Tova Dvorin (00:01.306) Welcome back to the Cyber Resilience Brief, a SafeBreach podcast. This is the final episode of our series on the Russian intelligence and proxy threat. We've analyzed the problem from every angle. Now, today, as usual, we're here with my co-host, Adrian Culley.

Adrian (00:16.012) Hi Tova, and hello to all of our listeners, and welcome to our first-time listeners. We're very pleased to have you all.

Tova Dvorin (00:23.258) Thanks, Adrian. Now, as a SafeBreach engineer, tell us: how do we address this Russian intelligence threat, this multi-layered, multi-party, multi-TTP threat that we have on our hands?

Adrian (00:34.702) So there's a very simple solution, and there are actionable steps. We start with adopting a CTEM mindset, continuous threat exposure management. For our listeners who've not heard our episode on acronyms yet, CTEM is a term Gartner coined in the past 18 months, which encompasses a holistic view of cybersecurity and connects cybersecurity tooling and planning to business risk.

Tova Dvorin (01:01.24) Right. Now, whether you're adopting a CTEM model or you're looking at this from a more general offensive cybersecurity perspective, mitigating the threat here involves several steps and recommendations. Let's go through them one by one. First off, the recommendation is to harden the human layer. Now, Adrian, what exactly does that mean?

Adrian (01:18.84) So we get yet another acronym: CART, continuous automated red teaming, is essential. Now, I personally think, and I know we're drowning in acronyms, that CTEM, CART, AEV are all actually part of what may well be, in three, four, five, ten years' time, an offensive cybersecurity quadrant. And we will talk in the near future about that in a lot of detail. But CART, continuous automated red teaming, includes rigorous training regarding impersonation and VoIP spoofing. But classroom training alone isn't enough. You need to test it. You need to implement it.
Tova Dvorin (01:56.172) Right, you can't validate what you can't test. How do we do that?

Adrian (02:00.984) So we use our CART capabilities to simulate these social engineering scenarios. We can test if your employees click the links, if they report the suspicious calls; we can validate the human firewall. We also click links on your behalf. What we're doing, and I just want to stress this to people because sometimes it's less than clear to them, is that we're not doing anti-phishing training in your employees' or colleagues' inboxes. What we're doing is guaranteeing that the phishing activity of a threat actor is created technically across your network, across your endpoints, across your cloud. And we're checking whether your security controls are seeing that phishing activity. We're validating your anti-phishing controls rather than validating your employee.

Tova Dvorin (02:49.734) Wow, that's a great and subtle point, which actually brings us to our next recommendation, which is having adaptive multi-factor authentication, or MFA, enforcement. So, just basically moving away from easily phishable MFA. Can you tell us a little more about that?

Adrian (03:07.214) So yes, tokens are an ever-present part. They're not new, but they're being issued more and more. Things like FIDO2 hardware tokens. You could refer to this as hyper-factor authentication. And it really highlights how the cybersecurity arms race we're all locked in has escalated. It's not that long ago that two-factor authentication was seen as being the pinnacle of what you need to do. Then it was acknowledged, well, not acknowledged; it was identified that hackers had subverted two-factor authentication. Then the new pinnacle was multi-factor authentication. And today we're now looking at adaptive multi-factor authentication, or, as I like to say, hyper-factor authentication, where we've got lots of moving parts and it's not a fixed system, it's not linear. We'll be asked for different things at different times.
Why are we doing that? It's not inconvenience for you; it's introducing inconvenience for the attacker. But simply buying tokens isn't the end. You also need AEV, as mentioned earlier, adversarial exposure validation. You need to validate that your policy is actually forcing the hyper-factor authentication, the token use, to be used.

Tova Dvorin (04:32.101) Okay, and that means essentially we can simulate a bypass.

Adrian (04:36.36) Exactly, in one. We can simulate the techniques Scattered Spider, for example, uses, or any other threat actor, like session token theft or MFA fatigue, and verify whether your adaptive policy blocks it. If we can bypass it in a simulation, so can they. That's the whole point of our activity here.

Tova Dvorin (04:58.179) That's right. Just moving on to more recommendations. No, that's not a good transition. One second. Right. I mean, we specialize in making hackers cry and also in simulating what they do. So what about disrupting initial access TTPs via account monitoring on cloud and SaaS? We know that that's a typical hacker technique.

Adrian (05:18.316) Again, this is actually critical. They target Salesforce, they target Snowflake, they target Okta. SafeBreach has specific attack playbooks for these platforms. We can simulate an attacker trying to escalate privileges in your cloud environment. Do your alerts fire? Does your SOC see it? And always bear in mind, we have the scenarios that come off the shelf in your individual SafeBreach platform. But you also have your customer success team, who have access to a wide range of other things. And if you don't see what it is you're looking for in the platform, please ask your customer success team or any of the engineering staff, because you'll often find we have other things as well that we can provide you with. Or if there's something that we're about to release, we may be able to get you beta access.

Tova Dvorin (06:11.705) That's right. The problem is that now this doesn't work with the flow. One second.
You know, another factor, by the way, is network segmentation.

Adrian (06:23.566) That's a big one, you know, classic BAS, Tova, breach and attack simulation, as you all know. Our research says BlackCat is being used by Russian intelligence agencies, if not that they are Russian intelligence agencies, to deploy ransomware. At SafeBreach, we can run a simulation using the exact behavioral signatures of the Rust-based BlackCat ransomware.

Tova Dvorin (06:47.705) Wait, but we run the actual ransomware on your critical live production systems? Get out.

Adrian (06:52.568) Well, as in our name, SafeBreach, we run a safe, non-destructive simulation of it. We test: can it move from the compromised help desk laptop to the critical server? If your segmentation is working, the attack stops there. You've contained the intrusion.

Tova Dvorin (07:10.349) And that in turn denies the Russians their intelligence.

Adrian (07:13.59) Exactly. It's effective use of the Lockheed Martin kill chain in practice. If the malware can't reach the data, the FSB can't co-opt it.

Tova Dvorin (07:27.905) Right, and neither can their partners. How do we disrupt the intelligence sharing between these groups?

Adrian (07:33.336) So that's a really interesting point, Tova. We're very keen to talk, as defenders, about interaction with the FBI and other government agencies about intelligence sharing amongst the good guys. But the reality is that hostile foreign nation-state advanced persistent threats, hostile intelligence agencies, share intelligence. They're very guarded about it, but they do it. And we need to adopt their techniques ourselves for disrupting that. We need to track the convergence model. We need to identify IOCs from both the Western brokers and the Russian ransomware-as-a-service brokers. SafeBreach constantly updates our Hacker's Playbook with these latest threat intel feeds. When Scattered Spider again changes tactics, we update the simulation.
Tova Dvorin (08:18.533) So the strategy is: don't guess, test. Simulate their attacks, emulate their behaviors. We provide both against all three Russian intelligence agencies and explicitly ALPHV and BlackCat ransomware.

Adrian (08:30.938) Exactly that, Tova. These things are all sitting on the shelf in the SafeBreach platform. We'll always co-pilot with you if you want some help or guidance, but do toughen up against Russian intelligence. The hybrid threat is too complex for paper defences. You need to run the full chain. One, simulate the entry: social engineering and CART. Two, simulate the spread: lateral movement and BAS. Three, validate your controls: adversarial exposure validation.

Tova Dvorin (09:03.129) Well, Adrian, this has been an incredibly enlightening series. We went from debunking a conspiracy theory to understanding a very real, very complex geopolitical machine.

Adrian (09:13.176) I think it's all about clarity, Tova. The proxy paradox is dangerous, but it's solvable if you take a data-driven approach, something that is very close to your heart.

Tova Dvorin (09:22.629) It is, and perhaps you'll hear about it on a later episode. But in the meantime, thank you so much for listening to the Cyber Resilience Brief.

Adrian (09:30.99) And until next time, stay safe. Stay safe with SafeBreach.