Risky Business Podcast Summary
Title: Wide World of Cyber: How State Adversaries Attack Security Vendors
Host: Patrick Gray
Guests: Alex Stamos (CIO/CISO, SentinelOne) and Steve Stone (SVP of Threat Discovery and Response, SentinelOne)
Release Date: May 9, 2025
1. Introduction and Context
In this episode of Risky Business, host Patrick Gray examines how state-sponsored adversaries target security vendors. Chris Krebs had been scheduled as the guest, but a change of plans put Alex Stamos and Steve Stone in the seat to discuss SentinelOne's latest research on North Korean and Chinese advanced persistent threat (APT) activity and on ransomware operations.
2. North Korean Threat Actors Targeting SentinelOne
Steve Stone opens the discussion by describing SentinelOne's experience with North Korean operators trying to get inside the company through its hiring pipeline.
- Persistent Infiltration Attempts:
  [Steve Stone, 02:48]: "We've spent probably five months actively working against the North Koreans applying. We've seen almost 370 distinct personas. They've sent in more than 1,000 applications..."
- Sophisticated Tactics: Rather than discarding suspicious resumes immediately, SentinelOne kept engaging with the applicants to learn more about their intentions. The prolonged interaction exposed the patterns and strategies the North Korean operators use, and the persistence and scale behind them.
Patrick Gray notes that these applicants avoid on-camera interviews, which he suggests may be an adaptation to how candidates are now scrutinized; legitimate applicants, by contrast, tend to do well in live interviews.
3. Evolution and Scale of North Korean TTPs
The conversation shifts to how North Korean tactics, techniques, and procedures (TTPs) have evolved.
- Increased Scale:
  [Steve Stone, 05:55]: "What the North Koreans have now, which they didn't have previously, is scale."
- Adaptation of Old Methods: North Korea continues to use long-standing intrusion methods but now runs them at massive scale. Its track record in cryptocurrency theft shows how adaptable and resourceful it is.
Alex Stamos adds that SentinelOne is singled out because of its large footprint in the cryptocurrency industry, which makes the company one piece of the larger puzzle North Korean intelligence is after.
4. Ransomware Operators and EDR Bypass
The discussion turns to ransomware groups and how they deal with Endpoint Detection and Response (EDR) systems.
- EDR Console Exploitation:
  [Steve Stone, 14:27]: "They effectively are acting like a prospect or a customer... they're trying to steal credentials and log in to consoles."
- Evolving Tactics: Ransomware operators used to simply disable the EDR. Now they take subtler approaches, such as changing the console configuration so that their activity goes unseen while protection appears to remain in place.
Patrick Gray points to how often EDR bypasses succeed and asks how common it is for a well-configured EDR deployment to be compromised.
Alex Stamos answers that single sign-on (SSO) is a weak point: whoever compromises an administrative SSO identity inherits that administrator's access to the EDR console and, with it, broad control over the EDR deployment.
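The tactic above, an intruder with stolen console credentials quietly weakening protection instead of switching the agent off, leaves traces in the EDR console's own audit trail. The following is an added example, not code from the episode or from SentinelOne: it parses a constructed JSON-lines audit log, ties each protection-weakening action back to the console login that started the session, and rates the action higher when that login came from an address outside the administrator's baseline, skipped MFA, or is one of a burst of changes in the same session. The log format, field names, action names (`policy.exclusion.add`, `agent.uninstall`, and so on) and the `KNOWN_SOURCES` baseline are all invented for the example.

```python
"""Flag EDR console audit events that weaken protection instead of disabling the
agent, and tie each change back to the console login behind it. Every schema
detail below (fields, action names, KNOWN_SOURCES) is invented for this example."""
import json
from datetime import datetime, timedelta

# Console actions that reduce protection (invented names).
TAMPER_ACTIONS = {
    "policy.exclusion.add": "detection exclusion added",
    "policy.mitigation.set_detect_only": "mitigation downgraded to detect-only",
    "policy.notifications.disable": "threat notifications disabled",
    "agent.protection.disable": "agent protection disabled",
    "agent.uninstall": "agent uninstalled",
}

# Source addresses each admin normally logs in from (constructed baseline).
KNOWN_SOURCES = {"admin@corp.example": {"203.0.113.10"}, "ops@corp.example": {"203.0.113.22"}}

# Constructed sample audit log (JSON lines); not data from any real tenant.
SAMPLE_LOG = r"""
{"ts":"2025-05-06T01:02:00Z","user":"admin@corp.example","session":"s1","action":"auth.login","src_ip":"203.0.113.10","mfa":true}
{"ts":"2025-05-06T01:05:30Z","user":"admin@corp.example","session":"s1","action":"policy.exclusion.add","target":"C:\\Backup\\*"}
{"ts":"2025-05-06T02:10:00Z","user":"admin@corp.example","session":"s2","action":"auth.login","src_ip":"198.51.100.77","mfa":false}
{"ts":"2025-05-06T02:11:15Z","user":"admin@corp.example","session":"s2","action":"policy.mitigation.set_detect_only","target":"group:Servers"}
{"ts":"2025-05-06T02:12:40Z","user":"admin@corp.example","session":"s2","action":"policy.exclusion.add","target":"C:\\Windows\\Temp\\*"}
{"ts":"2025-05-06T02:13:05Z","user":"admin@corp.example","session":"s2","action":"policy.notifications.disable","target":"group:Servers"}
{"ts":"2025-05-06T02:14:00Z","user":"admin@corp.example","session":"s2","action":"ui.dashboard.view"}
{"ts":"2025-05-06T09:30:00Z","user":"ops@corp.example","session":"s3","action":"auth.login","src_ip":"203.0.113.22","mfa":true}
{"ts":"2025-05-06T09:31:00Z","user":"ops@corp.example","session":"s3","action":"agent.uninstall","target":"host:build-07"}
"""


def parse_log(text):
    """Parse JSON-lines audit records, turning the timestamp into a datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def login_risks(login, known_sources):
    """Reasons a console login looks like it used stolen credentials."""
    reasons = []
    if login["src_ip"] not in known_sources.get(login["user"], set()):
        reasons.append(f"login from {login['src_ip']} is outside {login['user']}'s baseline")
    if not login.get("mfa", False):
        reasons.append("login without MFA")
    return reasons


def find_tampering(events, known_sources, burst=3, window=timedelta(minutes=15)):
    """Rate every protection-weakening action by the session it happened in."""
    logins, findings = {}, []
    for ev in events:
        if ev["action"] == "auth.login":
            logins[ev["session"]] = ev
        elif ev["action"] in TAMPER_ACTIONS:
            login = logins.get(ev["session"])
            reasons = login_risks(login, known_sources) if login else ["no login seen for session"]
            findings.append({
                "ts": ev["ts"], "user": ev["user"], "session": ev["session"],
                "action": ev["action"], "target": ev.get("target"),
                "what": TAMPER_ACTIONS[ev["action"]],
                "severity": "high" if reasons else "medium",
                "reasons": reasons,
            })
    # Several weakening changes in quick succession are suspicious on their own,
    # however ordinary the login looked.
    by_session = {}
    for f in findings:
        by_session.setdefault(f["session"], []).append(f)
    for group in by_session.values():
        if len(group) >= burst and group[-1]["ts"] - group[0]["ts"] <= window:
            for f in group:
                f["severity"] = "high"
                f["reasons"].append(f"{len(group)} weakening changes within {window}")
    return findings


def suspicious_sessions(findings):
    """Sessions with at least one high-severity finding, in order of first sighting."""
    sessions = []
    for f in findings:
        if f["severity"] == "high" and f["session"] not in sessions:
            sessions.append(f["session"])
    return sessions


if __name__ == "__main__":
    for f in find_tampering(parse_log(SAMPLE_LOG), KNOWN_SOURCES):
        print(f"{f['ts']:%H:%M:%S} {f['severity']:<6} {f['user']} [{f['session']}] "
              f"{f['what']} -> {f['target']}; {'; '.join(f['reasons']) or 'login looked normal'}")
```

Run as a script it prints one line per weakening change. In a real deployment the baseline of source addresses would come from the identity provider's sign-in history, and the set of weakening actions from the console vendor's audit event catalogue; the point of the exercise is that a new exclusion or a detect-only downgrade made minutes after an unfamiliar, MFA-less login deserves the same attention as an agent uninstall.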
5. Underground Economy and EDR Testing
SentinelOne's research uncovers an underground economy in which cybercriminals acquire EDR products to test and refine their malware against them.
- Front Companies for EDR Acquisition:
  [Steve Stone, 22:48]: "There's a particular ransomware group that's actually spun up a whole front company just to acquire EDR technology in demos and PoCs..."
- Malware Testing and Deployment: These groups obtain EDR products under false pretenses and build lab environments where they can test and tune their malware against real security controls, making sure it evades them before it is used against real targets.
Alex Stamos adds that SentinelOne actively hunts for such setups, identifies the fraudulent accounts behind them, and removes the malware being developed in them.
6. Chinese APT Threats and ShadowPad Research
Shifting focus to Chinese threat actors, the conversation explores the depth and persistence of Chinese APT groups.
- ShadowPad Campaign:
  [Steve Stone, 38:27]: "ShadowPad... we found 70 plus victims in just that blink of an eye."
- Pervasive Cyber Espionage: The Chinese activity cluster tracked as PurpleHaze, and the campaigns built on the ShadowPad backdoor, show a sustained effort to break into targeted organizations and exfiltrate their data. The operators keep trying to get past security controls, including compromising IT providers to reach their customers' environments.
Alex Stamos remarks on the sheer scale of Chinese offensive operations: thousands of operators are dedicated to getting into major technology companies, SentinelOne among them, so the defense never lets up.
7. Changing Threat Environment and Tech Stack Responses
The episode addresses the evolving threat landscape and the corresponding shifts needed in cybersecurity strategies and technologies.
- Limitations of Current EDR Solutions:
  [Alex Stamos, 43:26]: "...you have to detach the instrumentation from the detection."
- Decoupling Instrumentation from Detection: Traditional security products bind the sensor that collects telemetry to the detection logic that judges it, one product per domain. That coupling blinds them to attacks that move across endpoints, cloud environments, and email. Separating collection from detection lets the detection layer reason over telemetry from all of those sources at once.
- Advanced Machine Learning: AI and machine learning help aggregate and analyze the combined data across domains so that malicious activity is judged with more context and greater accuracy.
Patrick Gray points to gaps in current technology, such as browser-based attacks, which traditional EDR struggles to see. Alex Stamos agrees, noting that modern execution environments such as the browser create "blind spots" that need their own detection strategies.
8. Conclusion
The episode concludes with reflections on the continuous arms race between cybersecurity defenders and sophisticated state-sponsored attackers. Both Alex Stamos and Steve Stone express optimism about law enforcement collaborations and the potential for disrupting cybercriminal operations, albeit acknowledging the persistent and evolving nature of these threats.
Steve Stone summarizes:
[Steve Stone, 30:15]: "...If you don't know your customer well, you've just accepted a ton of risk. ... Cyber is people."
Alex Stamos reinforces the need for vigilance and adaptable defenses against adversaries who do not let up:
[Alex Stamos, 34:07]: "...we have to be hardened up against the human intelligence level, too."
Notable Quotes
- Steve Stone [02:48]: "We've spent probably five months actively working against the North Koreans applying. We've seen almost 370 distinct personas. They've sent in more than 1,000 applications..."
- Steve Stone [05:55]: "What the North Koreans have now, which they didn't have previously, is scale."
- Alex Stamos [07:23]: "We're a piece of that larger puzzle they want."
- Steve Stone [14:27]: "They effectively are acting like a prospect or a customer... they're trying to steal credentials and log in to consoles."
- Alex Stamos [43:26]: "You have to detach the instrumentation from the detection."
- Steve Stone [30:15]: "...if you don't know your customer well, you've just accepted a ton of risk. ... Cyber is people."
- Alex Stamos [34:07]: "...we have to be hardened up against the human intelligence level, too."
This episode provides an in-depth look at how state-sponsored adversaries, particularly from North Korea and China, are evolving their tactics to target security vendors like SentinelOne. The insights shared by Alex Stamos and Steve Stone underscore the complexity and persistence of these threats and the need for integrated, adaptable defenses.
