The episode: 170 – SIG Security about the practical use of Threat Intelligence
Recorded: 2022-05-17 (published 2022-05-22)
Participants: Erik Zalitis, Jesper Olsen and Christoffer Strömblad
This episode is made in cooperation with SIG Security.
Listen to the episode, now – Threat intelligence
While listening to this episode – Threat intelligence
English, again? Yes. I thought it would make it easier to pull together with two Swedes and a Danish. I talk about nationalities here, not food, just pointing that out. Anyway, we have an old friend, Christoffer Strömblad, who was on this podcast in 2019, and a new one, Jesper Olsen. Christoffer has since left the Swedish Police and joined TrueSec, a Swedish IT-security focused company.
Jesper is Danish and works for Palo Alto Networks, a very well-known maker of security appliances.
IT-admin, know thyself!
The subject is interesting and, simply put, goes:
”If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
It used to be a bit suspicious when security people quoted Sun Tzu, as it was more bravado than actual substance. But here, in this warlike state of business that is the Internet, it fits very well. We are in the middle of a coevolution between hackers and defenders.
Christoffer and Jesper talk about the properties of common victims and have three rules to go by to assess the situation:
- Archetypes – who gets attacked?
- Vulnerabilities – how do they get attacked?
- Reconnaissance – how do they find you?
This may seem like the same discussion as it always was, and yes, to a certain point it is. But it’s 2022 and the methods they describe are pretty new, as in ”a new way of doing the same”. In the IT-security business, this counts. Brand new, never-before-seen attacks are few. But new takes on old tricks is what we see all the time, as attackers try to remain in control. They crawl around our latest defences. Right now, TrueSec has seen an uptick in USB-drive attacks. Why? Listen to the podcast. It’s around 19 minutes into the show.
But don’t worry, we also got a new development for you:
Initial Access Brokers
At 20:57 I ask Jesper about IABs. That is, hackers selling access to organizations instead of data. As the business of hacking matures, it gets more specialized, as I wryly note. This is at least new to me, and the big development is not when something appears for the first time, but rather when it becomes a thing. You can’t go full hipster and say ”I knew about that attack vector before everyone did! Dude, like they sold out!”.
Worse than the disease – the Therac-25
On or about 19:00 I mention an X-ray machine killing a patient. It was a device known as the Therac-25, and it had a bug that sometimes, very uncommonly, delivered deadly doses of radiation. The software bug was eventually found, but it was nearly impossible to reproduce the conditions until you knew them. The device had multiple failsafes, but in the end, it did not matter. I’ll add a link at the bottom of this page, where you can read the story. But this quote should scare you:
”What they found was shocking. The software appeared to have been written by a programmer with little experience coding for real-time systems. There were few comments, and no proof that any timing analysis had been performed. According to AECL, a single programmer had written the software based upon the Therac-6 and 20 code. However, this programmer no longer worked for the company, and could not be found.”
Links – Threat intelligence
Errors and omissions
- Nothing to report at this time.