The Defender's Advantage Podcast

Vicente Diaz, Threat Intelligence Strategist at VirusTotal, joins host Luke McNamara to discuss his research into using LLMs to analyze malware. Vicente covers how he used Gemini to analyze various windows binaries, the use cases this could help address for security operations, technical challenges with de-obfuscation, and more.For more on this topic: https://blog.virustotal.com/2023/04/introducing-virustotal-code-insight.htmlhttps://blog.virustotal.com/2024/04/analyzing-malware-in-binaries-and.html

Josh Fleischer, a Principal Security Analyst with Mandiant's Managed Defense organization, dives into the alarming trends of multi-factor authentication (MFA) bypass in this discussion. He reveals how adversary in the middle attacks exploit vulnerabilities, particularly through advanced phishing tactics. Josh highlights the rise of 'phishing as a service,' automation in spear phishing, and the risks posed by QR codes. He emphasizes the critical need for robust MFA solutions amid evolving threats and shares insights on detecting and remediating digital threats.

Host Luke McNamara is joined by Clement Lecigne, security researcher at Google's Threat Analysis Group (TAG) to discuss his work tracking commercial surveillance vendors (CSVs). Clement dives into the history and evolution of the CSV industry, how these entities carry out operations against platforms like mobile, and the nexus of this problem into the increasing rise of zero-day exploitation. For more on TAG's work on CSVs:https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/https://blog.google/threat-analysis-group/commercial-surveillance-vendors-google-tag-report/https://blog.google/threat-analysis-group/googles-efforts-to-identify-and-counter-spyware/

Mandiant APT Researcher Ofir Rozmann joins host Luke McNamara to discuss some notable Iranian cyber espionage actors and what they have been up to in 2024. Ofir covers campaigns from suspected IRGC-nexus actors such as APT42 and APT35-related clusters, as well as activity from TEMP.Zagros.  For more on this topic, please see:  https://blog.google/technology/safety-security/tool-of-first-resort-israel-hamas-war-in-cyber/https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations?e=48754805https://cloud.google.com/blog/topics/threat-intelligence/suspected-iranian-unc1549-targets-israel-middle-east?e=48754805

Mandiant Consultants Trisha Alexander, Muhammed Muneer, and Pat McCoy explore securing AI workloads. They discuss implementing AI tools securely, distinguishing between safety and security testing, deploying AI solutions in cyber defense, and enhancing security maturity and governance for adopting technologies.

Mandiant consultants Will Silverstone and Omar ElAhdan share insights on cloud compromise trends, living off the land techniques, extended attack surfaces, securing identities, third-party risks. They discuss the importance of strong multi-factor authentication, detecting potential attack vectors, and managing third-party risks separately.

Michael Raggi, Principal Analyst at Mandiant Intelligence, discusses ORB networks used by China-nexus threat actors for cyber espionage. Topics include the anatomy of ORB networks, how they are leveraged by APTs like SPACEHOP, and the implications for defenders. The conversation dives into the evolution of tactics, understanding and communication frameworks, and the challenges of attribution in cyber operations.

Mandiant Principal Analysts John Wolfram and Tyler McLellan join host Luke McNamara to discuss their research in the "Cutting Edge" blog series, a series of investigations into zero-day exploitation of Ivanti appliances.  John and Tyler discuss the process of analyzing the initial exploitation, and the attribution challenges that emerged following the disclosure and widespread exploitation by a range of threat actors.  They also discuss the role a suspected Volt Typhoon cluster played into the follow-on exploitation, and share their thoughts on what else we might see from China-nexus zero-day exploitation of edge infrastructure this year.  For more on this research, please check out: Cutting Edge, Part 1: https://cloud.google.com/blog/topics/threat-intelligence/suspected-apt-targets-ivanti-zero-dayCutting Edge, Part 2: https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-zero-day-exploitationCutting Edge, Part 3: https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistenceCutting Edge, Part 4: https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movementFollow John on X at  @Big_Bad_W0lf_Follow Tyler on X at @tylabs

Jurgen Kutscher, Mandiant Vice President for Consulting, joins host Luke McNamara to discuss the findings of the M-Trends 2024 report.  Jurgen shares his perspective on the "By the Numbers" data, the theme of evasion of detection in this year's report, and how Mandiant consultants have been leveraging AI in purple and red teaming operations. For more on the M-Trends 2024 report: http://cloud.google.com/security/m-trends

Kimberly Goody leads Mandiant's Cyber Crime Analysis team, specializing in ransomware, while Jeremy Kennelly is a lead analyst with expertise in data theft. They dive deep into the evolution of multifaceted extortion, revealing a sharp rise in ransomware payments, with averages exceeding $1 million. They discuss why manufacturing and small enterprises are increasingly targeted due to limited security and assess the healthcare sector's vulnerabilities. Notably, they highlight shifts in tactics used by attackers, emphasizing a troubling trend in exploit-based operations.