On Location With Sean Martin And Marco Ciappelli

From Data to Defense. Behind the Scenes of the DirectDefense's Threat Report Insights | A Brand Story Conversation From RSA Conference 2024 | A DirectDefense Story with Jim Broome | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Explore the dynamic world of threat intelligence with DirectDefense's Jim Broome, offering insights into cybersecurity trends and strategies.

Episode Notes

In cybersecurity, understanding the constantly evolving landscape of threats is key to safeguarding digital assets and sensitive information. DirectDefense, a leading security services provider, offers valuable insights into the world of threat intelligence through a candid conversation with Jim Broome, the Director of DirectDefense. In a recent discussion with Sean Martin, they delved into the nuances of IT and OT convergence, network separation, and the critical significance of threat reports.

Uncovering Threat Intelligence Trends

The dialogue between Sean Martin and Jim Broome sheds light on the intricate details of threat intelligence gathered by DirectDefense. Jim Broome's extensive experience in the industry, coupled with DirectDefense's commitment to cybersecurity excellence, unveils compelling narratives of threat actors, attack methodologies, and strategic responses to mitigate risks effectively.

From Penetration Testing to Managed Services: DirectDefense's Evolution

Jim Broome narrates DirectDefense's journey from its inception, focusing on core services like penetration testing and managed services. The shift towards leveraging threat reports to provide actionable insights to clients showcases DirectDefense's proactive approach in addressing emerging cyber threats effectively.

The Impact of Threat Actor Behavior on Security Posture

Through real-world examples like the Scattered Spider threat group's activities, Jim Broome highlights the direct impact of threat actor behavior on organizations. By dissecting attack vectors and lessons learned from engagements with threat actors, DirectDefense empowers clients with the knowledge to strengthen their security postures.

Collaboration and Customized Solutions

Jim Broome emphasizes the value of collaboration and customization in cybersecurity services. By tailoring alerts, response strategies, and monitoring solutions to suit each client's unique environment, DirectDefense fosters a culture of resilience and preparedness against potential cyber threats.

Empowering Organizations with Actionable Insights

The blog post underscores the importance of utilizing threat reports to gain actionable insights and establish robust security protocols. DirectDefense's approach to presenting information in a tangible and practical manner resonates with organizations seeking to enhance their cybersecurity frameworks.

Looking Towards the Future of Cybersecurity

As cybersecurity landscapes continue to evolve, organizations face the challenge of adapting to new threats and vulnerabilities. DirectDefense's proactive stance on integrating cybersecurity solutions with core IT disciplines signals a strategic approach towards ensuring operational resilience and uptime in critical infrastructure sectors.

The Essence of Collaboration and Expert Guidance

DirectDefense's emphasis on collaboration, expert guidance, and responsiveness to evolving threats underscores their commitment to ensuring clients are equipped with the necessary tools and insights to navigate the complex cybersecurity landscape successfully.

This conversation with Jim Broome offers a glimpse into the intricate world of threat intelligence, showcasing a blend of experience, expertise, and foresight in safeguarding organizations against cyber threats. By leveraging actionable insights and strategic responses, DirectDefense paves the way for a more secure and resilient digital environment.

Learn more about DirectDefense: https://itspm.ag/directdef-gs7

Note: This story contains promotional content.

Guest: Jim Broome, President and CTO, DirectDefense [@Direct_Defense]

On LinkedIn | https://www.linkedin.com/in/jim-broome-88a0a02/

Learn more and catch more stories from DirectDefense: https://www.itspmagazine.com/directory/directdefense

View all of our RSA Conference Coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

[00:00:00] Sean Martin: Here we are. It's a sunny day in San Francisco. Gorgeous day. It is. It is. Thanks for having me over to this beautiful spot.

[00:00:09] Jim Broome: Yeah, you know, I had to get you off the main floor down there, right?  

[00:00:11] Sean Martin: I know, outside I can actually breathe some fresh air, which is really cool. And, uh, we'll take a selfie, because if there's no picture, there's no proof. 

[00:00:18] Jim Broome: Right, exactly.  

[00:00:19] Sean Martin: I can't prove it, so we'll do that for folks. Uh, Jim Broome is with me from Direct Defense. Jim, thanks for joining me.

Ah, thanks for having me.  

It's gonna be a good chat. I, uh, had a good conversation yesterday, and, uh, we talked about IT and OT convergence and maintaining separation of networks and duties and all that fun stuff. 

Connect them but don't, right? Right, exactly. Connect them where you need to and have that visibility and control, which you guys do a fantastic job at. Because you have the knowledge. Yep. Of those environments.  

[00:00:54] Jim Broome: Yep.  

[00:00:55] Sean Martin: So, uh, yeah. Thrilled to have that chat. So I encourage everybody to listen to that. And, um, today we're gonna, we're gonna take a turn off the highway and, and, uh, go into threat report plan because, uh, you guys pull some interesting data together, um, on threats and I'm interested to hear what's going on there, but before we do that, a few words from Mr. 

Jim Broome, who you are, what you're up to, the Director of Direct Defense  

[00:01:22] Jim Broome: Well, for those that don't know me, you know, hope some new folks, but, uh, going into my 30th year in the industry at this point. So the gray hair is real. It's not a dye job or anything like that. Um, but, uh, yeah, uh, essentially the president and CTO of direct defense. 

Uh, we specialize in security services. So penetration testing, uh, managed services, and then the OT practice with Chris that you got to talk to.  

[00:01:45] Sean Martin: And. I don't think Chris and I got the history. I don't think we talked about that. So give me, give me the background on Direct Defense. When you were founded, what was the original objective and how did we get started? 

[00:01:58] Jim Broome: Um, really myself and Bo Shariari, who's my business partner, we came from a place called Accuvant, now known as Optiv in the industry. Um, and essentially we started our primary services day one, which is our testing services and still a considerable bit of our business today. So we really picked up with a lot of our core customers, um, that we had essentially built the programs for them to do testing at scale and programmatically test their products as they're going to market.

And we really do have a strong base in manufacturing today across the board, which is why OT is so critical for us as well. Um, along the way, our managed services became a thing because of organic demand. So, teasingly, when I talk to customers, like, second year we were in business, ransomware became a thing. 

Uh, not everybody followed our carefully crafted deliverable from the penetration test, and our first managed service was actually managed incident response, helping get the bad guy out, or post events, when all the lawyers and everybody are gone, making sure they don't have a repeat of the same thing. So we now call that purple teaming.

Where the red and blue team are working together to make sure they got visibility and so we would go in there and set up testing scenarios so they could see it. And ultimately our customers flat out asked us, hey, you guys do a really good job of finding solutions that work, add the service to it. And so that's how we got started. 

[00:03:08] Sean Martin: Perfect. So, all, not all, a lot of that data, I presume, are, become lessons learned, right?  

[00:03:16] Jim Broome: Exactly.  

[00:03:18] Sean Martin: Here are the threats we're seeing, that's data. Here are the attacks that we've seen happen because we didn't block the threats properly. Here is threat activity broadly outside of the organization. Is that the driver behind the threat report?

[00:03:36] Jim Broome: Um, yes, very much so. I mean, directly what we saw, what made the news last year, like Scattered Spider, the threat actor group that was a BlackCat affiliate. Um, you know, they made a lot of news with the hacking of MGM. And, um, we know we went toe to toe with them on eight different occasions. Um, and we're really able to kind of take the themes and lessons learned from those attacks and turn that into, you know, into value to our services across the board.

Um, you know, the threat report that we kind of highlight and also our message to customers is making sure that they ask for their partners to really be a partner, their service providers. And so, one of the things, you know, the themes that we come out of the data set was number one, how is that message resonating with our customers? 

Uh, you know, case in point is, you know, we take the same core alerts with every customer, but we let them tell us which ones are more important, which one is a higher priority, or better yet, what's your work case on how you want this to be remediated for you? Um, we found we actually have about an 8 percent variance from client A to client B across the board.

So from a service delivery standpoint, the challenge is definitely on us to be as consistent as possible. But with that being said, it allows us to actually do a lot of customization for customers. And we've actually, you know, uh, by all means, go look at the report, but we found that, you know, the message is definitely resonating.

We have a core set of, if you will, cyber alerts. Uh, cyber security related alerts. But we found that about 30 percent of the overall volume going back out to clients is things they specifically asked for. That's programmatic. It's not just a cyber thing. It's a productivity thing. It's a change management thing. 

Um, that all feed into making sure a customer gets what they need. And that directly translated into the threats that we also saw with threat actors like Scattered Spider. Uh, we had, had the benefit of a very mature, uh, customer with a very mature MFA program. That one of the things we did for them a couple years ago was we created a standard set of rules and alerts.

Because they had already programmatically established that they're going to roll out new MFA. It's going to default to the push notification, the pop up on your phone, the PIN code. And culturally they had eradicated the use of text messaging. Which is really what we saw being abused by the threat actor last year.

Um, if you still have text messaging turned on, uh, in your program, that's one of the threat vectors they're using called SIM swapping. They were literally profiling your employees, picking the worst time. In most cases, uh, we saw a huge spike in summer where they were actually profiling individual employees in their social media or family's social media to target them specifically.

Uh, and in some cases they were successful, you know. But because we had these custom alerts in place, we saw in the first 15 minutes that, you know, Bob or Sally, the admin, just added a new phone to their device and just, you know, to their MFA settings, and we're able to turn those into alerts, if not proactively get in front of it.

[00:06:18] Sean Martin: And I've actually heard, I think it was from Chris actually, at the same scenario where I'm thinking about it now. Advanced Persistence Swappers. Repeat SIM swaps, trying again and again and again. That one's not working. Let me try another screen.  

[00:06:37] Jim Broome: Yeah, I mean, they literally went through four different customers. 

Uh, or you know, four different employees in one environment. They were successful in three of those cases. Which kind of speaks to the cellular industry really needs to step their game up for protecting your phone. Because that's tied to your bank account and other things. Not just your login password. 

[00:06:53] Sean Martin: Right, yeah. A lot of stuff connected there. So, tell me a bit about the structure of the report. How is it organized? How do you break down the information and present it in a way that makes sense?

[00:07:02] Jim Broome: Really, we took the themes, like I said, that we were seeing, and more importantly, the threat vectors that we saw after the, after the successful breach. 

Like, first step in, they got someone's credentials, what do they do next? And so, we really took the theme of, you know, where we went and added a lot of custom alerts across the board for clients. Uh, but secondarily is, like, what are we seeing across, you know, across that landscape. So, thematically, you know, just staying on Scattered Spider for a second.

Uh, they're not the only one doing this. Most of them are doing it now. But they were the first ones to come in in teams. So one group was actually designed to actually break into an account. The next one was to get global admin. That global admin account would then jump over to your Azure environment and they would set up a, you know, a federated domain which gave them access to all your MFA tokens to replay at will.

Then they would log back in as your own individual. Then another group would actually go after on prem infrastructure. That's one team. Technically that's two teams. The first guys that got in. Alright. The second one that got persistence inside the cloud environment. The third team would actually pivot over to your on premise, like your VMware infrastructure, what have you. 

Uh, and then the final team was actually going through all the Azure single sign on enabled apps, and going to each one of those, figuring out what the use, what admin user was there, and actually logging in from there. So, they were getting into ERP solutions, your own security solutions. So seeing, you know, seeing them pop up, you know, next to you, if you will, uh, you know, in the front line and, you know, having to repel them out of the security solutions that we're managing and seeing the other activity coming from. 

Uh, they were updating. Um, they also, if you use like a global VPN, you know, provider or SD WAN provider, they were hopping in there, downloading the agents and joining those, come in through the side door, if you will. Um, so again, it began, you know, really specialized on. Where can we see integration points? 

How can we see the initial signs of compromise in there? And more importantly, where can we actually start getting visibility of where they're at in the enterprise to try to slow them down, if not get them out?  

[00:08:58] Sean Martin: So that seems really difficult. A lot of that presents itself as legitimate in many ways.  

[00:09:08] Jim Broome: It can be tracked back. 

So, I mean, the main thing is really making sure you've got really good visibility. So it's not just an alert, right? No, it's a series of alerts coming through that. Okay. Yeah.  

[00:09:16] Sean Martin: So I presume that's where you guys come in and really help.  

[00:09:20] Jim Broome: Yeah, in essence, it's, yeah, for us it's really sitting down and actually creating the alerts, uh, action in them, and then actually building response capabilities. 

Like, one of the lessons learned, you know, directly was, if you're in some fintech companies, financial, you know, organizations, they have rules and regulations which a third party like us cannot have permissions to reset global admins, and yet the threat actor is walking in with a global admin account. So, one of the things we had to come up with is, you know, a set of compensating controls with the customer. 

Like, hey, you know, I'm going to work to do my best to get your attention, but you need to leave me an option to be able to help you out here and kill accounts. So sometimes we work on automation to do account lockout of higher privilege. Sometimes we just basically have a rule of engagement that if they don't respond fast enough, we can override them. 

So again, it's, you know, if you will ask for forgiveness after the fact, but you know, at least I kept your, you know, I kept them from getting any further inside the environment. So that's really where we can, we, we truly embrace the concept of partnership. Like, Hey, I'm doing, I'm going to do my best to keep them out of here for you and keep your business going, but you got to work with me. 

You know, sometimes regulations kind of need to be, you know, documented, but we still need to have a path forward to help you, especially if your team is struggling to respond.  

[00:10:34] Sean Martin: There's always an exception in an edge case. Yep. 

This is the second year. Is there anything in the report that pops out as we didn't expect to see that, or we didn't expect to see that thing at this rate, or we're looking for something and that never surfaced?  

[00:10:57] Jim Broome: I mean, the bigger themes that we were able to get from year one to year two is, again, our message of cooperation and customization definitely rang through. 

Um, and it shows in our stats, but secondarily to that was really the change in threat actor behavior of, you know, because they're leveraging AI to create their phishing campaigns, we saw the success rate of successful click through or employees giving up username, password and PIN code, uh, to the threat actor, uh, across the board rise around 25 to 35 percent.

And that was just over the course of one quarter, uh, coming into, uh, summer last year, coming into the fall. And so, you know, that was direct, you know, we could directly go back to look at the original email that came in. It was like, yep, they got all the buzzwords right, they profiled the company. There's no grammatical errors, there's localization in some cases, because they were actually attacking employees in foreign countries from the United States. 

And so they had, you know, proper phraseology. Everything you needed to come across as authentic. And all courtesy of ChatGPT, very much.

[00:11:59] Sean Martin: Interesting. What do, so, this data is generated by customers, so presumably you're seeing a lot of the same things and you're interacting with them as well. Um, in the field, feet on the street, supports everything, pretty much everything you're seeing in the report.

Are they, do the conversations mimic the summaries? Yes. Uh,  

[00:12:29] Jim Broome: I mean, what's been really interesting is, you know, in the ever evolving role and responsibility of the CISO, like, with your conversation with Chris, especially manufacturing cases, the CISOs are now directly being asked to be part of or protect the operation of the line because that's the money to the company.

And that's, you know, those roles and responsibilities have actually been handed down to the CISO. And so that data, those messages around, you know, what are our use cases, such as we're, we're literally for. Uh, folks on the picture you'll see, we're actually over here at the Claroty booth, so to give them a shout out, you know, we're leveraging their technology for OT visibility.

Cyber, however, is not our number one request. It's actually change management. So, one of the stories that their product actually does is it sees cyber issues, especially from, you know, network visibility. It sees change management issues like firmware changing on assets that could cause an impact to a line. 

It actually sees vulnerabilities, um, and it can feed a vulnerability management story as well. Thank you. Um, all of which we have rolled into it, but, you know, thematically the conversation with, like, the C suite, uh, CISOs is, yeah, I mean, your number one request to me is to tell you things that actually may cause productivity issues. 

So, change management's number one. It's not actually a cyber request. And even those themes from, like, the report as an example, sitting down and, number one, you guys are still using text messaging, by all means, stop. It's outside your control. Uh, you know, if you can't do that because it's such a cultural shift in the organization for timeliness, let's at least go back to all your admins and tell them no. 

Like, let's, you know, let's put some rules of engagement around your most privileged users, they have to use PIN, you know, notification or PIN code or maybe a FIDO2 key with, you know, YubiKey or whatever. Let's put some other solutions in place to just take the most privileged, you know, accounts down and monitor them better and more effectively and so forth.

Those are the themes that come from that data, go back to real, you know, feet on the ground and conversations with executives on how to change the culture and program.  

[00:14:23] Sean Martin: Interesting, because you said, I want to pull on this string a little bit. I continue to hear the theme of resilience. And certainly when you get into manufacturing and critical infrastructure, uptime. 

Yep. Followed, if not equal to safety.  

[00:14:39] Jim Broome: Exactly. Especially on the other side of the fence of traditional SCADA.

[00:14:42] Sean Martin: They eat. But you can't achieve those if there are weaknesses in the system. So security has to be this. I'm curious, do organizations not say security, but expect it? Or not say it and pray? Um,

[00:15:02] Jim Broome: I mean, we do still practice a lot of faith-based cybersecurity here in the United States.

Lord, please let them hack somebody else. Uh, but uh, you know, really the bigger change or shift, um, around OT and around uptime monitoring. Uh, uh, availability is the number one concern because that's bottom dollar for everybody in that scenario. But what it really translates into is we're using cybersecurity products to go back to core IT disciplines.

Which is just up, you know, did you have a proper change management window? Was this patch tested before we rolled it out? Um, because we've seen, um, using one example, if that line goes down for more than 15 minutes, the CEO gets a phone call to let them know they're not making their number that quarter.

So that direct, you know, it's a direct impact. So those stories kind of, you know, matriculate back to just core IT more than IS. Because I, you know, I'm old enough at this point to still make the delineation between the two.  

[00:15:53] Sean Martin: Oh, definitely.  

[00:15:55] Jim Broome: So yeah, thematically that's kind of where we're seeing a lot of that today is really, you know, finding or using cyber security solutions to actually give an IT conversation. 

[00:16:05] Sean Martin: Earlier you mentioned, I presume you provide guidance, but it sounds like you also seek direct feedback. Because each business is unique, where they are, what they're operating in, how their culture, all that stuff plays a role. Um, how, same question for two different audiences. Existing customers, how can the findings in the report, the data from the report, help them have a better understanding? 

Engagement with you to have that collaboration of here's what we're seeing in the report that might impact your business. Help us understand where we can kind of come in and then further help.  

[00:16:45] Jim Broome: Sure. Um, so for the customer engagement today, we, you know, our biggest feedback is we force them to talk to us.

Um, and so we, we do believe in collaboration. We do have constant standup meetings, and so we have, at the very least, a quarterly strategic piece to go over these findings as they're fresh into our ecosystem. So the fact they were distilled into a report, right. No, we're constantly trying to hold their hand and get them through the process.

Because, you know, case in point, things change every week. You know, if an organization is still using, for example, Oracle, you know, platforms. Oracle is notoriously tough to work with. Uh, they don't have the best, you know, patching schedule like the other vendors are monthly. Theirs is quarterly. So you get hit with 500 patches at once and you got to figure out which patch goes into this application stack. 

So, you know, singling out like, right. Well, I mean, singling out PeopleSoft is a great example. It's a legacy technology. They have, it's in just about every major corporation today. However, it's 18 patches individually to secure the web server. And exactly, uh, it has to be in the right order. And so if you mess up, you know, you're still vulnerable. 

And so we do see, for example, uh, what we call priority two events, which is web shells dropping on web servers from time to time. That's your first incursion. You know, so, you know, you hope your EDR stops it. If it doesn't, then we've got secondary, you know, uh, visibility stories specifically for, you know, discovery and when they start trying to break off that machine and jump into other things.

That's threat hunting, that scale, that's, you know, essentially what we're doing is looking for the gaps out there. And so we take, again, all this data, all this, you know, day to day and bring that back to our customers like, Hey, you're running this. Strongly recommend you deploy it this way and just, you know, give that guidance. 

[00:18:20] Sean Martin: It's huge. Yeah. So for the other audience, those who have not had the pleasure Yep. working with you and, and Chris and the team,  

[00:18:28] Jim Broome: happy to talk to everybody, give you a demo.  

[00:18:30] Sean Martin: That's right. Um, um, what should they be looking for in the report to kind of set the stage?  

[00:18:38] Jim Broome: For sure. Most of our stuff is, we try to present this very, in a very tactile and, you know, common sense manner. Number one, stop using texts. I mean, you know, your bank's unfortunately federally insured, so they're still doing it, but we're actually starting to see banks get away from using texting as an option, now moving to more, you know, common things like Google Authenticator or whatever.

Number two is really going to be, you know, be aware of your single sign on, how it's integrated into the various, you know, bits of your cloud infrastructure out there and have visibility stories. Case in point is one of the solutions we monitor is Salesforce. Monitor ServiceNow, which is a key repository of data for a lot of companies, and just seeing what's logging in there, we can spot, you know, not only threat actor behavior, but we can also spot developers not acting well, using third-party apps to back up things.

They probably weren't authorized to back up, so you can see a lot of that visibility and turn that into, you know, those type of, you know, visibility stories for the organization. And number three really today is, if you're definitely going to not invest in EDR, then go take a look at our buddies over at Halcyon.

Uh, you know, they're definitely solving the ransomware problem, so if you're not ready or you can't afford, uh, to invest in enterprise EDR solutions, then yeah, you know, second, second option is available for you now, which just, just looks at solving the ransomware problem. Got it.  

[00:19:56] Sean Martin: Alright. So, read the report, connect with Jim, look at the partners. 

It's all about, uh, initial assessments. Gaining visibility through monitoring and having the wherewithal from your team to close the gaps.  

[00:20:11] Jim Broome: And just, you know, truly, uh, you know, when we talk to clients, if you're out there evaluating MDR and MSSPs right now, make sure you reserve your right for your service you're looking for. 

So my three simple questions I tell everybody to always ask the room is, will your MSSP support a custom alert? Will they triage that custom alert with a custom playbook? And will they do a custom response based off of the custom alert? It's a day's market space. If you put 10 of us in the room, only 3 of us will be left standing on average. 

[00:20:36] Sean Martin: Interesting. You mentioned playbook, that's a whole other conversation.  

[00:20:39] Jim Broome: Oh yeah, that's... How much time we got?

[00:20:43] Sean Martin: Well Jim, I'm going to leave time for folks to connect with you and I hope they do have a good chat with you and Chris. I've really enjoyed my conversations with both of you. Very enlightening and you guys are working on some good things. 

[00:20:56] Jim Broome: Appreciate it. And we got you outside in the sun. 

[00:21:03] Sean Martin: Well Jim, thanks, uh, thanks so much for that. And do, everybody do grab the report, connect with Jim and, uh, the RxEvents team. And please do continue to follow me here at RSA Conference. Uh, lots more coming your way. And, uh, we'll see you all soon.  

[00:21:16] Jim Broome: Yep, have a great show.