
[TRANSCRIPT] Threats that may have gone unnoticed by organizations during the pandemic

Casey Ellis: ... in terms of what the users might be bringing back into the office, we've also seen a sharp rise in ransomware. Even the Solar Winds stuff, there was a lot of stealth and persistence and thought given to lateral movement that can behave very differently if it's on the same local network versus what it's capable of doing if it's connected via a VPN. So yeah, all those scenarios, I think, are relevant to play through. The challenge is, and again, it comes to this core idea of creating a set of hypotheses for threat hunting that are most relevant to your organization and burning down through those. Because part of the goal is almost to prove a negative, which you can't do. You're trying to get it to a positive as quickly as you possibly can, which means you have to think about the threat. You have to think about what's actually likely, which is going to depend on what you're doing as an organization and what you're doing it with.

Joe Uchill: Is now the time to start a new threat hunting program, or is waiting until everyone gets back the time to do it?

Casey Ellis: Yeah, I think now is the right time to start table topping and thinking that stuff through, at the very least, if you actually execute on threat hunting off the back of that and try to prove the thesis true or false. Again, it depends on what all else you're trying to deploy a resource on as a security team. And if you're not doing the basics properly, then maybe don't divert attention from getting that stuff sorted out first. But the whole idea of just being able to think through what the different threat scenarios look like, it's a good time to actually stop and think about that right now.

Because you're absolutely right, I think the general consensus, even where I am right now in Australia, is that the pandemic is rounding a turn, we're going to start to return to whatever we end up calling normal in the future.

Casey Ellis: So now is a pretty good time to start thinking about, what's happened over the past 12 months that we might have missed? And then also, what do we expect to see as a threat over the next six to 12 months as we adjust to that new way of doing stuff?

Joe Uchill: I'm sure right now the threat that people will be hunting for will be Solar Winds dependent, or at least that chain of all of those different linked-together Russian attacks.

Casey Ellis: Yep.

Joe Uchill: Usually, almost always, people tend to start with the assumption that you don't need to start with the APTs, that it's probably the criminal. Are we at the rare moment where maybe you start with the APT?

Casey Ellis: Yeah, that's an interesting one, because I think it's still coming out in terms of how widespread actual targeted use of the attack was. And the initial stuff was pretty focused in terms of how it was reported out on federal government targets and whatnot. But because it's a supply chain attack and you're owning the supply chain, you catch up a whole bunch of other folk in the process. It's an interesting question to answer. I think what Solar Winds demonstrated is that APT can get to everyone and they will.