The Defender's Advantage Podcast

We are wrapping up our “Big Four” series with a country that has beenone to watch for quite some time: Russia. And who better to join mefor this episode than our Vice President for Mandiant ThreatIntelligence, John Hultquist.We started off this episode discussing how Russian cyber threatactivity evolved to what we know today, from the days of MoonlightMaze and Agent.BTZ. We then shifted the conversation to some of themost notable Russian threat groups and the difficulties of assigningattribution at the organizational sponsorship level. While many APTgroups from the “Big Four” may blend together various types of threatactivity, Russia has utilized a particularly interesting mix of cyberespionage, information operations, and disruptive attacks over theyears.John brought up many notable Russian incidents, including: theOlympics, the Ukrainian power grid, the targeting of elections, andthe SolarWinds supply chain breach. We also discussed some of thechallenges in communicating threat intelligence to both customers andwider audiences. To cap off the series, John delved into howorganizations should think about not only Russian threat activity, butthe operations and campaigns from North Korea, Iran, and China.You can stay ahead of threat actors like those from the “Big Four” byjoining Mandiant Advantage Free where you’ll have access toup-to-the-minute threat intelligence: http://feye.io/MA

The third installment of our “Big Four” series on China is filled withso much great information that it’s our longest episode yet. LloydBrown, Principal Analyst for our Custom Intel Team, and ScottHenderson, Principal Analyst for our Cyber Espionage Team, joined ourhost, Luke McNamara to peel back the layers of China’s cybercapabilities.Similar to past episodes in this series, we started at the beginningof China’s cyber operations—dating back to 2003. Scott and Lloyd tookus through a detailed look at all the stages of China’s operations,including the shift in 2015/2016 from being “clumsy and noisy” tostealthy. Lloyd brings up a great point that’s worth hearing abouttheir use of CVE exploits (which came into play with the recentMicrosoft Exchange server exploits).We also discussed how China’s cyber activity is driven by economicinterests such as the Belt and Road initiative, the nature of theiroperations surrounding global elections, APT41’s cybercrime activityin addition to cyber espionage, and where they think China’soperations are headed. You’ll definitely want to stick around to thevery end. Since our initial recording occurred before the MicrosoftExchange exploits, Luke decided to follow up with Lloyd to get histake on HAFNIUM and the UNC groups we’re tracking related to thatactivity.Know the threats that affect your organization with up-to-the-minutethreat intelligence by signing up for Mandiant Advantage Free:http://feye.io/MA

How does Reddit handle malicious or suspicious coordinated activity ontheir platform? Our host Luke McNamara asked Aylea Baldwin, ThreatIntelligence Lead at Reddit, to answer that question and more duringthis episode of Eye on Security.During the discussion Aylea shared a few ways Reddit is uniquecompared to other social media networks—its tolerance for varyinglevels of behavior on different communities, the lack of user datacollection, and the way posts are amplified through voting. The votingfeature is unique to Reddit and Luke was curious to know how threatactors leverage it as part of their influence campaigns. As it turnsout, the answer to that question isn’t so simple since foreign actorshave to get buy-in from people to up-vote their posts.We ended our conversation with Aylea’s thoughts on the future ofdisinformation and deep fake technology, which is a concern in thesecurity and many other industries, and something that can have a hugeinfluence on sites such as Reddit.

Did you know that women are disproportionately affected by cybercrime,cyber stalking, cyber bullying, cyber harassment, and image-basedsexual abuse? We asked Cris Kittner, Principal Analyst at MandiantThreat Intelligence, and Lillian Teng, Director of ThreatInvestigations from Verizon Media to join us for a discussion aroundtheir recent talk on digital safety for women and practical strategieswomen of all ages can take to increase their online safety.Cris and Lillian provided their reasons and motivations for puttingtogether the talk, which they first presented at the Grace HopperCelebration in 2020. They highlighted the connection between physicaland cyber stalking and the need for these conversations to benormalized. Far too often, Cris and Lillian heard from youngprofessionals that they believed the cyber harassment that washappening to them in the workplace or at conferences was “normal.”To combat the issues many women are facing online, Chris and Lillianprovided a list of practical considerations that women should follow,such as using a password manager, knowing what permissions are beinggiven to third-party applications, understanding that Snapchat imagescan be recovered, adjusting (or eliminating) location tags, and how toreport abuse happening on social media sites.Listen to the episode today for online safety strategies that can helpyou or a loved one stay safe online.

We’re back with the second episode of our “Big Four” series focused onNorth Korea, Iran, China, and Russia. We honed in on Iran for thisone, and to help explore their cyber capabilities, we invited SarahHawley, Principal Analyst for Mandiant Threat Intelligence, and LeeFoster, Senior Manager of Information Operations Analysis.Sarah kicked off the episode by providing an overview of Iran’s pastoffensive cyber activity and how these capabilities have developedover the years. Lee shared how they have also grown their usage andwillingness to use information operations (IO) and how his teamapproaches attribution and analysis of this disinformation activity.We then touched on drivers of Iranian cyber threat and their apparentincreasing willingness to target democratic processes. Sarah alsodiscussed Iran’s destructive activity going after industrial targetsin the oil and gas sectors through password spraying and spearphishing operations.As always, we closed out the episode with thoughts about what Sarahand Lee think we might see from Iran’s cyber operations in the comingyears. Listen to hear their predictions and stay tuned for ourupcoming episodes on China and Russia.Listen to the podcast now, check out the “Big Four” episode on NorthKorea if you haven’t already, and then head over to our Eye onSecurity page for even more episodes.

“Legitimate access rules the threat landscape”, says Jon Ford,Managing Director at Mandiant. In addition to loss of intellectualproperty, malicious insiders are increasingly impacting organizationalreputation, customer trust and investor confidence. There’s a lot moreto insider cyber security threats than disgruntled employees, which isthe first thing that comes to mind for most when they think of thisthreat. Jon Ford, Managing Director of Mandiant, and Johnny Collins,Director of Mandiant, joined us to break down what insider threats areand the trends Mandiant is seeing in recent investigations.Johnny began by defining insider threats—from unintended linkclicking, all the way up to human enabled technical operations (thinkmeet-ups in parks while avoiding all electronic communications thatyou see in movies). Both Johnny and Jon shared how organizations onthe commercial and government sides are thinking about insider threatsas part of their overall risk and security posture, and how clientsare approaching insider threat security from a behavior-focusedapproach as opposed to targeting or profiling individuals.Then we got to the good part: stories from recent investigationsthey’ve worked on through Mandiant’s Insider Threat Security Servicesofferings. You might be surprised by the outcomes of a few of them.Johnny and Jon went on to highlight the various tiers of Mandiant’sInsider Threat Program Assessments and Mandiant’s Insider ThreatSecurity as a Service offering with Mandiant Intelligence. Johnny andJon close with shared thoughts on the growing Insider Threat trendswe’ll see in the near future.

While many cyber threats and security issues are universal andexperienced by organizations in any part of the world, some are morecommon to a particular region than others. Host Luke McNamara invitedRyan Goss, Vice President for Latin America & the Caribbean, and JuanCarlos Garcias Caparros, Director of Mandiant Consulting for LatinAmerica and the Caribbean, to talk specifically about cyber securityin Latin America.Juan Carlos shares what threats we’ve seen our customers face in LatinAmerica. He also discusses the security culture in Latin America,comparing maturity of organizations to those in United States orEurope. We also explore whether attitudes are shifting around cybersecurity in boardrooms. Ryan believes it’s moving in a good direction,but that many companies still treat cyber security as an afterthought,which leads to lower overall budgets and forces security teams tofocus on solutions that are “good enough” or at least allow them to“check the compliance box”. Thus the importance of FireEye leadingwith Mandiant Services and establishing ourselves as trusted advisorsand true partners for our customers.We wrap up the episode by touching on cyber training, securityvalidation and unexpected activity from North Korea targetingfinancial institutions throughout Latin America.

We’re kicking off Eye on Security in 2021 with a nation-state-themedminiseries that focuses on the big four, which we recognize as NorthKorea, Iran, China and Russia. In this episode, host Luke McNamarainvited Fred Plan, Senior Analyst for Mandiant Threat Intelligence,onto the podcast to talk about North Korea.Fred started our discussion by providing some background on thecountry, how it operates geopolitically, and why they’ve shifted theirfocus to a cyber capability. We also review their early cyberoperations that primarily targeted South Korea and their expansion tothe U.S. private sector with the Sony hack. Since then, North Koreacontinues to be active in both financially-motivated andespionage-related operations.There are a lot of behaviors that make North Korean cyber operationsunique, due in part to the country being very closed off. Their cyberoperations have demonstrated rapid shifts in targeting, which likelycomes at the request of the regime. We most recently saw this withtheir targeting of COVID-19 research and vaccine distribution. NorthKorea hasn’t publicly reported on any COVID-19 cases, so their cyberbehavior offers us a glimpse into what might actually be going onwithin the country.As always, we like to predict what we’ll see next in a region or froman actor. In this case, Fred says it’s quite difficult to know whatNorth Korea is up to next. Find out why when you listen to theepisode.

As the COVID-19 pandemic continues, cyber threats have worsened forsome industries across the globe. Universities with medical andresearch facilities are increasingly being targeted by threat actorsbecause of the critical and valuable work they do surroundingpandemic. Host Luke McNamara invited Monte Ratzlaff, Cyber RiskProgram Director at the University of California Office of thePresident, to join us for this episode of Eye on Security so we coulddiscuss the important research they secure.Monte and Luke reviewed the types of data UC protects, which includesprotected health information, payment card data, student data andresearch data. Even with all that data, the threats UC faces are stillquite similar to what many other organizations face: phishing,ransomware and nation-state attacks.We shifted our discussion to the challenges of securing COVID-19research; especially at a time where ransomware is particularlyrampant. Monte emphasized the critical need for organizations to knowtheir environment and have plans in place in case attacks get throughdefenses.Listen to the episode to hear insights on securing medical devices andwhy Monte wouldn’t be surprised to see an uptick in insider threats asa result of a larger remote workforce.

With 2020 coming to an end, we’ve released our 2021 cyber securitypredictions report, videos with our senior leaders and more. Our host,Luke McNamara asked General Earl Matthews, VP, Strategy for MandiantSecurity Validation to join him on 'Eye on Security' to discuss whatwe can expect in the cyber space heading into a new year based on thethreat activity we’ve seen recently.Ransomware isn’t going away any time soon, so Luke asked GeneralMatthews how he’s seen executives react to this new type of threat andif that has impacted how they think of security. We also explore theincreasing risk ransomware poses to operational technology based onsome of the ransomware campaigns we have seen this year.We also talk in depth about third-party risk—a risk that’s been aroundfor a long time, but that we’ll see increasingly exploited by threatactors. General Matthews also shared some personal stories about histime as a CISO that you won’t want to miss.General Matthews and Luke finish their chat with an interesting lookat which industries have adopted security validation and the benefitsof this solution for providing proof of security effectiveness.