Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: The CVE Saga - Talkin’ Bout [infosec] News
Release Date: April 23, 2025
I. Introduction to the Episode
In this episode of Talkin' About [Infosec] News, the Black Hills Information Security (BHIS) team delves deep into the intricate world of Common Vulnerabilities and Exposures (CVEs). The discussion spans the importance of CVEs in the cybersecurity landscape, the challenges surrounding their funding and management, and the broader implications for the security community. Additionally, the hosts touch upon notable industry events, including the hacking of 4chan and insights from the Sophos annual threat report.
II. The CVE Program: Importance, Challenges, and Future
a. The Significance of CVEs
The conversation begins with the team underscoring the foundational role CVEs play in vulnerability management. John Strand emphasizes, “[...] having the CVEs is one, a trusted news source that we can go to and verify that we all believe in” (09:11). Corey adds, “If there is a CVE, there is a patch or there is a responsible disclosure associated with it. It's a necessary service” (09:37).
b. Funding Issues: The $55 Million Question
A significant portion of the discussion centers around the CVE program's funding. Corey reveals, “The actual program cost was $55 million. That’s how much the contract was for” (10:32). Wade elaborates on the complexities involved in managing CVEs, stating, “Every single time I mention a new thing, I am talking about a different group and a different flowchart of how that's actually done” (11:28). The high cost is attributed to the extensive process of triaging, validating, and coordinating with vendors to manage vulnerabilities effectively.
c. Challenges in the CVE Process
Wade highlights the bureaucratic hurdles inherent in the CVE system: “There are a lot of vulnerabilities that are coming in. [...] and you have to coordinate with the vendor” (11:28). Corey points out the sluggishness of the National Vulnerability Database (NVD), noting a lag time of up to two weeks for vulnerabilities to be added, which poses challenges in today’s fast-paced threat environment (12:50).
d. Potential Solutions: Decentralization and the CVE Foundation
The team discusses potential reforms to the CVE system. Wade proposes, “I will take over the CVE program and I will run it for 20 million” (18:55), suggesting a more streamlined and perhaps decentralized approach. The notion of the CVE Foundation is introduced, aiming to preserve and potentially restructure the CVE management outside of the current bureaucratic framework. Mike raises concerns about commercialization: “If you monetize CVEs, it could lead to a complete and total mess” (30:46).
e. Impact on the Security Community
Corey reflects on the importance of CVEs, stating, “CVEs aren't going to cover every vulnerability. [...] If there is a CVE, it makes it a heck of a lot easier to fix” (22:56). However, Wade expresses frustration with the CVE system’s rigidity and its role in fostering what he describes as “mediocre computer security” (21:31).
f. Insights and Conclusions
The hosts agree that while the CVE system is far from perfect, it remains a critical component of the cybersecurity infrastructure. The potential defunding or decentralization poses significant risks, but the community is actively seeking ways to enhance and sustain the program.
III. Chris Krebs: A Hero in the Infosec Community
a. Background on Chris Krebs
Wade passionately advocates for Chris Krebs, describing him as a hero within the infosec realm. He notes, “Chris Krebs is one of ours. He worked at CISA, worked at securing our infrastructure” (33:57).
b. Resignation and Government Scrutiny
The discussion touches upon Krebs’ resignation from SentinelOne to shield his coworkers from governmental pressure. Wade criticizes the government’s actions, stating, “We should never have a government go after an individual like this in the private sector” (33:57). The community is encouraged to support Krebs, highlighting the challenges faced by cybersecurity professionals in the political landscape.
c. Community Response
The team urges listeners to stand up for Krebs, emphasizing his contributions and the unjust treatment he has received. This segment underscores the solidarity within the infosec community when facing external pressures.
IV. 4chan's Recent Hack: Implications and Insights
a. Details of the Hack
Corey introduces the topic: “4chan has been hacked, which is like a pretty big deal and not really that big of a deal at the same time” (34:02). The breach reportedly occurred on April 14th, leading to the potential exposure of IP addresses and other sensitive information.
b. Implications for Privacy
Wade reflects on the consequences: “If the data that gets disclosed is IP addresses of posters, things that can de-anonymize posters, then it's going to be real bad” (34:02). The pseudonymous nature of 4chan makes such breaches particularly concerning.
c. Industry Reaction
While the hack is acknowledged, the hosts downplay its immediate impact on the broader cybersecurity landscape: “I don’t think anyone is like, oh, this is a key thing for me” (35:47). The discussion suggests that while notable, the breach doesn’t drastically alter threat dynamics but serves as a reminder of the vulnerabilities inherent in online platforms.
V. Palo Alto/Unit 42 Incident Response Blog Post
a. Summary of the Blog
Corey discusses a blog post from Palo Alto Networks' Unit 42 detailing an incident in which threat actors compromised a company through an RMM tool called Atera. The adversaries then installed the Cortex XDR agent to test their bypass techniques against it: “The attackers installed it to test their own payloads” (38:19).
b. Insights from Their Findings
The blog highlights the attackers' methods, including the use of a tool named Disabler.exe, which reused open-source code from EDRSandblast with only minor modifications. Wade remarks on the threat actors' lazy approach to evading signatures, saying, “They stripped out the command line options” (39:07).
c. Implications for the Industry
John critiques the sophistication of the threat model: “So you compromise a network, then you use it just to test EDR. Is it? Are you that desperate to test?” (40:01). The incident underscores the ongoing cat-and-mouse game between threat actors and cybersecurity defenses, highlighting the need for continuous improvement in EDR solutions.
VI. Sophos Annual Threat Report: Key Takeaways
a. Overview of the Report
The team reviews the Sophos annual threat report, noting its focus on small and medium-sized businesses (SMBs): “Cyber talking about ... expanding into the SMB space” (45:06). Wade suggests that Sophos is aligning its threat intelligence with the needs of Managed Detection and Response (MDR) providers and Managed Security Service Providers (MSSPs).
b. Key Findings
Corey appreciates the report’s clarity on where the data originates and its detailed categorization of threats: “I also like how they call out where they got their data” (45:51). Highlights include:
- Attack Tools: Extensive analysis of tools like PsExec, which accounts for a significant portion of attacks.
- Non-Ransomware Malware: Identification of tools like ChromeLoader and Brute Ratel.
- Common Attack Vectors: Emphasis on familiar techniques rather than novel threats.
John offers a critical perspective, stating, “As a blue teamer, I would look at this real quick and go completely to somewhere else you need” (47:15), suggesting that while informative, the report serves more as a marketing tool than a comprehensive guide for blue team operations.
c. Discussion on Trends and Implications
The hosts debate the prevalence of standard attack methods versus innovative threats. Corey jokes about the ubiquity of PsExec: “20 of all attacks use PsExec” (49:06), while John finds reassurance in the report’s indication that common defenses are effectively mitigating a large percentage of attacks.
Wade critiques the report’s practical applicability, pondering why certain vulnerabilities persist in customer environments despite being well-documented: “Why are we putting so much time and money coming up with new bypass techniques when all we really need to do is... [address existing vulnerabilities]” (50:16).
VII. Pen Testing and EDR Vendors: A Symbiotic Relationship
a. EDR Vendor Practices
Wade shares experiences with CrowdStrike, highlighting their proactive approach in monitoring and neutralizing bypass techniques: “Once a bypass worked, they would let that bypass continue to work and then they would shut it down for all of their customers” (42:08). This collaboration ensures that EDR solutions remain robust against emerging threats.
b. The Role of Penetration Testing
The discussion underscores the indispensable role of pen testing in identifying and addressing vulnerabilities. Corey muses, “I think of CVEs as... the currency of traditional vulnerabilities” (22:56), linking the identification of CVEs to actionable security measures.
c. Challenges and Opportunities
Wade points out the challenges in coordinating vulnerability disclosures with vendors, especially for smaller security firms: “It’s a huge time suck. It’s a tremendous loss of money for us to try to coordinate that with the vendor” (07:19). The team debates the balance between automated pen testing and expert analysis, with Wade firmly advocating for the latter to maintain high security standards.
VIII. Other Notable Discussions
a. The Resilience of 4chan and Breach Forums
The hosts compare 4chan to the Rolling Stones of the internet, noting its longevity despite recurring threats: “They've been one of the longest running websites out there” (36:47). Corey humorously downplays the breach’s significance, asserting it won’t disrupt threat intelligence pipelines: “I don't think anyone is like, oh, this is a key thing for me” (35:47).
b. Palo Alto's Incident Response and Threat Intelligence
Corey and Wade discuss how sophisticated threat actors still sometimes employ rudimentary techniques, underscoring the ongoing need for vigilant and adaptive security measures.
c. Humor and Light-Hearted Banter
Throughout the episode, the hosts intersperse technical discussions with humor and personal anecdotes, such as jokes about licensing issues with CVEs and playful banter about pen testing strategies. Notable humorous exchanges include Corey inventing a CVE for a DoS attack against the CVE system and the playful suggestion of discounts based on vulnerability exposures.
IX. Conclusion
The episode wraps up with the BHIS team reiterating the critical role of CVEs in maintaining cybersecurity standards, while also acknowledging the system’s significant challenges and the community’s need to innovate beyond traditional frameworks. They express solidarity with figures like Chris Krebs and caution listeners about the evolving threat landscape, emphasizing the importance of continuous learning and adaptation in the infosec field.
Notable Quotes with Timestamps:
- John Strand (00:01): “I got the warning for the earthquake before it hit, which was crazy. All of a sudden, my phone blows off as, like, incoming earthquake.”
- Corey (09:37): “Having the CVEs is one, a trusted news source that we can go to and verify that we all believe in.”
- Wade (11:28): “Every single time I mention a new thing, I am talking about a different group and a different flowchart of how that's actually done.”
- John Strand (47:59): “Quick Assist is like the peanut butter and jelly of hacking these days.”
- Corey (49:06): “20 of all attacks use PsExec. How does that make you feel?”
- Wade (18:55): “I will take over the CVE program and I will run it for 20 million.”
- John Strand (26:04): “We never give up any money.”
Note: Timestamps correspond to their appearance in the provided transcript.
![The CVE Saga - Talkin’ Bout [infosec] News 2025-04-21 - Talkin' Bout [Infosec] News cover](https://assets.blubrry.com/coverart/orig/577207-646458.jpg)