Zero Day: Cyberattacks in Fiction vs. Reality – Free Webinar for Public Safety and Government Agencies
In Netflix’s political thriller Zero Day, a devastating cyberattack throws the country into chaos. But the real threat of a zero-day cyberattack—an exploit used before a fix is available—is something public safety and local government agencies face every day.
Join cybersecurity experts from SecuLore for a live webinar breaking down what Zero Day got right and what it got wrong, analyzing how real-world zero-day threats impact emergency communications and local government systems, and giving you practical steps to protect your agency.
What You’ll Learn:
What is a zero-day attack, and how do they happen?
Analysis of Zero Day on Netflix—what’s fact vs. fiction.
Why public safety systems (like 911 centers, ECCs, and PSAPs) are high-risk targets.
How to improve cyber hygiene and close security gaps before attackers strike.
What to do during a zero-day attack—and how to recover after.
Steps your agency can take now: cyber risk assessments, incident response, network monitoring, and awareness training.
Who Should Attend?
- 911 center directors and PSAP supervisors
- Emergency communications and ECC managers
- Local government CIOs and IT/security personnel
- State and municipal cybersecurity planners
- County technology leaders and digital risk managers
Webinar Details
- Speakers: Aaron Wood, SecuLore SOC Manager
Why SecuLore?
SecuLore is a leading cybersecurity provider focused exclusively on defending public safety, emergency communications, and local governments. Our U.S.-based SOC team and cyber analysts protect hundreds of 911 centers and agencies across the country from cyberattacks—including zero-day threats.
Don’t Wait Until a Real Zero Day
Don’t wait until your organization becomes the next phishing victim. Register now and arm yourself with the knowledge to stay ahead of cybercriminals.
Watch on-demand now!
3:23
Today, in Netflix’s political thriller Zero Day, a devastating cyber attack throws the country into chaos.
3:30
But the real threat of a zero-day cyberattack, an exploit used before a fix is available, is something that public safety and local government agencies face every day.
3:40
Today we’re going to be breaking down what the TV series Zero Day got right and what it got wrong, we’ll analyze how real-world zero days start to impact emergency communications and local government systems, and we’re going to give you practical steps to protect your agency.
3:55
We’ll start with our host today.
3:57
Aaron Wood is SecuLore’s SOC Manager; he has 10, 12 years of experience in cyber security and technology.
4:05
He has developed and maintained the company’s track tools.
4:08
Aaron is skilled in static and dynamic malware analysis and has been at the forefront of 25 different incident responses for public safety and 911 centers in his time at SecuLore.
4:19
And I am Justin Ladd, I am the creator of SecuLore’s Cybersecurity Webinar and Speaker Topics.
4:23
I’ve developed over 30 of these webinar and speaker topics for SecuLore over the past three years. I will be your moderator and co-host for today. With that, Aaron.
4:32
Let’s talk zero day. Sounds good to me. All right.
4:38
So before we get started, we’re gonna introduce a little poll first, and we’re gonna ask how comfortable your organization feels about its ability to detect and respond to a zero-day cyber attack. So, before we really get into that kind of thing, we’ll let you answer this question and see how everybody feels about their organization’s ability to respond to a zero day if they should face one.
5:12
We’ll leave this open for about 30 seconds or so.
5:15
So we can get more people to tune in and vote.
5:21
It’ll be very interesting to see the responses to this one, just to see how many people are 100% familiar with a zero-day attack and how they think they would go about finding one and responding to one.
5:36
Give it just a few more seconds here.
5:40
Got almost everybody voted.
5:45
All right, we’ll end the poll and share the results.
5:48
So 100% of people who responded said they are somewhat confident.
5:52
So not very confident, but somewhat confident.
5:54
How do you feel about that answer, Aaron?
5:55
Do you think that’s a pretty good sign that everyone’s somewhat confident?
5:59
Yeah, especially given that with zero days, especially this year, we’ve seen a lot more disclosures.
6:05
It’s gotten a lot more attention.
6:06
Hopefully we can help increase that confidence and not reduce it during this, but we’ll see what happens.
6:13
All right, so let’s talk about what a zero-day attack is.
6:15
It’s a cyberattack vector technique used to take advantage of undiscovered hardware, firmware, and software security flaws, and it refers to the fact that there are no days or time in which to fix the vulnerabilities.
6:28
So they are discovered usually by bad actors, unfortunately, who are able to find those vulnerabilities before we know about them.
6:39
And these are a list of zero-day attacks by year here. You can see 2023 was a pretty high year.
6:45
We did a zero-day webinar for those who haven’t had a chance to see that one. We did this back in 2023.
6:50
And that was a pretty big year for zero-day attacks.
6:54
We’ll get into some of those more today, which included, I think, MOVEit. That was coming off the heels of Log4Shell.
7:00
So you can see 2023 was a pretty rough year for these; 2024 was also above 2022.
7:07
So a little bit of fluctuation; it’s down, but still close to the highest it’s ever been.
7:12
And why are these increasing, Aaron?
7:14
Why do you think we are seeing an increase in zero day exploits?
7:18
So there’s definitely a couple of different reasons.
7:22
The first one, obviously, being a larger attack surface as more infrastructure is brought onto cloud services, as more things require, you know, interconnected devices.
7:36
All of those things that require communication potentially have vulnerabilities.
7:40
They can be exploited. They can be utilized in malicious ways.
7:47
And another one here being, it’s kind of a little bit of a feedback loop with public disclosure.
7:54
As more zero days are discovered, there’s more attention on zero days, and more people are looking for them.
8:01
So it kind of feeds back into itself.
8:05
And then also, tying into that, with the discovery of more zero days, and also as we can see the success of some of these zero days in some widespread attacks, the ill-gotten gains from that can be worked back into more advanced attacks.
8:24
We see attacker infrastructure become more complicated, both through obfuscation and also through kind of ransomware as a service and phishing as a service, things like that.
8:39
Notable zero days we talked about before.
8:41
So we said MOVEit in 2023.
8:43
That was a SQL injection flaw in a file transfer software.
8:48
That was a particularly bad one.
8:49
We had hackers who had access into Rhode Island’s public benefit system, CPS Energy in Texas had a system exposed by a vendor that was related to MOVEit, and then Bucks County was also affected, had their CAD affected, by MOVEit.
9:06
Log4Shell, we talked about a little bit, affected millions and millions.
9:11
A lot of places are using Log4Shell.
9:15
BeyondTrust, this was just not too long ago.
9:17
In December, a command injection flaw, and that is part of what allowed Chinese state-sponsored actors to access the US Department of Treasury, getting an authentication key.
9:29
And then the US telecoms one, I think we’ve mentioned on some of our webinars in the past, and I think everybody has probably read in their headlines, is that they’ve had access to systems for over a year through routers, through various different devices.
9:41
Aaron, these have been, I would say, pretty notable and pretty big exploits, and this just kind of shows you the targets that these threat actors are finding and what they’re going after.
9:52
What they know is in third parties and vendors.
9:56
Yeah, and these are pretty scary ones as well.
9:59
But a common theme here, especially as far as zero days are concerned, is through supply chain attacks.
10:04
It’s not necessarily taking over something directly controlled by the federal government, but maybe a service or an interface that the attackers know is in the network somewhere.
10:16
But the impact can be terrifying with some of these things.
10:23
Here’s a little more on MOVEit, just so you can see kind of the breadth of the impact from that across organizations: 72.7% are U.S. based, Department of Energy, U.S.
10:35
government contractors, banks, healthcare, critical infrastructure, American Airlines, colleges.
10:43
I mean, the scope of this is pretty wide, as Aaron said.
10:46
It’s supply chain based and, you know, MOVEit is something a lot of people are using.
10:51
And so this allowed them to impact a lot of organizations, scrape a lot of data, affect a lot of systems.
10:58
So this is still one that we’ve seen across the board quite a bit.
11:01
And who is behind these Zero Day exploits?
11:03
I think Aaron can talk a little more to some of the threat actors and some of the reasoning here, but you’ll see on this graphic here that a lot of it is due to state-sponsored espionage, which is kind of what you go through in the TV show, Zero Day, if you haven’t seen it.
11:19
I will say, if you haven’t seen the TV show, there will be some spoilers in this.
11:23
So if you haven’t seen it and you wanna watch it, we might give you some spoilers here.
11:28
So I can’t guarantee we won’t spoil the show for you a little bit.
11:31
But a lot of commercial surveillance, you can see state-sponsored espionage and financially motivated is a big one as well.
11:39
Aaron, any surprises kind of on this graph here of all the information collected about zero-day attribution?
11:46
I’m actually surprised that state-sponsored espionage is not a larger part of this, especially with zero-day hacks.
11:53
In a lot of cases, the ability to uncover and exploit and capitalize on zero-days is a pretty considerable effort.
12:04
And so we see this a lot of times linked with state-sponsored attackers, where the funds and the infrastructure and the time that is required to make these things happen can actually be realized.
12:16
And kind of following up with that, seeing it used for espionage, data theft, data harvesting, or just sitting in a network and seeing what’s there is a lot of what we see in zero-day attacks, and obviously kind of the theme of the show that we’re going to be talking about.
12:39
But it is interesting to kind of see it broken down like this.
12:44
And here are some of the consequences of zero days that you can kind of look through here.
12:49
Obviously, you know, you’re not going to find these before months pass.
12:53
Access to back doors is what we’ll kind of talk about in the TV show.
12:57
Public trust is a big one here, too.
12:59
Obviously, if you can’t detect one of these and the public finds out, that’s always a very tough one as well.
13:04
They can lie dormant in systems for a long time.
13:07
Data exfiltration is a big one, too, and they can be traded.
13:11
We’ll talk a little bit more in the webinar about how these are widely traded secrets; these vulnerabilities are very high priced in terms of selling.
13:19
So there’s a lot of consequences to not being able to fix these, respond to these, having the agility to respond, but also taking preventative measures.
13:28
So, Aaron, let’s get into the TV show itself.
13:32
So again, spoiler alert, if you haven’t seen the TV show, we are gonna spoil some plot points here and some endings, but let’s get into fact versus fiction.
13:39
I think that’s what everybody came for, to talk about what happened in the series and what Aaron can call out as, well, that could happen, but it’s unrealistic.
13:49
So some of the TV plot points here: it was basically created as a story to show the country what it would look like if there was another attack on the level of 9/11, but as a cyber attack.
13:59
The former president, played by Robert De Niro, is visited by a memoir writer to write his memoirs.
14:05
She leaves and her car is struck by a train at a railroad crossing, because at the time of her leaving there is a cyber attack that goes nationwide and affects everything from the energy grid to communications and transportation networks.
14:19
There’s a massive nationwide attack.
14:21
It’s called Zero Day, and it ends up killing thousands; it’s a widespread outage across power grids and systems.
14:28
Other infrastructure is completely hijacked, with safety systems that are somehow overwritten.
14:32
So we’ll get into a little bit of that here first.
14:34
So, Hollywood versus reality, slide number one.
14:39
In the Hollywood version of the show, subways and trains crash after they get switched onto the same tracks.
14:44
And then air traffic control at the same time goes down along with planes.
14:49
We see life support systems go down at hospitals and somehow even their backup generators are affected by this attack.
14:56
And then we also see mobile phones go down across the country and they display the message, this will happen again.
15:02
So I think we could say that in reality that’s pretty unrealistic; one zero-day vulnerability is not going to affect subway trains, the air traffic control system, health care, and mobile phones all at once.
15:16
Correct? Yeah, this is a pretty intense scene to start out with.
15:21
But, in reality, it’s a conglomeration of a lot of the different major cyber attacks we’ve seen throughout the years, stuff like NotPetya and WannaCry, SolarWinds.
15:35
It combines all that into one big super mega attack, which while certainly scary in Hollywood, would be a pretty unrealistic undertaking.
15:46
It would require a lot more than just a single exploit, especially to hit all of these different kinds of systems.
15:57
How many would you think it would take? Let’s say, for a scenario here, if there is a cyber attack or an exploit, how many do you think we’re talking here, wide scale?
16:07
This has got to be a lot of different vulnerabilities and attack surfaces to affect this many areas, right?
16:13
You know, being generous, you probably need at least one or two exploits, you know, per privacy network that you’re dealing with.
16:24
So if you’re looking at just, you know, hospitals and generators and air traffic control, that’s going to be a handful of vulnerabilities there.
16:32
Looking at even something down to, like, controlling stoplights.
16:38
So it would be a considerable amount.
16:42
Hard to say a number, but.
16:45
Yeah.
16:47
And number two here, after one minute of everything being down, everything goes back online.
16:53
After, unfortunately, a lot of people on the show die because of it, protests and conspiracy theories start to spark everywhere.
17:02
There’s stuff going on in pharmacies talking about supply chain.
17:06
Obviously, if this sort of thing were to happen, a lot of panic would be induced across the population.
17:11
But Aaron, I think the real big myth in this scenario here is that everything got turned off by those exploits, whether it was one exploit or multiple exploits, but turning it back on is a lot different than turning it off due to a vulnerability or an exploit, right?
17:27
Yeah.
17:28
Yeah.
17:28
And I think I can definitely sympathize with that.
17:32
Anybody who has worked with any sort of server infrastructure knows that turning a device off and back on is not quite as simple as that.
17:40
And especially given the systems affected in the TV show, it would take a whole lot longer than just a minute to get everything turned back on again.
17:51
Yeah, and that was across all of the systems there that were turned back on.
17:55
Hollywood versus reality again.
17:58
So this is where we kind of get into some spoilers here.
18:01
So the attack is carried out by just a few people, and it ends up being kind of an insider attack that we’ll get into more.
18:07
They were able to steal a piece of malware.
18:10
It was dubbed Proteus, to pull off the attack, and the group was able to access different systems all at once. And Aaron, again, I think the reality here is that it would take a lot of people, more than just a few, whether it’s a group of people in terms of a cyber threat group or even just a group of insiders. It would take a lot of coordination.
18:30
I think the more coordination you have to have to pull off an attack of this scale, the harder it would be to hide, right?
18:37
Yeah, and especially, again, given the vast number of areas of critical infrastructure that this attack in the TV show affected, you would need a company-sized team of people to undertake this, because while insider threats are very real and very present in a lot of different areas of cyber security, you would need a lot more people.
19:12
And especially, there’s another note here on the fact that the attackers only utilized, they steal, a single piece of malware, which is even more unrealistic, because across all these different systems you’ve got different operating systems, you have different security measures, you’ve got different programs running.
19:33
So a single piece of malware wouldn’t be able to pull this off; you’d probably need a full development team here to make this kind of thing happen. Yeah, good to know for reality, I think. The show also, I thought this was kind of an interesting goof, not really a huge plot point, but it talks about switching to analog technologies, and then many of the characters also continue to use their smartphones despite the widespread compromise. So that’s one of those plot points you can kind of point out and poke at. I thought this point was particularly interesting just in terms of switching back to analog technology.
20:14
Obviously, a lot of critical infrastructure has that ability, but even just in the modern day, being able to utilize their smartphones and stuff like that, if it really was a major hack that shut all these things off, that probably wouldn’t be real feasible a minute or two after the attack.
20:34
Yeah.
20:36
All right, and here’s another piece of this, too.
20:39
In the series, only the government and the Zero Day Task Force created by the government is involved in remediation.
20:46
And I think, you know, Aaron, we talked about how when there are a lot of people involved and a lot of systems that go down, it would take probably a lot more than just the government to figure this out.
20:59
It would take a lot of private and public coordination to address it, would it not?
21:04
Yeah, it would be considerably larger.
21:07
I mean, anybody who has worked with the federal government or even state or municipal governments to any capacity would be able to attest to that.
21:21
Especially with something as massive as a hack like the one portrayed in the TV show, there would be all sorts of vendors involved, there would be different government agencies, there would be local and state law enforcement; it would be a lot of people, a lot of hands in the cookie jar.
21:41
All right.
21:42
And then our final one here, Aaron, I’m very curious to see what you say about this.
21:46
So one of the leaders of the Zero Day Task Force, who’s trying to get everything back online in the final scenes of the show, or the final part of the cyber attack in the show, says that we’re going to troubleshoot this the old-fashioned way, one fail point at a time, and the flaw is obviously discovered and it takes just hours to respond and get systems back online.
22:09
And I’m not really sure what he meant by “troubleshoot this the old-fashioned way.”
22:12
Maybe you can speak to that.
22:14
Yeah, if only it were that easy.
22:16
If it were to act like this, it would take a lot of coordination and it would be hard to hide, again.
22:20
Yeah, and if only it was that easy to respond and discover flaws like this.
22:27
In real zero-day attacks, these things are undetected sometimes for months at a time, and recovery can take six months, a year, two years.
22:38
In an attack of this scale, it would probably be on the order of, I would say, at least five, six years to respond, because there are just so many systems, so much infrastructure that you would have to comb through to try and figure out what happened and where it happened and the specifics behind this kind of attack.
22:56
Especially when you’re talking about a lot of big critical infrastructure too, with power and medical and technology.
23:06
So here’s some of the things that Zero Day did get right.
23:08
There are some things they focused on that do relate to real life.
23:13
So they focused on phone attacks because smartphones are obviously a big weakness now.
23:17
They sent that message to all these smartphones; I’m not sure how you’d be able to tap into every network, because you have different networks.
23:24
But, you know, it says that this will happen again, and they’re using AI to hack phones.
23:29
And I thought the most interesting thing, Aaron, too, was that Russia was kind of the first accused here as the originator of the attack.
23:39
And it turns out it’s an insider threat, which we can talk about more.
23:43
But we do see pretty commonly that other entities will try to mask their vectors or their techniques to make it seem like somebody else.
23:52
Yeah, and these were a couple of interesting points that I noticed in the show as well.
23:57
The reliance on cell phones as part of an attack chain is, well, maybe not quite as we saw in the TV show, definitely a very realistic threat, but more on the phishing and data theft side as opposed to what we saw in the show.
24:15
And then the other point here: throughout the show, they talk a lot about attribution and who did it and who’s behind it and all that.
24:24
And this is definitely something we see in real life.
24:28
We kind of affectionately refer to it here as attribution hell.
24:32
Because attacks, especially of this magnitude, can be very difficult to attribute to a single actor or a single group because, again, these things are incredibly complicated, they are expansive, and so there are a lot of red herrings.
24:48
And one of the things we didn’t see so much in the show, but that does happen in real life, is that people who are not associated with the attack will try and take credit for it to, you know, just get the attention, things like that.
25:02
So then, as far as insider threats, we’ll talk about that a little bit too.
25:06
Obviously, the attack ended up being carried out by two different groups, but it originated from inside the government.
25:15
I think, like most times we’ve done this in the past, we’ve done a webinar on insider threats.
25:18
So if you haven’t seen that one, go back and watch that.
25:22
Most insider threats end up being unintentional.
25:25
So this was an intentional one.
25:27
Obviously this would be a hard one to figure out if it does come from the inside, but most insider threats end up being unintentional.
25:33
Isn’t that right, Aaron?
25:35
Yeah, and when we’re talking about insider threats from an unintentional perspective, in a lot of cases you can just swap that out with phishing, with it being responsible for something like 90% of initial breaches.
25:46
So it always pays to be careful with how you interact with systems and kind of understanding how you as the user can make a difference in these kind of things.
26:00
And a couple other things they got right here, two cyber attacks in the same system.
26:03
So they kind of went back to the well here, and research indicates that once an organization has experienced a cyber attack, they are more likely to suffer another one within 12 months.
26:12
And obviously, as we’ve seen in the news, they’re targeting telecoms, they’re targeting energy grids, government; these have all been recent attacks.
26:19
How often, Aaron, in your experience, do you see cyber attackers or, you know, cyber threat groups go back and try to attack the same system? Does that make you more of a target again, once you’ve been hit by a breach?
26:32
Like repeat customers there, and especially with attacks like ransomware and data exfiltration, you know, if a threat actor group sees that you’re willing to pay ransom to get your data back, they’re probably going to attack you again, because now there’s pretty much a confirmed case of being able to get paid for what they do.
26:55
And then on this other point of targeting critical systems, this is also something we see in real life, especially with some of the modern conflicts going on, seeing a lot of infrastructure targeted through cyber attacks, knocking out communications, just kind of general destabilization efforts through these critical areas.
27:20
And there’s a quote from one of the senators, who ironically ended up being part of the insider threat group, but he had a quote after the whole thing started; he said, our interconnectedness with the world carries with it a cost.
27:31
And I think that was a very telling quote in the series, and it’s just what you were talking about: everything is interconnected now.
27:38
And, you know, we have systems online, you have outside devices, you have, obviously, you know, parts of OT, other technology that was never meant to be exposed to the public or to the internet, right?
27:52
I think that’s kind of what he was talking about here. Aaron, what do you think about that quote, how telling that was?
27:58
Yeah, this was a very pertinent quote for kind of the modern times. It kind of makes me think of NG911 public safety systems, where you’ve got a lot of these things that need to be accessible at all times, and in order to best serve the communities that these 911 public safety centers cover, they’ve had to enhance their systems, utilize cloud services, and that carries some risk with it that was maybe not there 20 years ago.
28:31
Absolutely.
28:33
All right, let’s get another poll in here.
28:34
We want to figure out what steps your organizations have taken in the past year in terms of cyber security that would, you know, kind of combat or help to prevent zero-day threats or exploits that you might face.
28:50
So we’ll give you some time to answer here.
28:52
Would it be risk assessments? Hygiene training for staff, have you implemented that?
28:56
Have you done incident response planning?
28:58
Have you implemented some network monitoring?
29:01
Maybe you’ve done none of the above.
29:02
Hopefully no one here has done none of the above previously.
29:05
But if you haven’t done all of these, I would say, at some point or other in the past year; I would think, Aaron, you’d want to check all these boxes, right?
29:14
Yeah, this is something you want to make sure that you’re doing at least once a year for a lot of these. With network monitoring, you want to make sure that that is an ongoing activity.
29:27
But stuff like risk assessment, cyber hygiene training, you know, cyber security is kind of a game of cat and mouse, so you have to stay updated with this stuff.
29:38
Give people a few more seconds here. We’re almost at all of the audience voting.
29:43
See if anybody else jumps in here. Three, two, one. All right.
29:50
So you can kind of see here, everybody: 60% said they’ve done risk assessments in the last year, 80% said hygiene training, 80% also said they’ve done incident response planning, and then 100% of our audience says that they have implemented network monitoring.
30:08
So I would say this is a pretty good list.
30:10
A lot of people are taking steps.
30:12
Yeah, that’s good.
30:13
It’s good to see these kinds of things being taken seriously, too, because, you know, network monitoring, incident response planning, tabletops, those are pretty considerable undertakings.
30:22
Those are pretty considerable undertakings.
30:24
So to see a lot of emphasis and a lot of focus put on there is good to see.
30:31
All right, so let’s talk about the threat landscape for public safety and government in terms of zero days.
30:35
So we know that cyber attacks against public safety are on the rise.
30:40
We went back to 2023 and talked about how they surged.
30:43
A lot of that had to do with an increase of extortion groups conducting those attacks.
30:47
And, you know, extortion and data theft attacks will disrupt CAD, with examples of dispatchers being forced to operate with pen and paper as a result of attacks.
30:59
We can look at Bucks County as a big victim of that, from zero days affecting them.
31:06
And we are, especially given some of the stats on this slide, seeing that the extortion part of these ransomware attacks, especially tied to data exfiltration, is almost ubiquitous at this point.
31:22
If there’s a ransomware attack, it’s very likely that data is going to be exfiltrated and it’s going to be used as leverage to get the victim to pay the ransom, because once it leaves the network, once that information is on the internet, it’s very difficult to get rid of.
31:37
And so that, in a lot of cases, is even more valuable than the ransom imposed by keeping systems locked down.
31:45
And we know that public safety and government is a very high value target in this age.
31:50
So the PTSA, PSTA, reported that from 2023 to March 2024, there were 16 cyber attacks, typically on CAD systems and pre-staff.
32:01
And that causes an average of 15 days of downtime overall on those systems.
32:06
And that could be once a month occurring.
32:09
And then 75% involved a threat actor accessing a partner agency’s outlying network, which kind of speaks to the third-party, supply chain aspect, and moving into the critical CAD environment where they end up deploying the ransomware. And then here are five ways that adversaries will find zero-day vulnerabilities.
32:31
So a lot of this will be reverse engineering, exploiting known vulnerabilities, monitoring for software factors, identifying newly discovered vulnerabilities. I know Aaron’s got something on EternalBlue.
32:42
It’s a little bit old, but that’s one that’s really relevant.
32:45
And then obviously they’ll look for targeted attacks, with emphasis on programs and services.
32:51
Yeah, and this list also kind of highlights why the utilization of zero days, and the effort that goes into it, is something that we see in a lot of cases associated with state-sponsored attacks, because these are not simple tasks.
33:09
Reverse engineering, especially modern software services.
33:13
It can be fairly complicated, and if anybody’s looked into the technical aspect of EternalBlue, it’s a fairly complicated vulnerability to have uncovered and turned into an exploit.
33:31
But it’s ongoing and it’s important to be aware of this stuff.
33:38
And here’s how a lot of threat actors will go about identifying weak points. I’ll let Aaron kind of call out some specifics here, but legacy systems obviously are a big one; segmentation, insufficient endpoint protection, outdated software (which is similar to legacy systems), limited training, which we’ve talked about too, and then also a lack of incident response plans, I guess, is another weak point you could find if you’re facing a zero-day threat.
34:02
Yeah, and all of these kind of point to attack surface management in general, you know, making sure you understand what systems are on your network, how they can be patched, what risk each individual system represents, and the information they have access to.
34:19
So, especially when we talk about zero days, there’s never going to be a one-size-fits-all.
34:25
It’s always going to be kind of a security-in-layers approach.
34:31
And then as far as exploiting system weaknesses, obviously SQL injections, cross-site scripting, DDoS, social engineering, remote code execution, man in the middle: these are all areas of a network where, if a cyber threat actor does find a vulnerability, this is how they’ll go about exploiting it, right, Aaron?
34:51
Yeah, and especially something like remote code execution is kind of the holy grail of zero-day exploits, because that, in most cases, means that you can fully compromise a system. You can use it both as a pivot point to spread throughout the network and as an initial entry point, and if you have full control of that system, it can be even more difficult to detect because you can hide these things. It can get pretty nasty real quick.
35:22
And before, I mentioned how this is a big business and exploits are sold. Cyber threat actors can trade these and sell these across networks with service kits; they can buy proofs of concept.
35:35
And in the hands of nation-state actors, they’re always looking for a new weapon in the global cyber war.
35:42
And these can be sold on the dark web for $5,000 to $250,000.
35:46
So they’re not especially cost-averse for a lot of these nation-state actors, depending on the flaw in the network systems.
35:54
But what are they buying, like a proof of concept there?
35:58
And what can you explain about what they’re buying, in terms of buying an exploit and a proof of concept?
36:04
Yeah, yeah, these things are certainly not cheap.
36:07
And a lot of this goes into kind of lowering the barrier for entry a little bit.
36:14
We see this in ransomware as a service, phishing as a service, exploits as a service, where a group or individual can provide parts of an attack chain to essentially loan out to groups that want to, or have the resources to, perpetrate these attacks.
36:35
I think a great example of this idea of purchasing proofs of concept or exploits is how EternalBlue was handled.
36:46
That was an exploit that was essentially kept secret by, I believe, the NSA, and then was later stolen and exfiltrated by a threat group, and was used in attacks like Petya and NotPetya and WannaCry, to devastating effect.
37:06
So there can be some really concerning things out there.
37:12
And Aaron, if you wanna take us through this map too; it says, if your network looks like this, please monitor.
37:17
And it’s a lot of where the traffic is coming from.
37:20
If you’re seeing traffic from outside of the country, you definitely wanna check on where that’s coming from and how that looks.
37:27
Yeah, and this pretty much says it all in the image, but it’s all about attack surface management.
37:34
It’s understanding what your exposure is to the internet, how people can get in and out of your network, what it looks like.
37:42
And as we’re going to talk about a little more later, just being informed, understanding your systems as much as you can to the extent that you can set up monitoring and alerting systems for it.
37:56
It gives you the best chance of detecting these things before they can really spiral out of control.
38:02
And how often are zero days exploited?
38:04
So 80% of vulnerabilities are found before a patch is released by the company or the organization.
38:11
And they can last up to seven years, and the time between discovery and patch can be up to 22 days.
38:17
25% of them are exploited within 24 hours, and the average organization will experience a zero-day-related security incident every six months. Aaron, what stands out to you here?
38:30
So really, the numbers do a lot of the speaking here, but it can be kind of a cascading effect.
38:39
If you’ve got a system that maybe has a zero day, and you don’t catch it in the first couple of weeks, maybe it sits there for the next six months, and then you have an attack taking place from that point that can take another six months, and it can very quickly spiral out of control.
38:59
And the targets here, we won’t go through all of these, but a lot of them will leverage Microsoft, Apple, Google; they’ll find vulnerabilities through there, and they’re used in ransomware attacks 25% of the time.
39:12
And they’ll be looking for things like privilege escalation vulnerabilities.
39:16
And then, as we talked about, nation-state actors are responsible for 80% of them, not a surprise.
39:21
And then 50% are targeted by APT groups. 55% affect third-party libraries or components.
39:29
So that kind of goes back to Log4Shell. No surprise.
39:33
Actually, keeping up with current news here, I want to say it was just last week, there was an extremely popular package for NPM, which is a popular library for a lot of different programs, that had some malicious code inserted into it.
39:52
And that is, unfortunately, not unique.
39:56
We see this across the board.
39:58
At least once a week, there’s a popular Python library or something that ends up being malicious, things like that.
40:16
So it’s pretty insidious where these things can hide, and especially the effect they can have is pretty devastating.
40:27
And the costs are pretty high, as we’ve talked about, too.
40:29
The prices can range from $60,000 to $2.5 million on the dark web, depending on the target.
40:35
And the cost to patch or remediate one of these can exceed $1 million.
40:41
Aaron, that’s a pretty big number. It’s probably just going to keep climbing. It’s again kind of a feedback loop.
40:51
The more successful these attacks are, the more money they can extort from people.
40:56
And then that goes back into making the attacks harder to detect, which again, just kind of raises the bar for how much they can charge for these things.
41:06
So even just a couple of years ago, we saw ransomware payments on average sitting under a million dollars, and now they’re well over a million, two million dollars per attack.
41:16
So it’s only, unfortunately, gonna get more expensive from here.
41:21
And the detection piece of this is really important too because only 10% of zero days are discovered by defenders.
41:27
So they’re often discovered by adversaries, which is what you don’t want, obviously.
41:32
And 48% are detected via behavioral anomaly detection.
41:36
And the big one here, Aaron, only 5%, less than 5% of organizations are able to detect a zero-day exploit without any additional help.
41:45
Yep, and this really speaks to the power of heuristic analysis, anomaly detection, things that are not necessarily deterministic like IPs or file hashes or processes.
42:01
And again, it just goes back to understanding how these systems are supposed to be communicating, the behaviors they should be displaying, and then being able to detect when that is not the case.
42:15
All right, we’ll do one more poll here, and then we’re gonna get into some prevention and defense techniques for everybody.
42:23
But our last one here is, what is your biggest challenge right now in enhancing your cybersecurity efforts?
42:28
Is it limited budget?
42:30
Is it lack of training, outdated technology?
42:32
Maybe your leadership isn’t necessarily buying in enough, and if there’s anything else, let us know in the chat or the comments or questions if you have another thing that’s holding you back from enhancing cybersecurity.
42:46
I think we’re gonna see probably one specific answer come across the board here.
42:50
I’m assuming it’s gonna be a lot of budget related. But, you know, there could be a lot more answers to this as well.
42:56
Yeah, it’s unfortunate, especially with how important cybersecurity is.
43:01
But, especially with such a complicated topic, it can be difficult to portray the need to the people that supply the budget.
43:13
If nothing’s holding you back, you can let us know too in the questions pane.
43:18
Let us know if nothing’s holding you back, and let us know how you’re making sure that nothing is holding you back from enhancing cybersecurity.
43:25
We’ll give it a few more seconds here because not everyone’s voted yet, but we’ll see more people get in.
43:30
But I’d be curious to see if anybody doesn’t have any limitations in terms of budget or training, and how you’re not letting those things hold you back.
43:46
I think everyone that’s going to vote has voted.
43:51
So yeah, 67% said that limited budget is the big thing.
43:56
33% said lack of training.
43:58
We had one that said both budget and training are holding them back in terms of cybersecurity enhancements.
44:06
Those are obviously big ones too.
44:07
I’m not surprised by the budget one, unfortunately.
44:10
It’s a challenge all of us kind of have to deal with in this day and age.
44:15
All right, defense mechanisms and best practices.
44:18
What can you do to prevent zero days from affecting your network? Obviously these are hard to detect, because it’s a flaw in software where there’s no patch or security update, and a lot of times, as we talked about, malicious actors are finding them before we do.
44:33
But Aaron, there are some things that you can do to take some preventative measures that we have here.
44:37
Yeah, and this again can be summed up as further attack surface management.
44:43
Patching here is critically important, because there may be cases where you have to push a patch out to something that is exposed to the internet essentially overnight.
44:53
So making sure that those systems and processes are tested.
44:58
Network segmentation is another big one here.
45:02
Obviously, the harder it is to spread between network segments, the harder it is to widen the impact of an attack.
45:10
And that speaks to zero trust as well, identity and access management, being able to control who can talk to whom and when.
45:17
And then things like threat intelligence, anomaly-based detection methods, IDS and IPS, intrusion detection and intrusion prevention systems, can all contribute to providing a comprehensive way to both prevent and prepare for these kinds of attacks.
45:37
I would say also, since we’ve talked a lot about how this is supply chain and third-party related, make sure you’re talking to your vendors about patching too, and what their patching schedule looks like, since those are the ones you’re gonna be hit by the most.
45:48
And the assessment process for vulnerabilities: identifying, defining, and classifying vulnerabilities in systems.
45:57
The important note here about vulnerability assessments, I think, is that they’re not going to identify zero days, but they can help prepare for them, Aaron.
46:04
Yeah.
46:04
And even further on this point, historically, the place that zero days have been discovered four or five months down the line is through vulnerability assessments, through regular reviews of infrastructure, where something just stands out and turns into a full-blown compromise or something like that.
46:23
So it’s extremely important, especially when it comes to vulnerability assessments, to keep those regular, to pay attention to the results, and to continually improve and harden pretty much any kind of network infrastructure and endpoints that you can against these kinds of attacks.
46:42
IT must be agile. And if you do face a zero day before there’s a fix, what can you do?
46:48
So, you’ve got to ask yourself: what systems can be impacted by the vulnerability?
46:54
What’s the scope?
46:55
Learning how to take systems offline safely?
46:59
And are there critical systems you cannot take offline?
47:01
And are there workarounds we can employ?
47:03
And Aaron, this is a big deal for a lot of our audience, because obviously in public safety and government you have a lot of critical systems that can’t be offline.
47:11
So you have to find workarounds for these things.
47:13
Yep.
47:13
And that’s a huge pain point with zero days; it’s a little bit of a catch-22: if you can’t take a system offline to patch it, it might get hit by a zero day and end up needing to be taken offline anyway.
47:25
But this in particular, in terms of the ability to patch these things, to understand how they can be taken on and offline, the criticality, all of that speaks to having a comprehensive incident response plan, having that be tested, implemented, and revised, because especially when we’re talking about zero days, sometimes it’s not a matter of if, but when.
47:53
So being prepared to respond to these things is incredibly important.
47:58
And patch management cannot prevent zero-day attacks, obviously, but it can reduce your exposure window
48:03
if you can deploy quickly, before attackers can identify the vulnerability and exploit it.
48:07
So that’s if you can get a patch out in a couple of hours or days. It’s always important to document and review software versions, making sure that your patches are safely applied, and to make sure the patches also don’t have vulnerabilities, because I know I’ve seen that be an issue before too.
48:23
Yeah, and especially with zero days, in some cases you’ll see mitigations or workarounds prior to the patch.
48:29
So being able to quickly implement those and verify that they don’t impact system functionality can be critical, especially in attacks we’ve seen like Log4Shell, where it’s just a matter of whether or not you get scanned while your system is vulnerable.
48:48
Incident response plans: this is one where, within incident response, you should have zero-day responses.
48:54
So if you are impacted by the exploitation of a zero-day vulnerability, this should be a piece of your playbook.
49:01
So make sure you’re having that in your plans as well.
49:05
That should be part of it.
49:07
And then conduct regular cyber risk assessments.
49:09
So building resilience through best practices.
49:12
CISA recommends developing and testing your incident response plans, and making sure that you are implementing network segmentation and access controls as well.
49:23
There are a couple of links you can find right there for best practices from CISA, as well as some resiliency toolkits.
49:30
Aaron was talking before about attack surface management, which consists of four processes: asset discovery, classification, prioritization, and monitoring the total exposure.
49:43
We know that digital assets continue to increase. As Aaron talked about, adopting the cloud has put a lot of threats online that maybe weren’t necessarily meant to be.
49:54
Yeah, and this all speaks to security in layers.
49:58
It’s not enough just to have IDS and IPS; you also need to make sure that you can identify your systems, that you can remediate both non-severe and severe concerns, and that you’re able to test systems as they’re brought online.
50:12
All of these little things build together into a stronger security posture.
50:20
And what can happen if you don’t manage your attack surface?
50:22
Obviously, you want to know about all your assets that are out there; there’s shadow IT that can be deployed without approval on unknown assets.
50:32
Obviously, we talked about third parties that are out there.
50:34
So those can affect your infrastructure or digital supply chain. You want to know about the assets they have as well.
50:42
This is something we’ve seen, especially with unknown shadow assets.
50:46
I’ve responded to incidents where it was the smart HVAC system that was compromised and was talking out to ... And it was something that the IT team had no idea was on the network; it had been there for months.
50:58
So again, to give your teams the best chance of responding quickly and effectively, you have to have this information in place beforehand.
51:08
And obviously the winning combination we always talk about is, you know, Aaron talked about heuristic analysis, but I think human-to-human expertise is needed to help you cut through the noise.
51:17
So you’ve got obviously the monitoring option, and you’ve got behavioral-based and AI-driven alerts, and that gives you a resilient cyber posture.
51:24
I think combining the automation side with the human detection side is the key piece in all of this.
51:33
Yeah, and there are countless attacks that have been caught by someone who is familiar with the network, seeing an interaction and saying, hey, that’s not supposed to be happening.
51:41
And that turns into a whole incident response just from that.
51:47
And Aaron, you talked before about heuristic detection and how the good guys can go about discovering a zero day.
51:53
Yeah, so there’s obviously a pretty long list of ways that these things can be discovered, but heuristic detection is a great place to start: looking at behaviors and patterns on systems compared to a baseline.
52:06
Looking at statistics-based detection, this can be something as simple as IP counts.
52:12
If you’ve got a server that doesn’t really talk to anybody and then all of a sudden it’s talking to half the internet, there’s probably something going on there.
52:20
And then another one we see, especially with larger companies like Google, Microsoft, Amazon, is things like bug bounties, where there’s an incentive to responsibly disclose these things so that they can be patched and mitigated prior to public disclosure.
52:37
And usually that comes with some sort of monetary reward.
52:41
But again, all of these things build together to give us a strong foundation for getting these things handled.
52:50
Obviously, we always talk about continuous monitoring and NIST, and the recommendation there to employ independent assessors or assessment teams to monitor controls in the system on an ongoing basis, the framework for that, and how SecuLore goes about reducing the risk within your security stack.
53:06
So it’s recognizing anomalous behaviors throughout the network so you can reduce your risk, making sure you’re in the middle to detect all those things.
53:14
And we always talk about the importance of cybersecurity risk assessments that follow best practices from the FCC, DHS, NIST, APCO, and NENA.
53:25
That can give you things like policies, preventative architecture, a techniques review, help with your incident response plans, and also traffic analysis, including nation-state actor indicators, which you see a lot of in zero days.
53:39
And you always wanna make training part of the policy too.
53:41
We talked before about how budget and training are things that hold a lot of people back.
53:46
So training’s also a big part.
53:48
Cyber hygiene can do a lot for these as well as incident response.
53:52
There are also some resources you can use to find exploited vulnerabilities on CISA.
53:56
We also send out email cyber alerts for those.
54:00
All right, so that kind of wraps up things there.
54:02
Have you got any other comments you wanna throw in here?
54:03
We can get to some questions.
54:05
If you’ve got any questions, make sure you’re putting them in the questions pane of your tab so we can get to those.
54:11
Are you ready to move on to questions, Aaron?
54:13
Yeah, I think we’re good for questions.
54:15
All right, let’s start that first question.
54:17
So if you’re running an older CAD or radio system that can’t be upgraded right away, they wanna know what they can do if there’s a zero-day issue that impacts those. Is it possible to flag a vulnerability in a system like that before something bad can happen?
54:32
So when it comes to legacy systems especially, which we see a lot in public safety and critical infrastructure, again, it’s just a matter of being agile.
54:40
It may be something you can’t take offline, or it may be something that might require some mitigation.
54:47
But it comes down to just understanding the risk posed by that system and what is required for it to communicate.
54:53
Because if you can lock it down, if you could maybe move it to a dedicated network segment or a DMZ, it can buy you a little bit of time, either to mitigate the zero day through the vendor providing instructions or through configuration.
55:11
But it all just comes down to being prepared and understanding these systems.
55:19
Aaron, the next question is: how can a smaller team realistically get ahead of something that they don’t even know is out there yet?
55:25
So they don’t know a vulnerability is out there.
55:27
So how can a small team get out there and address something like that if they’re not even aware of it?
55:32
Yeah, and that’s kind of an unfortunate reality: with zero days, in some cases, again, it’s not a matter of if but when. So just being prepared to respond to these, having a comprehensive incident response plan, having a good understanding of your network, taking steps to harden external-facing interfaces through access lists, endpoint protection, regular cybersecurity assessments, patching, identity and access management, all that.
56:05
And that kind of answers our next question too, a little bit: if you’re unable to prevent zero days, what is the best way to reduce the impact?
56:14
Because somebody might jump in and use it to get access or encrypt your data, which is something we see a lot when it comes to zero-day flaws.
56:23
And mitigation is almost always gonna be that first step.
56:27
Unfortunately, not in all cases, but in a lot of the major zero-day disclosures, we see mitigations available within hours, if not a day or two after the initial disclosure.
56:41
So again, being able to make those changes and ensure that they don’t impact any critical services, having testing and patching and all of that in place ahead of time, because when an attack is happening is not the best time to figure these things out.
56:57
You want to make sure you have as much in place beforehand as you can. All right. Thank you.
Cybersecurity for Critical Infrastructure
SecuLore provides Managed Detection and Response (MDR) to protect our nation’s critical infrastructure from cyber threats. Our expertise is built on deep knowledge of 9-1-1 technology, cyberwarfare, and ethical hacking, ensuring the highest level of cybersecurity for public safety agencies.
- 24/7 Vulnerability & Threat Monitoring
- Automated & AI Threat Detection
- Specialized Threat Intelligence
- Proactive Threat Hunting
- Incident Response & Remediation
- Forensics & Root Cause Analysis