
VIDEO

Beyond Trends: Practical Cybersecurity Insights for 2022 (feat. Atomic Red Team)

Series: On-Demand Webinars & Highlights

Category: Purple Teaming, Red Teaming, Thought Leadership


Transcript

There you go. Yeah, we got people floating in. Yeah, people have appeared because we met last week some time, and then it’s like nothing much has happened in the world of security in the last week or so. Yeah. What are we going to talk about? All ransomware now? That’s a thing.

As I was getting ready today, I’m like, are we in a mode now? You know how, like, in the olden days, you kind of marked your calendars for the first week of August: zero days were going to drop right around DEF CON. Right. That was, like, what you measured against. It seems like now it’s between Christmas and New Year’s, that Christmas and Thanksgiving window is kind of the big drop. We’ll maybe have to start marking our calendars for that. I feel like I can’t tell peacetime from wartime anymore. It just seems constant; it’s like, all right, this is the new cadence.

And by cadence, I mean every day we get something new and fun.

Working with IR firms over the last few years has been really eye opening, and definitely as an outsider to, like, when terrible things happen and having to deal with them for a long time, it definitely always seemed like it was concentrated more around the holidays and stuff like that. And it probably still does. Even simple phenomena: Friday is the day, apparently, that everyone decides we can’t do this ourselves, call an IR firm. Almost every Friday sometimes kind of feels like Groundhog Day a little bit, where it’s just like, all right, that’s when the shoe is going to drop, and then this stuff piles on. Right? Yeah. Like pen testing firms, you better have staff up for Q4, because everybody’s like, oh, that thing was supposed to do what? What was that thing? Yeah.

Well, what we’ve noticed in the past is that we get a larger amount of support calls Friday afternoons at, like, 3:00, because that’s when pentesters are getting all their reports written.

Well, hey, everybody. Welcome to our webinar. We are excited that you’ve joined us. We’ll go ahead and get it kicked off. We tend to kind of let people trickle in for a few minutes, but we’re excited to kind of share about beyond trends today and talk about practical insights of things that we learned in 2021 and observed and kind of how that parlays into 2022. And we were just joking earlier about how nothing much has happened in the last week in the security space, so we might not have much to talk about, but really excited that everybody has taken some time out of their day to join us. I’ll go ahead and kind of kick it off, and I’ll let these other fine gentlemen introduce themselves.

But I’m Dan DeCloss, the founder and CEO of PlexTrac. If you’re a current customer or in our sphere, you’ve probably seen me talk before. But if not, we’re glad you’re here and excited to have Keith and Adam join us. So, Keith, Adam, take it away and introduce yourselves. Sure, yeah, we’ll just go left to right. It’s Keith, like, one of the founders at Red Canary, and, yeah, longtime friend to varying degrees of these two gentlemen.

I’m looking forward to adulting a little while together. It’s going to be a lot of fun.

Well, hello, everyone. I’m Adam Mashinchi. I’m the director of open source programs over at Red Canary. And so I’m deeply involved in things like Atomic Red Team and the like. And I was all for this webinar until I heard we have to be adulting for the next hour, and I just about bailed out of this thing. Yeah, well, it’s been a fun and interesting year to say the least. So that’s just really what we like to do, these kind of end of year webinars, and we kind of like to put a different flavor on them, right? We like to put a different flavor, like, hey, let’s just not talk about, hey, we’re going to see more ransomware in 2022, and we’re going to see more APTs in 2022, and here’s what we saw last year.

But I think we all have a good perspective on what we’re seeing in the world in terms of, like, yeah, there’s always going to be ransomware, there’s always going to be APTs and whatever else in the security space, and there’s going to be emerging technologies that are going to continue to get hacked. There’s going to continue to be large, globally impacting zero days that get dropped, that people lose a lot of sleep over a weekend to try and assess the damage. And I think we would have kind of addressed that today, too, in terms of what both of our companies can see in that perspective as well. But what we like to do is kind of say, here’s the trends that we saw both from the offensive and defensive security space and where we see people going and how to mitigate risk and approach their security program from a proactive perspective. That’s really what we’ve got lined out for everybody today and really excited about the conversation. So we’ll just dive right into it, I guess. Yeah, I kind of already highlighted the agenda.

Sorry I didn’t move the slide around. But these are always open for Q&A along the way, and if it makes sense to address the question in line, we’ll go ahead and do that. Otherwise, we’ll hold those to the end. But feel free to use the Q&A portion of the Zoom webinar, and we’ll make sure we try and get those addressed throughout the course of the hour. But again, really excited to have everybody here and let’s dive in. So first off, I’d love to kind of see what your guys’ perspective has been of, like, what we saw in 2021 and what were some of the key themes, even in the last week.

Oh, boy.

All right, I’ll take a pass at it. I’ll throw myself on the grenade.

There’s a whole bunch we saw in 2021, I would say, if we’re kind of thinking, like, a little less threat specific and maybe a little bit more at a slightly higher level, like, things that, yeah, this is great. We’re off to a strong start in chat, everybody. Way to go. So what we did see, and maybe if there’s a slightly different twist on what we saw, we saw a bunch of things that we expected, right? Obviously, we saw ransomware. We definitely saw the marketplace for that become more mature. We saw the tooling and kind of the ecosystem that those adversaries use. It evolved in a lot of the ways that we expected, and a couple that we didn’t.

The really obvious thing that we saw last year, I think, was that we always like to say things like, it’s always phishing, and I think statistically it’s probably still always phishing. But some of the new vectors in particular, like having to become much more concerned with remote access systems, either ones that were left open haphazardly or ones that had really specific vulnerabilities, and just, like, adversaries’ ability to identify those and to really mechanize their approach to finding them and exploiting them was interesting.

Maybe the last thing I’ll say from Red Canary’s perspective is that a really interesting thing that we observed was that detecting most of that stuff, even though some of those vectors were new and were really unique, and some of them were very closely pinned to emerging exploits and things like that that we otherwise couldn’t have predicted. I will say that detecting those things, like a lot of detection primitives and fundamentals, were still really effective.

It doesn’t mean they’re easy. But being able to successfully detect those things, even when you actually don’t really know what you’re looking at some of the time. You just know it’s not right. That was an interesting trend, right? Just thinking through retrospectively the types of detection and the approaches to detection that were really effective even in the face of some of these things that were very new and very unexpected.

And it’s interesting, especially when you’re looking at the scope of ye olde detections, like things that we were looking for two, three years ago, and all of a sudden they’ll light up out of nowhere and it’s like, wait, why is this ye olde malware come online again? Why does Conficker still show up today? Because somebody plugged in a USB drive they’d forgotten about. But more importantly, when we see new pieces of ransomware or whatever using the old tactics from years ago, and those detectors still fire happily, that’s something that is like, oh, that’s neat. We’re not all just wasting our time. And it’s not all just like looking at the bleeding edge of compromise, right? And I think that’s really something that’s compelling to see looking back on 2021, like, oh, the old stuff we were thinking about still works because people still try to use that. And that’s neat from an industry perspective. Like, your old detectors are still valuable. Don’t just purge them because they’re old.

Yeah, exactly. You never know when you need it. Right, and then if you do purge, you get burned by not having it. Right, of course. No, I mean, I think it’s interesting. I would agree. I think what we’ve observed from our perspective is a lot more of the, hey, we’ve got a lot of data, right, and we’ve got a lot of things that we know we’re able to detect, but we don’t have a really good way of continuously monitoring how our defenses are working or how our controls are effectively being able to detect some of these known techniques.

And I think what we saw was definitely a larger emphasis on what I would say is getting back to the basics and getting back to the fundamentals of, like, hey, we need to be doing continuous testing, we need to be identifying the key gaps, right. We’ve got a lot of tech, we’ve got a lot of data. What are we actually focused on, from how is this configured correctly and how is it working? Because of things like the ransomware that hits the pipelines and affects the economy for a few days. Right. I think people can picture, like, hey, the Southeast definitely got hit, like with the gas prices and things like this. So I think that’s what’s interesting is that we’re seeing a much more, maybe not a more global impact, but definitely more global awareness. Right.

For those of us that have been in the space for the longest or a long time, this is not news to us, but I think for a lot of people in the world, it’s becoming a lot more visible. Right. And actually, I think the way you say that, you brought up one of my favorite things that happened in this last year, and it’s supply chain issues, and to double down on it, it’s this conflation of terms. So if we all work in the infosec industry, we say, like, oh yeah, the supply chain issues, and we’re like, wait a second, are we talking about software supply chain? And like, bad outage seems bad. We’re talking about actual boats still on the ocean that can’t come to the port, actually. Congratulations, world, both things are intertwined now. We’re like, bad update server serves ransomware to boat server.

And now the supply chain issues have caused supply chain issues, and the conflation of these terms has made it really bonkers to talk about some of this stuff here in 2021.

There’s nothing anyone can do about supply chain issues. And it’s that focus on post exploitation detections. Like, it’s just a doubling down on that, because what else can you do about those sorts of problems? Yeah, and I predict that lots of marketing and lots of companies will help you in the coming year resolve your supply chain issues.

I’m not sure whether it’s so much like not being able to do anything, but it’s definitely interesting. I remember just chatting when we were prepping for this, just thinking about the fact, like, coming from a background in government and DoD and intelligence, right. Like, supply chain issues are and have been, really particularly in the technology space, right, concerns in that industry for a really long time, and there are very real concerns where there are very real occurrences with very real impacts. And just seeing that come downstream to the point that effectively every company now, to some degree, is at a minimum talking about it, and more and more of them every day are trying to figure out what to do about it. Right. And so I think that’s like, in the same way that really high end malware and things like that all started in the same places and those techniques eventually find their way out into the public one way or the other.

And it has been interesting seeing stuff like supply chain, which are really old problems, even in technology, very real, like, very hard to deal with. Right. And they can be really costly to detect and they can be even more costly to try to mitigate. So that is an interesting, just kind of like, evolution of this stuff: malware lives up here in the fraction of the 1% who have to make it, worry about it, use it, and that eventually becomes mainstream, and this is no different. Right. And I think that’s probably like, when you think about burden on industry and on us, right.

It’s a really interesting challenge. Right. It’s effectively an unsolvable problem, but we absolutely have to dig in and figure out not how to make it go away, but we absolutely have to figure out how to make it better.

That’s a little bit of last year and definitely a little bit of, like, what’s probably going to be many years to come. Right? Yeah. Well, while we’re throwing out buzzwords, Adam alluded to it, but I think the whole zero trust thing, right, becomes a little bit more apparent when you have supply chain issues, both from that and even, like, the Log4j thing. Because it’s like, hey, if we get hit with a zero day, or a trusted provider gives us things that now have a vector into our network.

We need to be able to detect the other activities that the attackers will be doing in the environment in order to determine compromise. Right.

No, I think these sorts of things, we’re going to see a tail of Log4j. Right? It’s already happening. People are grepping all of GitHub for widely used repositories that have similar flaws. Like, now that this has been identified, we are going to find more of this sort of thing, and that’s the nature of widely used libraries. Like, they’re just embedded all over the place, and what can you do about it? I think it’s tricky because, Keith, you’re right. The whole let X vendor solve your supply chain issues with Y piece of software and Z amount of dollars, we’re going to see a huge uptick in that. Certainly it may not be a prediction, but to me it’s only a matter of time before we see a widely noted incident where there’s a supply chain issue and it’s not because of some third party compromise, it’s because some lead developer got a duffel bag of money and put in the right line of code.

And again, there’s no automation you can wrap around that sort of scenario where someone’s just getting bribes to put in bad updates, and it certainly happened already in smaller places, but I think we’re going to probably see a mainstream news, like, oh, that was bad and somebody did something criminal, and now everybody’s freaking out about it.

Well, it’s interesting that you say that, because when I was in graduate school, which is becoming many years ago now, that was a topic of discussion. Like, someone did a research paper, like, their master’s thesis was, like, in how minimal an amount of code could we write a back door that doesn’t get caught? Right.

Sadly it’s not that much. Right.

It’s interesting that you bring that up. Yeah. And we look at things, what was it, like goto fail. That was a while ago, but literally, like, a one liner. It’s like, oops, mistakes were made. But I think this sort of thing of human-caused supply chain issue will probably appear in a meaningful way, and whether or not the rest of us know about it, we’ll see. But it should prove interesting as a vector into organizations, and obviously if it’s something critical to the infrastructure of the entire internet, just everything will burn to the ground over a weekend and that’ll be fun too, I guess.

Yeah. So we talked about kind of supply chain issues that we saw. We talked about kind of some of the defensive measures that we’ve seen people taking. Is there anything else that you guys would highlight in terms of what we saw in 2021? Because we can certainly shift the conversation, but I’d be curious if there was anything else that you saw as major themes, both on the Atomic Red Team or the Red Canary side.

Maybe the one that is probably, like, the biggest softball observation of them all, and maybe as we think to moving towards things we expect to see next year, is that detection in general, it seems like concepts like detection engineering as a concept is a thing that you see more folks advertising for and aspiring to do in some cases, and those foundational principles there that you see just becoming much more widely adopted, like building things that are testable and repeatable and measurable. In particular with testing, just, like, looking at growth in projects like Atomic Red Team over the last year has been, and I say growth, not just, like, wild explosion of people, and there’s been a lot of folks who have joined the project, but even just the sheer number of people that are using that, the places that it’s getting integrated into other products. And part of that is very Atomic Red Team specific. But I think really the bigger story there is that you’re definitely starting to see a shift from red teaming used to be a big bang thing, to Adam’s point, like, you kind of go, oh crap, and you do it in Q4 because somewhere you committed to doing this once a year and people will yell at you if you miss it, right? And a lot of it was compliance driven. Not to say organizations didn’t have a desire to do that and learn from it. But starting to see stuff like testing and just companies recognizing the need to make sure that detection and their operations and their incident response machine works when it matters, and trying to figure that out before it matters, has been a really, that just overall is, like, I think a super positive trend that we’ve seen a marked increase in, in 2021 in particular, and just people applying a lot more rigor and a lot more ongoing effort to that.

And again, just like thinking of testing as much less a big bang thing and much more of a thing that you see people building into their program, an expectation of their team every day, week, or month, however often they can sustain it, is a sign of overall maturity, right? Like we’re all getting a little bit better at this, and that piece in particular is getting better in some really cool and healthy ways that just lead to really fundamental improvements across the board. It just kind of raises all ships and makes everyone’s life a little better and easier. If I may, I think the other side of that coin is really lowering the barrier to entry for doing regular testing. It’s not just that we have to hire a pen tester in Q4. We can use things like Atomic Red Team, or the breach and attack simulation space or the adversary emulation space or whatever you want to call it. Like, that is being commoditized, and there’s such a robust suite of different kinds of products, and they’re baked into all sorts of different things, and they run the gamut of capabilities, like the commoditization of breach and attack simulation as a mechanism for doing detection validation.

I think 2021 was a huge year for that. Not only do we see, like, all the open source C2s appear, which we do every nine days it seems like nowadays. But really these products in the adversary emulation space are just so good and numerous. It’s really like, if anybody wants to do this, they don’t need to get a cert to do it, they just can now. Which is awesome. Yeah, that was the one point I was going to bring up. I’m glad you brought it up.

I think we saw a huge uptick in people wanting to at least start getting into that continuous mindset of testing and validation. Whether you call it controls validation or pen test as a service or breach and attack simulation. I mean, these are all different flavors of the same thing. So I think we’ve seen that continue to focus on, hey, this needs to be constant in some capacity, right.

And a lower barrier to entry, like you said, Adam, of having a lot of resources now available to be able to have this mindset. We talk about purple teaming a lot, and people can abstract that or make that much more technical and deep, just depending on how you think about that term. I always like to think of it a little bit more abstractly, like just general better collaboration and deeper collaboration between people that are identifying things from the proactive side and the people responsible for fixing them. Right. And having, I would say, a deeper empathy towards being able to say how each side of the fence operates. Right. Because it’s easy as a red teamer or a pen tester to just blow things up and say you’ve got problems, and not really know from the blue team’s perspective how hard it is to fix those things.

Right.

Yeah. Good stuff. Well, yeah, great conversation. I mean, I think this was healthy in terms of kind of setting the stage for what we saw in 2021. And it’s interesting even thinking back to, like, this time last year, what we were talking about. SolarWinds had just come out. I feel like there was one other one that had hit; maybe, when did Kaseya? I don’t know if it had hit by this time last year, but all these kinds of things, right.

Supply chain, and it’s just continuing to trickle in. So I think that helps kind of parlay into the next conversation. Now, what should we expect? We saw some uptick in a lot of these areas. What are some of your predictions as we head into the new year? What should we expect? Well, I think we already hit on the obvious prediction, which we can absolutely expect: all of the end of year events. Honestly, from an industry perspective, the first part of last year was dominated by people on the tailwinds of things like SolarWinds, like all the Exchange stuff that went down, things like that. And there was just this huge groundswell of activity and people trying to not just sell, though that was a huge part of it, but just, like, a lot of energy was put into figuring out how do we make sure this type of thing doesn’t happen again? And then that kind of tails off, and we could see that again.

I think maybe by way of just thinking through not just what we expect to see, but what we do about it. Right. There’s, like, an interesting, and how we can help, right? It’s like one of the most, if it’s both a prediction and maybe a suggestion, it’s just trying to think through as an industry, like, yeah, what are some of the fundamentals that will not just help address these tactical problems, but that will make detection and response, and in particular how you close the loop on those things, much more effective. Right.

And I think that’s definitely a thing we expect to see, right. If people are doing more testing now, if that’s a hypothesis, which may or may not be true, but if that’s what’s happening, we’ve talked a whole bunch of times, and like, Dan, you’re close to this. Right. Doing the testing is great, and seeing that kind of evolve, like, testing tools maturing, that ecosystem, that market, and the availability of that information. Now what we want to see is people doing a great job at incident management, and in particular the stuff that you do. And that happens whether it’s actually, like, a purple team or red team test, or whether it’s a surprise test, as we like to say, but taking those important steps on the end to really just understand root causes and figure out how to address some of those fundamental flaws in infrastructure and things like that. Hopefully that trajectory of testing follows through to just, like, overall better incident management, incident response, and that whole kind of virtuous cycle, if you get it right.

Yeah, I think to dovetail off of that, it’s asset management. It’s the least interesting part of anyone’s job. Configuration management and asset management are the least interesting things that anyone can do, but wildly effective.

Again, we don’t want to talk too much about Log4j, but this thing is a needle in a haystack enough if you know what you have inside of your infrastructure. If you don’t have that either, how can you begin to know one wacky piece of software has this dependency? You don’t even know what software you’re running or what servers you have. It’s unfortunate that literally every year we say, you know what’s still important? Asset management. Configuration management, as it turns out. But it is that fundamentals ball, right. If we can get this right, as it turns out, you can actually help yourself a lot, save yourself a bunch of time. Yeah, I think it’s interesting because I effectively started in the Department of Defense; security program management was effectively what I started doing my career in, right? And that was literally the first thing that we tried to tackle, was, like, how can we be tasked to protect something we don’t know we have?

And here we are 15 years later, maybe more like 17 years later now, and we’re still having the same conversation, right. And it’s just more complex, it’s different. I think that’s always going to be something that, if there’s one thing that’s always going to be really hard but really important, it’s what you just said, right? Asset management, right.

Maybe following through the infosec nihilism thread here for a second, right? It is definitely, I’m a glass half full person, but if there’s some good day, you’re right. We’ve been talking about a lot of the same stuff for a long time, and I think there’s also the basics.

They’re basic and they’re inarguably important, but they’re really freaking hard, right? Inventory, asset management, really freaking hard.

The complexity grows exponentially as the company grows, right? Going from 20 people to 200, you’ve got ten x the problems that you had, not just in terms of people or just systems, but that complexity just balloons like crazy.

So on the one hand, yeah, that’s true. I do think, and maybe even just kind of piggybacking on Adam’s observation, like, breach and attack simulations getting better. That’s awesome, right? That’s a good thing. It kind of lowers the barrier of entry for that. Like, more people can do it. The other cool thing that happens is those breach and attack simulation companies can start focusing on really hard and unique problems, right, and not focusing on a lot of the kind of really low hanging fruit or table stakes approaches to that stuff. And so hopefully the same thing is true when we think about inventory and asset management, just to pick on that one space. But it’s like that we may be able to focus on that now.

And part of the reason will be because of the fundamentals. We’ve got, like, application control and things like that that are really moving upstream, like more of an app store and tightly controlled approach to what goes onto devices. Right? Those things, yes, we’ve got some new challenges. Supply chain stuff, really, really hard. Like, software bill of materials, really cool idea that’s going to be really hard to make happen. Inventory, asset management, really hard.

Those problems didn’t get easier, but we absolutely, I think, are making more space for them, which is great. And so when I pick on infosec nihilism, it’s like, yeah, we are still talking about some of the same things, but every year we get closer to being able to make really good, meaningful progress on them, which is cool. And that’s because a lot of the stuff, application management, application control might be a really good example. Like, application whitelisting was for the 1% of the 1% for 20 years, and now it’s a feature, effectively, of everything that you buy.

I don’t know, that’s just trying to inject some optimism into this conversation, and not that you all are being negative at all. But it is definitely easy to kind of fall into that pit of despair. It is really hard. Well, we are making great progress, which is awesome, right? Yeah. I was going to say one.

If you were to just go say, I’m going to go solve our asset management problem, you’re never going to do that. Right, but I’m just saying I think that’s going to be an effort where you’ll eventually reach this point of diminishing returns where you’re trying to identify every single possible asset. Not that it’s not important, but I think the way the industry is starting to adapt is that we’re helping solve those problems in other areas. That leads me back to that proactive assessment mindset, where people that will identify assets you didn’t know about are pen testers, right, and other attack scenarios. Right. So I think that it helps continue to say, like, hey, we think we’ve got a handle on this, but what are the gaps? And really shifting into a proactive mindset, I think, is going to continue to be a trend in 2022, whether that’s through breach and attack simulation, pen test automation, as well as combined with your internal and external pen testing teams, just more proactive.

I think probing even deeper from an audit and risk management perspective. I think people are starting to wisen up, and actually, that’s probably the wrong term. People are starting to go a little bit deeper, like, hey, you say you’re compliant, you say you do these things. How are you doing that? Not in an accusatory way, but, like, let’s really make sure we know what we should be doing to try and help avoid that big thing happening.

It’s like Moore’s Law but for detection and response and stuff. There’s, like, a security operations equivalent to that. That’s a cool thing to think through and hadn’t really occurred to me until you said it. But if you kind of think about the fact that we are starting to get some fundamentally better controls in a lot of places, and testing is becoming more readily accessible, and some really cool companies are starting to do work in really hard areas like inventory and asset management. Not for the first time, but I think we’re moving the needle for the first time, and that’s, like, all that stuff. If you want to talk about conversations we’ve had for years, it’s that the adversaries’ OODA loop has definitely been faster traditionally than defenders’, right? And it feels like we’re getting there, right? Like, we’re starting to tighten the loop on just getting better at things faster. And that would be a really cool thing to see take hold and to kind of keep an eye on, because that’s how you make fundamentally really huge revolutionary change, and not just get, like, 1% better every year.

We need to get 10%, 20% better every year, right? That’s like a survival tactic now.

I think for better or worse, vendor consolidation is actually a big boon here, right. Like, as large, like, super vendors get more and more tools in their toolbox and acquire more companies to do more things in one. Oh, well, your EDR is now also your asset manager, and it’s also your SIEM, and it’s also all these other things, and it’s like, well, it just makes everything that much easier. And then, because when super vendors get this way, we have that benefit now, like, oh, this one customer got compromised in a really bizarre way, but now there’s detections for it. It’s fed up into this larger ecosystem and, bang, everybody’s blanket detected. And so that monopolization of vendor tools and resources into these megacorporations that are really just here to protect people and also make money. But that as a thing, as more and more capabilities get packed into a single tool, that’s pretty neat.

There’s some compelling use cases that can be driven out of that, and it just makes the defender’s life that much easier, theoretically. Yeah. Well, I like how we’re starting to normalize and kind of standardize on more standard communication around how we talk about detection and attack. The MITRE ATT&CK framework, I think, is a fantastic example of an open framework that really resonates with the community, of, like, this is how we can now speak to where we might have gaps, right, and what the attackers are actually doing.

And there’s just a community behind it, obviously, that’s I think a large focus of Atomic Red Team is being able to speak to those things. Right. Well, and I think that’s another both reflection and prediction, right. There is this ability for us to be, as an industry, to be adversarial minded and to think about adversaries and quantify them in certain ways and give them literal technique IDs and batch them together in that way and to be able to translate that across organizations. I mean, that’s been a huge win. And now when we talk about vendor integration, it’s like, well, does that thing speak MITRE ATT&CK? We just need, is it XML-RPC or JSON now? We’re done. These sorts of conversations I think are really critical, that from a tooling perspective, everybody’s really starting to speak the same language more and more and more, and that only benefits end customers and operators. Yeah, there’s a commercial here, I think, for I would say there’s like MITRE for starters and how that flows down into things like vendor tools and like Atomic Red Team and all of these, just kind of like this whole groundswell.

And we’ve had MITRE as this kind of great common language.

We can start talking about the same things using the same words, and it kind of just gets rid of a lot of the ambiguity and confusion. And now you see MITRE starting to mature that stuff and how they think about it. We put out a threat detection report every year. And it’s just like a lot of that is a focus on straight up prevalence, not what’s interesting, even though that’s a component of it, but what is most likely to happen and in particular what’s most likely to harm you and to have an impact.

Lots of folks put those out, right, there’s like DBIR and M-Trends and all of these, right, and those now can structure around that common language. And now you’re looking at MITRE, who’s breaking off some really big and cool projects right now and into next year to help standardize the language that we even use to talk about prevalence, right? And now that’s like huge unlocks, where we’re not just talking about things adversaries do using the same words, but when we say, hey, these are the top N techniques in this context or in this environment or targeting this technology, like standardizing that language, and that unlocks a whole bunch of things, right? You can assign value to the data that you collect, to the tools that you buy that help mitigate those things, and you can really assign value and quantify red team and purple team exercises and all the motion that goes into that. You can focus them in really different ways.

That’s really cool to see the language evolves, but also just how we all use that language to make better decisions and better investments.

Those things are like, you want to talk about revolutionary changes in the industry. It’s just like it levels the playing field mainly for consumers who are just trying to figure out what the heck do I buy and how do I think about the value of things X, Y, or Z, or even for like a CISO who’s like, what do I invest in and how do I assign value to teams A, B and C? And those are super exciting to see happening, right? Well, go ahead, Dan. Yes, go ahead. I was going to say, so as we drift into kind of an executive mindset, and I don’t know if it’s a reflection or prediction, but one of the things we’ve seen about investment, right, investing in security, we just kind of in recent times saw the cybersecurity insurance industry split out ransomware as its own thing. And that to me seems like it’s going to have a lasting impact on the way money gets thrown around inside of organizations. To date, when we look at some of the largest cybersecurity incidents, it’s like, oh, we just were compromised in the biggest possible way. The board says here’s a blank check, never let this happen again.

But now if we look at the cyber insurance market and now that they split out ransomware as its own thing, I’m curious what you all think will be the long tail impact of those as we look at 2022. Well, yeah, that actually tees up what I was going to say. I think we’re going to have deeper conversations at the stakeholder level, right. And being able to quantify to a degree where the risk actually lies within the organization with better data, right, in terms of like, here are the actual gaps that we have, and the fact that you can now do ransomware simulations and simulations in your environment. You can actually even speak to that, because the insurance companies, they have data that shows, hey, we’re paying way more out on these insurance policies based on ransomware attacks than anything else that’s getting reported. So that’s what’s going to drive it. I think that’s a good call out, and I think when we can standardize language across the whole industry and not just verticals, I think that that’s important, right? Then security professionals at large can help, can start to quantify the risk to the board and to the directors and stakeholders, where budget should go and things like that.

So I completely agree, the insurance angle is fascinating, because we’re all basically in the risk management business, I guess, right, but it was kind of like a really hard calculus, particularly if you’re advocating for really maturing and improving your defensive posture and your ability to do that, like security operations and things like that, right? Because it was always like, well, we’ll invest in this to a point and then we’ll just insure against the rest. And insuring against the rest is becoming increasingly narrow. Right. There’s ransomware, which is split off, I think just last week, right, like Lloyd’s, who is I think still one of the biggest insurers in the world, they for the first time kind of defined what is cyber war, and they’ve started to back away from covering things like attacks orchestrated by what they consider to be nation or state adversaries, right.

Insuring against the rest is getting harder, and the incentive to mature, when all these things we’re talking about, right, like breaking off inventory, asset management, like going and doing testing, like the incentive to mature, fundamentally that’s going to grow like crazy, because the thing you counted on to save you if you didn’t invest, that’s just slowly, like we’re learning more about the costs, and business is business, right? And so you’re increasingly on your own. And I think that approach where if you invest a little bit more in maturing, in those fundamentals, like you said, stakeholders like the board and at the CFO level and stuff like that, that pressure is very real now, right? And the consequences are pretty clear. And I think maybe not a completely conflated use case, but a very similar one would be M&A activity and just diligence from investment, right? We’re both venture-backed companies, so we have to go through diligence anytime we get an investment round. And then obviously when companies are acquiring other companies or having merger activities, there’s probably documented and then undocumented, probably a lot of undocumented cases around how some of these bigger breaches might have happened based on activity on the acquisition side. I think similar to the insurance being able to try and quantify the risk, I think that M&A activity and people doing diligence on investments, I think that’s going to be a similar vein in terms of how they’re going to speak about it, how they’re going to talk about it. I have at least one anecdotal use case of a friend of ours that they went through an investment round as a startup, and the price of the deal, the valuation they got, actually went down based on some of the security issues that were uncovered. And they were not a security company.

Right. So it was kind of all new to them. Right. They’re just building a startup and solving a problem in their own space and then, wait, what were we supposed to be doing? And now we don’t get valued as high as a company. Right? Yeah. That’s awesome.

Conversations happening in places they didn’t before. Right? Yeah. Like, that in a similar vein of interesting but not awesome.

The increased use of extortion versus ransomware, and the use of exfil as a thing. It’s like, I don’t even need to encrypt your stuff anymore. I’m just going to exfil it to wherever, and if you don’t want this in the wild, money, please. That is a very interesting, I think that’s a really interesting trend.

It’s a little less turnkey for a threat actor, I would imagine, to a certain extent, for now at least. But that’s business impact right there. What is your IP worth? What are these private emails worth to you? And it’s not that your business isn’t limping along now. It’s not that every file is gone. A threat actor was here. They took all of our stuff. Now what do we do about that? Right? That’s a very vertical specific problem, probably more so than not, but I think we’ve seen ransomware kind of drift towards that extortion, and I think that’s probably going to increase as well, and the impact of that.

While we’re talking about business problems. Yeah, go ahead.

I was on a chat with a customer the other day who had this fascinating observation that they had a DLP program for ten or 15 years, right, or something like that. Again, kind of like app whitelisting. They’re in the financial industry. They were doing all this stuff before it was cool, but it never really had the groundswell or the importance that it has now because of what you just described, Adam, and you want to talk about.

We say flipping things like just go do inventory and asset management. We also say flipping things like understand where your data is and tag it and know the value of it. Cool story. Turns out that’s impossibly difficult for almost every modern organization.

But another really good example of like, those are like, really, that’s a fundamentally hard thing to do. But now it’s important for the business to answer questions when someone says, hey, X, Y and Z were taken, and if you’re a CISO or like a trust officer, being able to answer that, to respond to that by saying, yeah, here’s the value of X, Y and Z and here’s my recommendation, but having some basis in data and some rigor behind that. I don’t know if that’s going to happen next year, like maybe bookmark that for next year’s webinar, but it is, again, like a conversation that was not never happening before, but definitely not happening anywhere but the top few percent of organizations. Right. And just not even an option.

Go ahead.

No, I think the conversations that are shifting, I mean, let’s take the Log4j thing, for example. I think it’s not so much, how quickly are we patching this? I mean, there’s always going to be those questions like, hey, we need it. What’s our attack surface with this? And how quickly are we getting it patched and what’s the mean time to resolution on this thing? That’s something that the stakeholders are always going to want to know. But I think it’s also, how are we able to detect the activity if it were popped? Right? Because that’s just the initial vector in, and I think we’re going to start seeing more of those questions. Which I think tees up why we’re talking about this in terms of proactive assessment and having data behind it. Like, hey.

We think if they had gotten in from this type of a vector, we’ve done assessments that would simulate that kind of attack, whether it was a known vector or not. And so you can at least speak to greater or less assurance of like, no, this is going to be really bad if they got in this way, or there’s some gaps that we need to make sure we’re identifying right away, versus like, well, we don’t know if they’re in and we patched it.

That’s thinking of the fundamentals ball. Like, here we are talking about, do you properly label and identify what data that you have in case it’s extorted from you or whatever? But let’s boil it down. Would you notice if somebody started exfilling gigs of data off every endpoint in your infrastructure? Would you even know? Probably not. You can’t even begin to talk about APTs. You can’t begin to think about threat actors that use jitter and delays of 40 days, and like, forget that. Would you notice if somebody was stealing like 50 gigs off of every endpoint? And if the answer is no, maybe worth the thought. Maybe start testing that.

Yeah, okay, now this is great. We’ve got about ten minutes left or so. I would like to kind of say, hey, if you got any questions from the audience, we’d love to know them. But I think we just kind of keep chatting about, like, I saw George throw in the question around, is everyone going to have this patched by January 2022? Keith, I like yours, like, how many times, right? Questions at this point, right? Those are very real problems, right? Yeah. Well, I think it is really interesting to look back, while people are thinking of questions, to look back at the impact of some of the 0-days and n-days that we saw this year, especially, obviously, Log4j is an easy one, but look at the iMessage stuff that’s come out. There’s been a few of them, and it’s like, no, it’s not that the user needs to click a thing anymore. Like someone sent them, a thing came over.

Right? We’re beyond phishing at a certain point. And it’s just that the degree of these 0-days are so critical and the users require nothing. Just like, oh, I had a phone and it’s compromised because I received a thing. That’s crazy.

One thing I do think we can talk about too, is these are the predictions. These are where we see the trends going. But what are some practical things people could take away from this? I think obviously, coming from a pen testing background and a proactive assessment, I’m evangelizing that all the time, right? Is that, hey, we need to constantly be more proactive in how we’re thinking about what activity can go on in our environment that could get us breached, and then helping the response team understand those, document the IOCs, all of that stuff. I think there’s a lot of resources out there. I think, obviously, Atomic Red Team is a great one.

But getting into that mindset of just start small somewhere. Right. And just start doing it and starting to identify. We call it the purple teaming concept. Being able to say, like, hey.

I think I have a gap here and I can go pull down some TTPs to test from MITRE, Atomic Red Team or other tools to just say, like, hey, here’s what we’re going to test. Did we see anything happen? Right? On the responsive side, that’s just something I always try to emphasize to folks, ways to get a little more proactive if they haven’t started yet, without having a full blown pen test. And it is staggering. Like, one of the first questions we always get from an Atomic Red Team perspective is like, okay, I want to start with something, right? Where do I go? What do I do? Where do I start? And I think the threat detection report is the place I always point to, is like, hey, would you notice if one of your users on any of your endpoints cracked open a command prompt and did some encoded PowerShell? The tip top of the iceberg? Would you notice if Steve in HR was running encoded PowerShell commands? Right? Because if you wouldn’t, there be dragons.

And I think that fundamentals ball that you’re talking about, Dan, of like anybody can do these tests now, any of them. So why not? You could all do this with copy and paste, it’s that easy, and there’s enough resources to help you get started with it. Hopefully we see a bigger uptick in that as a thing, integrating that, taking that simple data. I mean, Dan, I remember one of the recent conversations we were having, which is inside of your space where people are doing purple teaming and you’re trying to synthesize stuff a red team found or stuff you like, but also feeding in your actual incident data and then vulnerability management and even just the synthesis of like, hey.

What’s most likely to happen or what’s most impactful. Particularly things like a technique standpoint, where there’s something really you can point to, and then just in all of these other ecosystems that historically haven’t taken threat prevalence or technique prevalence into account, right? Like vulnerability management has typically been focused on, is it exploitable, actively exploited. There’s been a small number of ways to carve up those otherwise huge data sets, and now just having the power of platforms and stuff like that where you can say, hey, this came up in the context of vulnerability management through some goofy scan that otherwise you have no idea how to prioritize other than some of those big buckets. But now you start to layer the stuff in and be like, hey, and by the way, this technique is widely prevalent in successful intrusions and breaches, and now you can help people. It’s just like another dimension on that data, and starting to bring some of the stuff you learn on the defender side, the stuff you learn on the red team side, some of the motion from big expensive activities like vuln management, synthesizing that stuff together is absolutely huge. Right? And that’s a really, really cool and positive thing to see happening, right? Yeah. We got a few questions.

I like this one that just came in. How does a smaller company, like with a small IT staff, begin to add blue team activities into their day to day? Right? I’ll speak from my experience when I was at a smaller company before I started PlexTrac, or at least dove in full time. We had a smaller team, but we had some good investment in a lot of the defensive technologies like firewall. We’d contracted with an MSSP for 365 coverage, or at least monitoring. But we kind of sat down and we said, okay, we’re going to spend 25% of our time on the proactive stuff for now, and we want to shift that percentage up as we kind of, what I call, clean out the backlog of the legacy issues. And we just said, hey, we think we have some gaps in lateral movement detection, so let’s just start testing some of those techniques to just see where we’re at. So that’s what we did from a very practical perspective. I’d be curious, like, what you guys’ advice would be.

Take your vitamins, man. That’s the advice, right? That’s an awesome question. Right? You say stuff like incorporate blue team activities. Sorry, like marbles in my mouth. That sounds huge, but what you just said is, like, just pick one thing. I don’t care if it’s like our threat report, go pick anybody’s threat report. Find the stuff that happens most often.

Go to Atomic Red Team or to wherever. Figure out how it happens. Like, how do you actually make this technique go boom, and do it and just write it down, and literally that simple. Like, that is a super interesting and cool, like, you can do that during lunch every day and you can see, like, did I even see the thing happen in the first place? Did I get an alert? Did a preventative thing go off? If I have MDR, whatever, did somebody call me and tell me, hey, we got a problem? Super cool way to just think through how to do that, and just like really bite size chunks, right? You don’t need a team to do that. Awesome way to think about it. It’s just like, anybody in IT can do that. Absolutely.

Yeah.

I think one thing specifically is you don’t need to use live bad samples of malware. I’m glad to see that the industry is kind of not doing that as much anymore. Like, talking about a positive trend, we don’t need to use live samples of stuff. Like, don’t go there. Use the prevalent techniques and see if you notice them.

Even, like, if you’re a PlexTrac customer or want to do it, there are resources out there, obviously. Atomic Red Team. MITRE has the threat emulation plans, sites out there, Threat Thursdays. So there’s free resources out there to go and just establish, like, a cadence of like, hey, we’re going to go test these things. And then you can actually start to measure your progress over time, right? Yeah, no, that’s good.

Let’s see. I think we can do, well, I guess we’re right up there. We’re out of time. I lost track of the time, but hey, any last one? Thank you so much, guys, for taking time out of your busy schedules as we near the end of the year to kind of just spend time reflecting and then looking forward. I think this is always valuable for the industry and community, and any last thing that you want to share? Anything exciting going on from your perspective that you want to broadcast beyond Happy New Year?

It’s been a slow week and a slow year, so nothing else to add. Thanks a lot for having us on. Yeah, thank you, Dan. I really appreciate it. Yeah, absolutely. Well, thanks everybody from the PlexTrac side. We’ve got some other resources out there.

We just published a report on just the value of purple teaming. It was some research that was done. So feel free to go out to the website and get that white paper on how people are utilizing purple team in their environments. Very in the same, very apropos of our discussion today about being more proactive in identifying how to make progress in your security posture. But if you have any other questions, you know how to reach us, and we’re always happy to answer them. Adam, Keith, thanks so much, and definitely wish you happy holidays and a happy New Year.

Thank you. You too. All right, thanks, everybody, and enjoy the rest of your day. Hey.