
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast) SANS Stormcast Friday, October 10th, 2025: RedTail Defenses; SonicWall Breach; Crowdstrike “Issues”; Ivanti 0-days; Mapping Agentic Attack Surface (@sans_edu paper)
Oct 10, 2025
Michael Samson, a recent SANS master's graduate and infrastructure security researcher, joins to discuss the attack surface of AI agents. He argues for defensive strategies built around attacker techniques rather than short-lived indicators of compromise. The episode also covers the implications of the SonicWall breach and vulnerabilities in Crowdstrike's Falcon sensor. Samson's research highlights hidden risks from improper authorization and from the interconnectedness of agent ecosystems, and makes the case that mapping these surfaces is a prerequisite for better defenses.
Episode notes
Prioritize TTPs Over Ephemeral IoCs
- Indicators of compromise like hashes and IPs are ephemeral and limited in value.
- Focus on attacker TTPs (e.g., weak SSH keys, writable authorized_keys) to build resilient defenses.
Lock Down Authorized SSH Keys
- Protect and centralize SSH authorized_keys to prevent stealthy persistence.
- Make the file owned by root and writable only by root, or manage keys centrally, so that unauthorized changes stand out and are easier to detect.
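As an added example for the two sections above (it is not code from the episode, from SANS, or from the RedTail write-up), the POSIX shell script below audits a directory of per-user authorized_keys files for the two properties that stop the persistence technique: owned by root and not group- or world-writable. It is a TTP-level control in the sense of the first section, because it catches any appended key regardless of which key, hash or source IP the attacker uses. The /etc/ssh/keys/%u layout and the sshd_config and auditd lines in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Audit authorized_keys files so that the login user cannot append a key to
# their own file. Added example for this page; the /etc/ssh/keys/%u layout,
# the sshd_config lines and the auditd rule below are assumptions, not
# something the episode prescribes.
#
# Suggested sshd_config (assumption): take the file out of the user's home
# directory and into a root-owned directory, one file per user.
#   AuthorizedKeysFile /etc/ssh/keys/%u
# Or, for centrally managed keys, have sshd ask a root-controlled program
# instead of reading a file at all:
#   AuthorizedKeysCommand /usr/local/sbin/fetch-keys
#   AuthorizedKeysCommandUser nobody
# Suggested auditd watch (assumption) so that every write to the directory
# produces a log event you can alert on:
#   -w /etc/ssh/keys -p wa -k ssh_authorized_keys
set -eu

# Pure policy check. $1 = owner uid, $2 = permission bits in octal as
# printed by stat (e.g. 644). Returns 0 only when the file is owned by
# root and has no group or world write bit, i.e. the login user cannot
# modify it without first becoming root.
keys_locked_down() {
    owner=$1
    mode=$2
    [ "$owner" -eq 0 ] || return 1
    # 022 masks the group and other write bits; the leading 0 forces the
    # shell to read the stat output as octal.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# Print "<owner uid> <octal mode>" for a path (GNU stat, BSD stat fallback).
file_owner_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %Lp' "$1"
}

# Audit every regular file directly under $1 (one file per user, as with
# AuthorizedKeysFile /etc/ssh/keys/%u). Prints one line per file and
# returns 1 if any file could be modified by a non-root user.
audit_keys_dir() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(file_owner_mode "$f")
        if keys_locked_down "$1" "$2"; then
            echo "OK   $f (uid $1, mode $2)"
        else
            echo "FAIL $f (uid $1, mode $2): writable by a non-root user"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh audit-keys.sh /etc/ssh/keys
# Pointing it at a user's ~/.ssh instead shows why the legacy location
# fails the check: the file there is owned by the user by design.
if [ "$#" -gt 0 ]; then
    audit_keys_dir "$1"
fi
```

The check deliberately ignores the key material itself. A blocklist of known RedTail keys would be an indicator that the next campaign invalidates; a root-owned, non-writable file makes the technique fail no matter whose key is being added.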
SonicWall Changed Its Story
- SonicWall initially blamed users for weak passwords after MySonicWall backups were stolen.
- They later admitted all backed-up configurations were compromised and that the initial scoping was wrong.

