have thoughts? If I'm responsible for defending my organization, if I'm, you know, in a leadership position to do that, and I'm looking at my choice between block lists and allow lists for installing software, my initial sort of, you know, uninformed thought would be, well, I want to go with an allow list, so. Because who knows what's out there that I haven't thought of, you know, so I want to make sure so that they can only put the things on their computer that I pre approved. On the other hand, oh, I have to manage all those tickets. Right. So how do you balance those things?
Keith Malarsky
Yeah, I mean, I think whitelisting is definitely the best way to do it. But I mean, the problem in, you know, is in this case is if you whitelist some of the RMM tools. So you really just have to look at it as going back to that least privilege, who should have access to this and who should be able to use that and really having that least privilege across your network to really limit not only the installation of these tools, who's using that, but who's able to then pivot across your network.
Dave Bittner
Selena, you concur?
Selena Larson
Yeah, I think definitely the principle of least privilege. I also think this idea of threat actors going after identity over just in general, trying to be better about social engineering to have a higher efficacy rate and going after the identity, whether that's through account takeover that can then be pivoted and install malware, or if that's, you know, posing as an IT admin to try and gain access to a specific user, whether that's kind of preying on a little bit more of the human side of things as opposed to just blasting at large millions of emails to try and gain initial access or just password spraying at scale. I think there is a little bit of that idea as well. And so in terms of a solution, obviously restricting as much as possible in this idea of defense in depth, there is no one silver bullet for anything. And it's important that you as an organization are, you know, mindful of the risks. Right. Because not all organizations are going to have the same, you know, the same risk and the same resources to manage them. Of course. But this idea of, okay, understanding that it is likely that you might get hacked, but what controls are in place to prevent the exploitation as much as possible. And so obviously you want to train users and make sure that they're not doing things. But okay, yes, let's say if they did click on a malicious link, for example, that led to the download of a Visual Basic script, does your organization allow that script to be downloaded and opened in anything but a text file? So having mapping, figuring out what are the areas of exploitation and making sure that you have gates at each step of the way can go pretty far. So I wouldn't necessarily say like allow listing or block listing is definitely the solution. It's one component of an overall strategy that I, I mean like defense in depth. Like every time you have to say like, take a shot or something, like.
Dave Bittner
It's just... Right, right. Multi factor authentication.
Keith Malarsky
Drink.
Selena Larson
Yeah, like secure by design.
Dave Bittner
Don't click the links.
Selena Larson
Yeah, but like, but in reality it's making sure that you know at each step of the way. Like if you think of like an organization as your home, and certainly not my home because my home is currently flooded as we are recording this podcast. But in a home that is secure and well maintained, you have locks on your doors. But you also don't necessarily, like, leave your computer unlocked. So there's, you know, if somebody does get in, they're not going to be able to know your password and put in your password. Maybe they won't be able to get to a lockbox or you're keeping your documents in a container that's like hidden away and password protected. So, you know, there's like, at each step of the way, imposing cost to an adversary, I think is really important. And so it's. Yeah, I think, you know, there used to be this idea that like indicators of compromise and just block everything was like the best solution, but now, like, it's so much, it's shifted so much away from IOCs to threat behaviors. And again, like, living off the land is so common. And so you need to know the malicious behaviors, not necessarily the malicious binaries, because they're not. They're using, you know, like legitimate scripts and binaries in your environment. So, yeah, it's. I don't. I feel like it's gotten harder. I don't know.
Keith Malarsky
Yeah, it definitely hasn't gotten easier, for sure. Just like what you were saying, Selena, really, that behavior is really the key. If you understand who your threat actors are, who's going to attack you, you really kind of understand, along the MITRE ATT&CK framework, how that threat actor is going to pivot for their attacks. Because, look, for the most part, every now and then, there is something very unique and novel that we'll see in an attack maybe once or twice a year. But for the most part, the majority of the attacks that we're going up against are routine, that we see over and over again. So if you understand really who your adversaries are and how they're going to attack you along the MITRE ATT&CK framework, you can put those behavior things in place. You could put the network detections in place to make yourself secure. Is anything ever going to be totally secure? No. Because really, at the end of the day, a person's on the end of the keyboard, and we all know that that is really the weakest link, I think would be the perfect. You are the weakest link.
Dave Bittner
So nothing is foolproof for a talented fool.
Keith Malarsky
Indeed.
Selena Larson
I think the solution is to live in the woods.
Dave Bittner
Hey, I'm, I'm there. The cabin. Go look. Yeah, go. Go live in a cabin in the woods with a. With a friendly Sasquatch and just call it, call it a day.
Selena Larson
There's more to come after the break.
Dave Bittner
I think we've covered it here, guys. This is interesting stuff. And thank you, Keith, so much for joining us here. I'm looking forward to having you back next time.
Keith Malarsky
My pleasure.
Dave Bittner
And Selena, always a pleasure. I learned so much and, you know, you guys remind me just how much I have to learn. So, always a pleasure.
Selena Larson
This is so fun. It's great chatting. And Keith, welcome to Only Malware in the Building.
Keith Malarsky
Glad to be here, guys. Thanks for being, you know, for inviting me and glad to be part of the team.
Selena Larson
And that's Only Malware in the Building. Brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead of the ever-evolving world of cybersecurity. If you like the show, please share a rating and review in your favorite podcast app. This episode was produced by Liz Stokes. Mixing and sound design by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher.
Dave Bittner
I'm Dave Bittner.
Keith Malarsky
I'm Keith Malarsky.
Selena Larson
And I'm Selena Larson. Thanks for listening.
Dave Bittner
And we thank ThreatLocker for sponsoring our show. ThreatLocker Application Allowlisting, Ringfencing, Network Control, and EDR solutions enhance cybersecurity postures and streamline internal IT and security operations. Learn how at threatlocker.com.
Podcast Summary: "The RMM Protocol: Remote, Risky, and Ready to Strike"
Podcast Information
In this episode of Only Malware in the Building, hosts Selena Larson and Dave Bittner delve into the evolving landscape of cyber threats, focusing on the increasing misuse of Remote Monitoring and Management (RMM) tools by threat actors. The episode features a special guest, former federal agent Keith Malarsky, who brings invaluable insights from his extensive experience in cyber investigations and dismantling global cybercrime infrastructures.
The episode kicks off with an unexpected discovery by Selena Larson and Dave Bittner. Selena finds an unmarked manila folder labeled "032KM" in a bottom drawer, sparking curiosity about its origins and contents. This mysterious file leads them to Keith Malarsky, setting the stage for a deep dive into RMM tools in cybercrime.
Keith Malarsky, a career federal agent recognized for his significant contributions to dismantling global cybercrime infrastructure, joins the podcast to discuss the strategic shift in cybercriminal tactics. His arrival is marked by a playful exchange, highlighting his discreet yet impactful role in cybersecurity.
The core discussion revolves around the recent trend of cybercriminals leveraging legitimate RMM tools as initial access points in their campaigns. Traditionally, threat actors employed malware like Smoke Loader or IcedID as first-stage payloads. However, there is a notable shift towards using RMM software to bypass traditional security measures.
Selena Larson [03:42]: "What we're talking about here today... they found that more threat actors are using legitimate remote monitoring and management, or RMM tools as a first stage payload in email campaigns."
Keith Malarsky [04:43]: "When you think about that though, it's kind of brilliant because... these are legitimate programs, most people probably won't have detections in place for that."
This approach improves evasion: because RMM tools are legitimate software already trusted within many organizational environments, their presence and network traffic are less likely to trigger detections tuned for conventional malware.
A significant portion of the discussion centers on Operation Endgame, a pivotal law enforcement initiative that targeted initial access loaders and botnets responsible for ransomware attacks. The operation's disruption of malware like Smoke Loader and Pikabot has forced threat actors to adapt by exploring alternative methods, including the use of RMM tools.
Keith elaborates on how the operation led to a diversification in cybercriminal strategies, with newer actors experimenting with various RMM tools to maintain their foothold.
Keith Malarsky sheds light on the underground cybercrime economy, where threat actors are now offering access to RMM software as a service. This monetization strategy allows them to sell access to legitimate RMM tools, enhancing their operational capabilities and revenue streams.
This trend underscores the sophistication and adaptability of cybercriminals in leveraging legitimate tools for malicious purposes.
The hosts and Keith Malarsky discuss robust strategies to counteract the misuse of RMM tools:
User Training and Awareness:
Restricting Unauthorized Software Installations:
Behavioral Detection and Network Monitoring:
A notable segment of the episode debates the efficacy of allow lists (whitelisting) versus block lists in enhancing organizational security:
Dave Bittner [28:42]: "If I'm responsible for defending my organization... should I go with an allow list because... ensuring only pre-approved applications run?"
Keith Malarsky [28:42]: "Whitelisting is definitely the best way... but you have to implement least privilege across your network."
Selena Larson [29:20]: "Defense in depth is essential... it's not just about allow lists or block lists, but implementing multiple layers of security."
The consensus leans towards a multi-faceted defense strategy: an allow list is the stronger control, but it is only effective when paired with least privilege (so that even an approved tool can be run only by the accounts that need it) and with continuous monitoring of behavior rather than reliance on known-bad indicators alone.
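To make the allow list versus block list debate concrete, here is an added example (not code from the podcast, its hosts or its guest) that runs a few constructed process-creation events through three defender-side checks: a name-based block list, a hash-based allow list paired with per-role permissions (the least-privilege point from the episode), and a simple behavioral check in the spirit of Selena's "threat behaviors, not IOCs" remark. Every event, byte string, hash and role mapping is a constructed placeholder; the "binaries" are short byte strings standing in for real executables.

```python
"""Allow list vs block list on constructed process-creation events.

Added example, not from the podcast or its guests. All events, "binaries",
hashes and policy entries below are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    user: str          # account that launched the process
    image_name: str    # file name on disk at launch time
    content: bytes     # file bytes (constructed; stands in for the real binary)
    parent: str        # parent process image name

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Constructed "binaries": the bytes stand in for real executables.
APPROVED_RMM = b"approved-rmm-agent-v1 (constructed)"
ROGUE_RMM = b"unapproved-rmm-installer (constructed)"
OFFICE_APP = b"office-suite (constructed)"

# Block list keyed on file name, to show the weakness the episode discusses:
# an attacker who renames the file is no longer matched.
BLOCKED_NAMES = {"rogue_rmm.exe"}

# Allow list keyed on content hash (renaming does not change it), with the
# roles permitted to run each entry. This is the least-privilege pairing
# Keith describes: the RMM agent is approved, but only for IT admins.
ALLOWED = {
    hashlib.sha256(APPROVED_RMM).hexdigest(): {"it_admin"},
    hashlib.sha256(OFFICE_APP).hexdigest(): {"it_admin", "staff"},
}
USER_ROLES = {"alice": "staff", "bob": "it_admin"}  # constructed directory

# Parents from which an RMM or installer launch deserves a second look.
MAIL_AND_BROWSER_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe"}


def blocklist_decision(ev: ProcessEvent) -> str:
    """Block by file name; anything not on the list is allowed to run."""
    return "block" if ev.image_name.lower() in BLOCKED_NAMES else "allow"


def allowlist_decision(ev: ProcessEvent) -> str:
    """Allow only known hashes, and only for the roles permitted to run them."""
    roles = ALLOWED.get(ev.sha256)
    if roles is None:
        return "block: unknown binary"
    if USER_ROLES.get(ev.user) not in roles:
        return "block: role not permitted"
    return "allow"


def behaviour_alerts(ev: ProcessEvent) -> list[str]:
    """Behaviour-style check that does not depend on the binary's identity:
    a process spawned directly by a mail client or browser is flagged even
    if it is on the allow list, since that is how emailed payloads start."""
    alerts = []
    if ev.parent.lower() in MAIL_AND_BROWSER_PARENTS:
        alerts.append(f"{ev.image_name} spawned by {ev.parent}")
    return alerts


def evaluate(events):
    """Return (image_name, blocklist, allowlist, alerts) for each event."""
    return [
        (ev.image_name, blocklist_decision(ev), allowlist_decision(ev), behaviour_alerts(ev))
        for ev in events
    ]


# Constructed events covering the cases the episode contrasts.
EVENTS = [
    ProcessEvent("alice", "rogue_rmm.exe", ROGUE_RMM, "outlook.exe"),       # caught by both lists
    ProcessEvent("alice", "invoice_viewer.exe", ROGUE_RMM, "outlook.exe"),  # renamed: evades block list
    ProcessEvent("alice", "rmm_agent.exe", APPROVED_RMM, "explorer.exe"),   # approved tool, wrong role
    ProcessEvent("bob", "rmm_agent.exe", APPROVED_RMM, "explorer.exe"),     # legitimate admin use
    ProcessEvent("alice", "office.exe", OFFICE_APP, "explorer.exe"),        # everyday allowed software
]

if __name__ == "__main__":
    for name, blocked, allowed, alerts in evaluate(EVENTS):
        print(f"{name:20} blocklist={blocked:6} allowlist={allowed:24} alerts={alerts}")
```

The second event is the one that matters: the same unapproved RMM installer, renamed to look like an invoice viewer, sails past the name-based block list but is still rejected by the hash-based allow list, and the parent-process check flags it regardless of either list. The third event shows why Keith's least-privilege caveat is needed: an approved RMM agent is still blocked when a non-admin account tries to run it.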
As the episode wraps up, the hosts reflect on the challenges and evolving nature of cybersecurity:
Selena Larson [31:36]: "At each step of the way, imposing cost to an adversary is really important."
Keith Malarsky [32:56]: "Understanding who your adversaries are and how they're going to attack you helps in setting up effective defenses."
The discussion underscores the importance of proactive, intelligence-driven security measures and the necessity for organizations to adapt continuously to the ever-changing threat landscape.
The episode concludes with gratitude to Keith Malarsky for his invaluable insights and a reminder of the constant vigilance required in the realm of cybersecurity.
Conclusion
This episode of Only Malware in the Building provides a comprehensive exploration of the strategic shift towards using RMM tools in cybercrime. Through expert insights from Keith Malarsky and in-depth discussions, listeners gain a nuanced understanding of current threats and effective defense mechanisms. The conversation emphasizes the importance of adaptability, intelligence-driven strategies, and a multi-layered defense approach in safeguarding against sophisticated cyber threats.