A
You're listening to the Cyberwire Network powered by N2K.
B
Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.
A
One of the most important things is changing this mindset: while visibility is the foundation, it's not enough on its own. The organization must have a strategy based on context, understanding what the critical processes they are working with are in terms of IT. Also, maybe not only focusing on criticality, but also on what path those devices could have between different devices.
B
Today I'm speaking with Asher Davila, principal security researcher at Palo Alto Networks. Asher leads vulnerability and malware research on IoT, ICS, OT and 5G technologies, with work spanning binary exploitation, firmware analysis and AI-driven detection. Today we're going to talk about the newly released 2025 Device Security Enterprise Threat Report by Palo Alto Networks and what it reveals about the state of managed and unmanaged device security, the risk of flat networks, and how defenders can take back control of their expanding attack surface. Asher, welcome to Threat Vector. I'm really excited to have you here, and when I look through the report, I think that this is going to be one of those conversations that is massively eye-opening based on the research that you and your team have led.
A
Hi David, thank you for having me. Your podcast is really amazing. I'm really excited to be here, and yeah, certainly it's been very revealing even for me to learn many of these stats.
B
So before we get into the report, I want to talk to you about what drew you into this specialization in IoT and OT research.
A
Yeah, that's interesting. I think it was not something I planned directly. I started doing some offensive security, like regular web pen testing, offensive security and red teaming operations. Then I transitioned into a team at a different company. They were trying to build an in-house incident response team. So they called me and said, we're looking for someone that has some offensive background; can you help us out to look into what are some of the things that we need to implement, and those things. And that was back in 2017 in Mexico. So yeah, I moved to that, I transitioned into that company and we started building this incident response team. But then afterwards I was not feeling like... I understand that people who do incident response are super important, but I was just feeling that that was not for me, and I was looking for some other type of challenges that I felt more attracted to, like malware analysis or vulnerability research. So I saw that the foundation of that was reverse engineering. So I started looking into that, and eventually I saw an opportunity on LinkedIn. It was just a challenge in which you would basically need to reverse engineer the firmware of a camera and a Mirai malware variant, which by that time for me was something I was not very familiar with. And the challenge was just to reverse engineer it, try to answer some questions for a report, like what is it doing, what kind of firmware is this, and so on. And at the end you would submit that report, and it turns out that that challenge was meant to be for an interview. So it was like a challenge, so you were interviewing, and that company was a startup called Zingbox that was later acquired by Palo Alto Networks. And that company was one of the first focusing on IoT security. And that's how I got into IoT security.
B
So I gotta ask, when you're doing an interview, but you don't know you're doing an interview, are you dressed for an interview or are you like more casual, more comfortable getting into that, that reversing that you're working on?
A
No, I was in my PJs, because I was not sure what I was doing, right.
B
I love it. You know, I know that you've published and presented around the world, from, you know, DEF CON and beyond. Could you talk to me about some of the presentations that you think have sparked some of the most discussion or reaction amongst your peers?
A
Sure. I think it was at this year's RSA Conference. I delivered a talk on the life cycle of end-of-life devices, especially IoT devices, some of which are not properly decommissioned, and also on some of the protocols that are outdated or deprecated and shouldn't be used anymore. So at the end, some CISOs asked questions like, okay, you talk a lot about end-of-life devices. What are the risks of having those in your organization? But I cannot remove them. What should I do? Right. I cannot do anything. You are proposing implementing those measures or just purchasing new devices. Operationally, I cannot do that. What should I do then? Then the answer, maybe, was a little controversial, but for me it's like, you need to accept the risk sometimes. But the most important thing is that you know that you have that risk in your network. Because the problem is when you don't know that you have that risk in your network; that becomes a blind spot. But as long as you know that it's there, you understand that there is some risk around that kind of device, and you know that those devices should be constantly monitored for attacks or compromises, or whether they have been infected with malware. You understand that you have those problems and those challenges in your organization. As long as you know that, you sometimes don't have any other option than just accepting the risk.
B
Yeah. So, Asher, if I play that back, you're basically saying, look, you can't take it out, you can't fix it. So you're kind of stuck between this rock and a vulnerable place. I just made that up. And if that's true, then put extra visibility on it, maybe understand some sort of resilience or fallback plan if something happens, when something happens, and make sure that the organization generally knows that that risk exists. But operationally, you need to just keep moving with what you've got. And I think I've heard that before in manufacturing and certainly within healthcare, where there are sometimes where you have something that you must keep running and you cannot take it down, but you cannot make it secure. So, you know, layer security around it. Is that, is that generally. Did I get the idea today?
A
Right. Exactly as you said, implementing complementary or some ways to complement your security, like firewalls, like monitoring systems, a good policy, a good deployment of security or network capabilities, that's also really important to monitor those kind of devices.
B
Well, let's dig into that visibility. You called it known risk versus unknown risk. And I'm curious, why do organizations still struggle so much to accurately inventory their managed and unmanaged devices? Here we are in 2025, and this is a conversation that keeps seeming to come up.
A
I think that's a great question. And as you can see in the report, we found roughly 80 different types of devices on an average network. So just think about it, and if you just look at your surroundings, how many devices are currently connected to your network? Just your phone, your laptop, your tablet, your smartwatch, whatever. So you have so many devices connected to your network, and that's just your devices. So now multiply that by hundreds or thousands of employees in an organization, and that starts creating a very complex ecosystem. So you have different types of devices with different challenges, with different operating systems, different versions. Combine that with bring your own device: everyone brings their own devices, personal devices, into the enterprise organization, like your personal laptops, mobile phones, wearables, et cetera. So that's why oftentimes administrators don't consider the complexity of the ecosystem. And also, another important thing that we have observed is that some administrators do not have the best visibility strategy. So for example, they're using old switches that do not support good SPAN ports to monitor all the traffic that is flowing through their network. And also they don't place firewalls or sensors in the best place to obtain the best quality of data.
B
So help our listeners understand: what are some of the devices that continuously fall through the cracks on this visibility side?
A
Yeah, some of them are smartphones and tablets, especially if they are personal smartphones and they are connected to the corporate network without any kind of segmentation. These devices often lack corporate security. They don't have any EDR, they don't have any protection. Also, in the IoT space you're going to see a lot of IP cameras. IP cameras are everywhere. IP cameras and DVRs are in pretty much every business. But at the same time they are exposed to the Internet without any kind of hardening or protection, especially because people want to access them remotely. They want to be monitoring their business remotely, but they don't apply the correct hardening or policies to access them correctly. Also, another important thing, for me, is one of the issues that I've been observing and now this report confirms: virtual machines. So it depends on what you are doing with virtual machines, but imagine you have a laptop and you are running a virtual machine on your laptop, because you are an engineer that needs to run a different operating system, or for whatever reason you need to run a virtual machine. So what happens when, on your laptop, your company applies different security policies, like not allowing you to install a specific extension in a browser, or using a very specific VPN service, and your host device is very protected, but the VM that you're running on the host device does not apply the same policy? That can pose issues in your network.
B
Yeah, so you're basically saying that there are areas where we didn't upgrade switches, there's a cost, and you don't understand that that compounds risk. And then you run into the convenience side. Right. Like, I just want to be able to look at my cameras remotely, and I don't necessarily go through the process of hardening or getting those deployed in a way that's secure. And over time you start to forget about those things. It multiplies. People are bringing a lot of different devices in, around the bring-your-own-device type of mindset. And I can imagine that for an administrator this becomes just this expanding problem that doesn't necessarily have a very visible footprint. Right. It's not something that you can just walk in and see. So I'm curious. We know that it's a big problem, and then the report shows that nearly 40%, I think the stat was like 39%, of IT devices in Active Directory lack that EDR or XDR protection. Why is that so widespread when environments are assumed to be secure?
A
Yeah, that's a great question. The top reasons I'm going to give you are the most common ones. One of them is OS compatibility. Many organizations run older workstations or specialized hardware that are not supported by modern EDRs or XDRs. So that makes them a blind spot. There's no way for you to install endpoint security on many of them. Another reason is budget. You are limited by licenses; you need to purchase a certain number of licenses. And that's also kind of a paradigm, that many administrators tend to allocate a certain budget for protecting just the highest-value assets, which is correct up to a point. But sometimes they are missing some important devices that also require endpoint security. And one of the reasons is budget. They don't want to purchase licenses for every single device. And also, this happens a lot, especially in tech companies: you purchase a server to do some testing and run some experiments, or just to deploy something, and you put it into your organization, and then that server is never used again. But the server is still connected, and it is not being monitored. It doesn't have any EDR protection. So all those kinds of devices make up the count for that 39%. Yeah, I think those are the top reasons why we have this blind spot on EDRs.
B
So let's shift gears a little bit and talk about networks. I was drawn to that in the report. So when you've got these unmanaged devices that are connecting to really flat networks as managed endpoints, can you talk about the new attack paths that opens up?
A
Sure. I think, similar to what I was mentioning before, in an ideal world you want to have what is sometimes called micro-segmentation: different kinds of devices on just one segment of the network. But that's also not the case. Sometimes you want to share devices in the same segment of the network. For example, a printer. Sometimes you have a medium-sized organization and you want to share the same printer across all the employees. So you put it in the same segment of the network. Sometimes that's desired. But if you don't do it following the best practices, to make sure that you have good control over who is accessing those devices, that creates a larger playground for attackers. Because if one of those devices poses a risk to your organization, and some attacker gets into it, then they can start doing lateral movement across different devices that are in the same segment. So maybe they compromise a device that is a low-value asset. But then from there, since it is in the same segment as a high-value asset, they can try to do lateral movement, credential reuse, et cetera, and all the typical lateral movement attacks.
B
I could see how that could get complex, where you're looking for efficiencies or ease of deployment, but you could make some really critical mistakes where you have, like, a high-access device that's allowing too many people into that segment of the network. Do you have some thoughts? Is segmentation the most effective strategy in most cases, or is there something else?
A
I'm going to say something that could sound controversial, but this is my personal opinion, and I think that segmentation doesn't mean that you have a secure network. Definitely it's important, and it's a baseline, it's a foundation. But having a segmented network does not necessarily mean you have a secure network. But definitely it helps, and it helps a lot, to have better control of the traffic flow between segments and between all the devices. You can use more granular policies, like who can access what, especially if there is very specialized hardware or specialized devices that not everyone in the organization should have access to. And also, having segmentation allows you to have improved monitoring, so you can know if an attack happens. You can pay attention to where exactly in the network it is happening, why it is happening, what it is affecting, and what the surroundings are that are also affected by this incident. So definitely it helps, it boosts your security posture. But having a segmented network is not everything; it is not enough to say, okay, this is a secure network.
B
So I've always wanted to have a segment on Threat Vector called Underrated/Overrated. And I think that having a segmented network is overrated will be your position. We'll have to find somebody to come on and debate with you. But I think your point is right. Like, if you think that the silver bullet is just segmenting your network, and you don't do it very well, all you've done is segment the network improperly. But not doing it is not the recommendation. I think what you're saying is, do it and do it very well. Yeah, that's great advice. Let's talk about credential abuse, like SSH brute force. Does that still dominate ATT&CK telemetry?
A
It does, it does. Actually, it is one of the top attacks that we have observed. It's not only against IoT, but also IT servers. And actually, recently during our DEF CON talk, we presented an analysis of a malware family likely targeting Pumatronix cameras, a Brazilian manufacturer of traffic cameras and video surveillance cameras. And this piece of malware, which was programmed in the Go language, was attacking using SSH brute force. So, yeah, definitely it is still happening. It is one of the top types of attacks that we have observed during the past year.
B
So how does that intersect with managed or poorly monitored devices if they're not managed?
A
Of course, in terms of endpoint security, cameras are almost impossible to manage. However, you need to establish a good security policy, for example least privilege, so you can have your cameras, but are those cameras directly connected to other servers or other ecosystems within your organization? That could enable lateral movement. You need to disable unused services. Sometimes you don't need to use all the services available in your DVRs or in your recording servers. Also, apply hardening and good password hygiene, because if you don't take care of how the passwords are used for those devices, if you keep using the default admin password, well, that's going to be a problem. Right. So in those kinds of scenarios, in which you have a device on which it is impossible to install traditional endpoint security, you need to take that into consideration and apply other security alternatives, like putting firewalls in between, using VPNs to access them, et cetera.
B
Asher, we talk a lot about zero trust, but it assumes that device trust can be validated. How do gaps in management and monitoring undermine those principles?
A
Well, the principle of zero trust is that device trust can be validated and should be validated. And that's absolutely fundamental for zero trust. And I think it's not the only thing. I don't like to oversimplify it, because I think when you ask people, what is zero trust? Oh, yeah, don't trust anyone. Well, yeah, that's the principle, but it relies more on having rich data, like intelligence on your devices, having context. Definitely, if you can't see a device on your network, you cannot protect it. And I think that's just something that many organizations or many people have tried to come up with, this kind of mindset that you cannot protect what you can't observe. Definitely that's true, but that's not the only thing. Right. You need to understand the context: who has access to it, and what does that mean for the organization? What does that device have to do with the processes within your business? So this means that having a huge portion of your environment with no visibility, or not knowing that they are not being patched, is what causes problems in that sense.
B
Let's shift gears and talk about lifecycle management for a minute. Why are so many outdated and unsupported systems still alive inside of enterprise networks?
A
Yeah, that's a very interesting question. And I think it is a dangerous habit in many organizations that they think, if it works, don't fix it. That's sometimes a dangerous mindset. And that's the reason so many outdated systems are still running, because they say, okay, there's nothing to change. It is working well, it has been working for years. Why would I change something about it? And also there are other problems. Sometimes they want to change it, but sometimes, as I said, operational necessity does not allow that, or budgetary constraints, or simply they are not considering it. They never think about it, especially companies that are not tech-focused. They are not always thinking about it: oh, I invested however many millions of dollars in this. They don't want to constantly be purchasing new systems. Right. So that's one of the things. And many of those unsupported systems are running critical legacy applications. Sometimes the software that is running is so old that it doesn't even run on new devices, on new computers or more modern operating systems. So migrating those kinds of applications to modern servers or modern systems, they see as a risky and expensive project, and they don't want to disrupt business operations, so they just decide to leave it as it is.
B
Asher, what's the role of IT asset lifecycle governance in reducing long term exposure?
A
Yeah, asset lifecycle governance plays a critical role in transforming security from a reactive into a more proactive perspective. And that's what I talked about during my last RSA presentation. That's one of the most important things when you're talking about IoT: since you are purchasing the device, even before purchasing a device or a server or any kind of device that is going to be placed in your corporate network, you need to think about its life cycle, like how you're going to buy it, for how long it's going to be there in your organization, and then, when it is end of life, how you are going to decommission it and how you are going to make sure that it is removed from your network properly, and that any critical or sensitive data that was stored there is properly wiped. And some organizations don't think about it. They don't even know that they have end-of-life devices running in their organizations. And also, maybe you remember, there are so many devices, but one example that is very famous is this kind of music streaming device that you can connect in your car in case your car doesn't have any smart infotainment, so you can connect to it and stream music from it. But then, I don't know, I think it was after a year or after a couple of years, they just decided, okay, we're not going to support it anymore. And then there's nothing you can do about it. You just need to trash that device and that's it; there's no update. And some of them stop working, like that one, the example that I just gave. But some others are still working. And as I said, if it works, don't fix it. It is still there. It's my router, it's been there for years, it doesn't have any issues. But they don't know they're not receiving security patches anymore. They don't know there are a lot of exploits available on the Internet that anyone can download. And even with very few, very basic knowledge and technology, they can run those exploits and compromise those devices. Additionally, there are no policies that enforce that; like in the US, there's no policy that if you start selling a device you need to provide patches for at least four years, right? So there's nothing like that. Those are the main points that are critical. But at the same time I want to reaffirm what is important: to have a well-defined strategy even before acquiring any kind of device that is going to be connected directly to your organization's network.
B
Asher, what does a context-aware risk score reveal about traditional severity ratings?
A
Let me first talk a little bit about traditional risk scoring. I'm not saying this is the rule or this is what everyone is doing, but oftentimes you see that administrators or vulnerability managers try to focus on the most critical vulnerabilities in their organizations, to fix them first. And that makes sense, because you have limited resources to put in, you have limited time, you cannot fix all the vulnerabilities at once. And that makes a lot of sense. But you also need to understand that the most critical vulnerability is not always the one that is going to pose the most risk to your organization. Sometimes a medium, or not so critical, maybe medium or high vulnerability in a device that is critical within the context of your process is going to be even more important than fixing the most critical vulnerability, or the one that rates the highest, in your organization. And attackers sometimes are not going to be targeting the highest-value assets at the beginning. They want to target low-value assets because it's easier to get in, because they know administrators do not invest a lot of resources into those devices. They're going to target, maybe, I don't know, even sales engineers; they need to be opening emails all the time. They are prone to phishing attacks, as everyone is, but since the nature of their job is to be opening emails or talking to random people, trying to create more streams of revenue, that's what happens. And they're going to attack those roles that are more prone to attacks, and they're going to target devices that are also weak links in your organization. So that's the point: having the context of where they are placed, the kind of connections they have, and what level of access those users have to high-value assets, that's what's going to change your mindset and your strategy. And I think that's one of the most important things about this report. You need to think not only about what kind of devices you have, like visibility. Yeah, definitely that's foundational, and I think, at this point, everyone knows about it, that you need to have visibility of your assets. But what is, in my opinion, more important than just visibility itself is the context.
B
How do you advise CISOs to go through and prioritize amongst all those thousands of managed and unmanaged assets when they have this type of problem in front of them?
A
It's a very difficult and complex task. It's not something like they're just going to go there and purchase a certain tool and it's going to fix everything magically. So of course it is context-aware risk, or adopting that kind of mindset, context-aware risk, in which you assign a score depending not only on the criticality of the vulnerability, but also on how important this is within your processes, the most important processes. So of course for that you need to gather data or learn from your devices, and for that, of course, you need tooling. But in terms of the strategy, you need to understand that criticality does not always mean the most important thing to be fixed.
B
You've analyzed how attackers chain together exposures, credentials, misconfigurations and unmanaged endpoints to move through networks. What's the best way to break up that chain?
A
In my opinion, it is moving from a reactive to a more proactive approach. And for that the strategy needs to focus on understanding the attack flow all at once: correctly defining your crown jewels, understanding what your most valued assets are, and also understanding which devices are directly exposed to the Internet. And try to find whether there's a way to connect entry points, from any devices directly exposed to the Internet, that can pivot into other users within the organization who eventually can get to these high-value assets. So one of the goals is to remove, or to understand, these building blocks that they rely on to create the full chain. And if I would need to make a recommendation, some key actions that I would take are: well, first you need to eliminate this kind of freedom of the attacker to move laterally, so we can talk about micro-segmentation, we can talk about zero trust architecture, good password policy. And in the report you can see many organizations do not care about segmenting the network or isolating critical assets from being accessed by everyone within the organization. The second thing is that you need to eliminate blind spots. So you need to implement and correctly place your firewalls, your sensors where you are collecting network data, have modern switches, modern network equipment, so you can collect as much data as possible, and also be able to install EDR or XDR endpoint security not only on your critical assets, but also on assets that are directly or indirectly connected to your high-asset-value, sorry, your high-value assets. And finally, well, you have to eliminate any kind of direct exposure. There are going to be very few cases in which you want to have devices directly exposed to the Internet. So you need to consider which ones you really need to be directly exposed to the Internet.
B
So if I'm following along right, it sounds like rocking the security fundamentals, making sure that you've got great visibility, and then shrinking your attack surface.
A
Yep, that is correct.
B
Well, I'm sure that our listeners are interested in the report. We'll go ahead and have that document linked in our show notes. So whatever you're listening on, there should be a description and the URL there for you. And Asher, awesome conversation today. I think this is one of those underreported areas in security, the managed, the unmanaged, the OT, the IoT devices, but one of those things that is literally surrounding us, with billions and billions of these devices, so super important. I appreciate you getting into the data and the report today on Threat Vector and spending a little bit of time educating me on what you found and what we need to do to be a little safer in the world.
A
Thank you, David, for having me here. It's been an honor.
B
Asher, before I let you go, where can folks find you out on the Internet if they want to continue the conversation with you directly?
A
Sure, you can find me on LinkedIn as asherdavila, or if you don't want to reach out to me there, you can search for me on X as asher_davila, D-A-V-I-L-A. If you drop me a DM I will try to reply as soon as possible, and feel free to reach out to me with any question or any comment, or whatever you want to talk to me about.
B
If you like what you've heard today, please subscribe wherever you listen and leave us your review on Apple Podcasts or Spotify. Your reviews and that feedback really do help me understand what you want to hear about. And if you want to reach out to me about the show, email me directly at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, and our content and production teams, which include Kenny Miller, Joe Benecourt and Virginia Tran. Original music and mix by Elliot Peltzman. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.
Episode: Don't Leave Them to Their Own Devices
Date: October 30, 2025
Host: David Moulton (Senior Director of Thought Leadership, Unit 42, Palo Alto Networks)
Guest: Asher Davila (Principal Security Researcher, Palo Alto Networks)
This episode explores the findings of the 2025 Device Security Enterprise Threat Report by Palo Alto Networks, with a particular focus on the security of managed and unmanaged devices, network segmentation, the persistent risks of flat networks, and how organizations can regain control of their expanding attack surfaces. Host David Moulton and guest Asher Davila discuss the realities and persistent challenges facing security teams in the age of IoT, OT, and heterogeneous device environments, highlighting practical advice for visibility, risk management, and proactive defense.
[30:11] Move from reactive to proactive security:
Quote: “First, you need to eliminate this kind of freedom of the attacker to move laterally...” —Asher Davila (31:03)
On accepting risk for outdated devices:
On network segmentation:
On context-aware risk:
On proactive defense:
| Timestamp | Segment |
|-----------|---------|
| 02:32 | Asher’s entry into IoT/OT and malware research |
| 05:11 | End-of-life devices & risk acceptance strategies |
| 07:42 | Visibility/inventory challenges and blind spots |
| 09:36 | Devices most likely to fall through the cracks |
| 12:21 | Reasons for low EDR/XDR coverage |
| 14:23 | Flat networks and lateral movement risks |
| 16:32 | Realistic view on segmentation as a security strategy |
| 18:21 | Prevalence of SSH brute force and credential abuse |
| 20:27 | Zero trust limitations when visibility is incomplete |
| 21:58 | Why outdated/unsupported systems persist |
| 23:32 | Evolving toward proactive IT asset lifecycle governance |
| 26:19 | Context-aware risk scoring vs. traditional severity ratings |
| 28:53 | Prioritization strategies for CISOs faced with sprawling asset inventories |
| 30:11 | Breaking attacker chains; practical recommendations |
| 32:32 | “Rocking the fundamentals”—encapsulation of the episode’s actionable advice |
This episode delivers a candid, practical look at the state of device and network security in 2025:
For security professionals, the discussion offers validation, guidance, and motivation to push for smarter, more nuanced strategies in defending increasingly complex environments.
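The context-aware scoring and attack-path reasoning discussed in the episode (the 26:19 and 30:11 segments) can be made concrete with a small worked example. The code below is an added illustration written for these show notes; it is not code from the podcast, the report, or Palo Alto Networks. The inventory, segment links, criticality values and CVSS scores are constructed, and the scoring formula (CVSS scaled by the criticality of whatever the device can reach, by Internet exposure, and by endpoint-coverage) is an assumed weighting chosen to show the idea, not a published method.

```python
"""Context-aware vulnerability prioritization over a toy device inventory.

Added example, not from the podcast or the report. All devices, segments,
scores and weights below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    segment: str             # network segment (VLAN) the device sits in
    criticality: int         # 1 (low) .. 5 (crown jewel), from the business process it supports
    internet_exposed: bool   # directly reachable from the Internet
    managed: bool            # covered by EDR/XDR or equivalent endpoint monitoring
    cvss: float = 0.0        # highest CVSS base score among its known vulnerabilities


class Inventory:
    """Devices plus the allowed segment-to-segment traffic (a flat network = everything linked)."""

    def __init__(self, devices: list[Device], links: set[frozenset[str]]):
        self.devices = {d.name: d for d in devices}
        self.links = links  # undirected links, e.g. frozenset({"office", "servers"})

    def reachable_segments(self, start: str) -> set[str]:
        # Breadth-first walk over segment links; a device always reaches its own segment.
        seen, todo = {start}, deque([start])
        while todo:
            seg = todo.popleft()
            for link in self.links:
                if seg in link:
                    for other in link:
                        if other not in seen:
                            seen.add(other)
                            todo.append(other)
        return seen

    def reachable_devices(self, name: str) -> set[str]:
        segs = self.reachable_segments(self.devices[name].segment)
        return {d.name for d in self.devices.values() if d.segment in segs}


def score_device(inv: Inventory, name: str) -> float:
    """Assumed formula: cvss * blast * exposure * coverage, rounded to 2 dp.

    blast    - criticality of the most valuable device reachable from here (lateral movement)
    exposure - 1.0 if Internet-facing, else 0.6
    coverage - 1.0 if nothing would detect a compromise (no EDR/XDR), else 0.7
    """
    dev = inv.devices[name]
    if dev.cvss == 0.0:
        return 0.0
    blast = max(inv.devices[n].criticality for n in inv.reachable_devices(name)) / 5
    exposure = 1.0 if dev.internet_exposed else 0.6
    coverage = 1.0 if not dev.managed else 0.7
    return round(dev.cvss * blast * exposure * coverage, 2)


def prioritize(inv: Inventory) -> list[tuple[str, float]]:
    """Rank devices by context-aware score, highest first."""
    scored = [(n, score_device(inv, n)) for n in inv.devices]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def build_example_inventory(flat: bool = True) -> Inventory:
    """Constructed inventory: a crown-jewel server, an exposed camera and an isolated lab box."""
    devices = [
        Device("dc01", "servers", 5, False, True, 0.0),         # crown jewel, patched, monitored
        Device("camera-lobby", "office", 1, True, False, 6.5),  # medium CVE, no EDR, Internet-facing
        Device("lab-box", "lab", 1, False, False, 9.8),         # critical CVE, but isolated segment
    ]
    # Flat: office and server segments can talk freely. Segmented: no link at all.
    links = {frozenset({"office", "servers"})} if flat else set()
    return Inventory(devices, links)


if __name__ == "__main__":
    for label, inv in (("flat", build_example_inventory(True)),
                       ("segmented", build_example_inventory(False))):
        print(f"{label} network:")
        for name, score in prioritize(inv):
            print(f"  {name:13} score {score:5.2f}  (CVSS {inv.devices[name].cvss})")
```

On the flat network the lobby camera's medium-severity CVSS 6.5 scores 6.5 because it is Internet-facing, unmonitored, and sits one hop from the domain controller, while the lab box's critical 9.8 scores only 1.18 because nothing valuable is reachable from it. Cutting the office-to-servers link drops the camera to 1.3: segmentation removes the lateral path but, as the guest notes, does not by itself make the device secure, since the exposure and lack of monitoring remain.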