
DISCARDED: Tales From the Threat Research Trenches

  • It Works on My Machine: Why and How Engineering Skills Matter in Threat Research

    8 MAY 2024 · The Discarded Podcast team is gearing up and working hard for a new season! Until then we have a special Re-Run treat: one of our favorite episodes! Enjoy!

    Engineering skills can play a massively beneficial role in cyber security, as Pim Trouerbach, a Senior Reverse Engineer at Proofpoint, and Jacob Latonis, Senior Threat Research Engineer at Proofpoint, are able to share. They emphasize the importance of understanding the requirements and context of security researchers to build effective tools. The conversation touches on the potential impact of AI and LLMs (large language models) in threat research. While AI tools can be valuable for entry-level tasks, the context, experience, and expertise of human engineers are essential for handling complex code and understanding threat actors' behaviors.

    Join us as we also discuss:
    - [02:59] The uniqueness of engineering skills in understanding researchers' requirements for data cleaning, tool development, and working in a security environment.
    - [11:06] How the versioning in malware samples can provide insights into the threat actors' behavior and trajectory.
    - [13:24] How malware is simply software with malicious intent, and how practices of developers and threat actors can overlap.
    - [17:10] The tools and techniques used by threat actors, including obfuscation and encryption methods.
    - [21:42] The importance of context and experience in writing tools and understanding researchers' workflows.

    For more information, https://www.proofpoint.com/us/podcasts.
    46m 54s
  • Decoding TA4903: Exploring the Dual Objectives of a Unique Cyber Threat Actor

    2 APR 2024 · Today’s focus is on the elusive threat actor known as TA4903. But that's not all: we've got a special treat for you as well. Our longtime producer, Mindy, is joining us as a co-host, bringing her expertise and insights to the table, as we turn the mic around and interview Selena!

    We explore recent research conducted by Selena and her team on TA4903’s distinct objectives. Unlike many cybercrime actors, TA4903 demonstrates a unique combination of tactics, targeting both high-volume credential phishing campaigns and lower-volume direct business email compromises.

    We also dive into:
    - TA4903 spoofs government entities like the Department of Transportation and the Department of Labor to lure victims
    - Use of advanced techniques including EvilProxy for multi-factor authentication token theft and QR codes for phishing campaigns
    - Rising trends in cryptocurrency-related scams and other financial frauds

    Resources mentioned:
    - https://www.proofpoint.com/us/blog/threat-insight/mfa-psa-oh-my (Blog) by Timothy Kromphardt
    - https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
    - New TA4903 research: https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids

    For more information, https://www.proofpoint.com/us/podcasts.
    40m 56s
  • A Trip Down Malware Lane: How Today's Hottest Malware Stacks Up Against Predecessors

    19 MAR 2024 · It has been a busy first quarter for the Proofpoint Threat Research team! Today we have returning guest, Pim Trouerbach, to share his personal stories about his favorite malware and discuss the current landscape, including insights on Pikabot, Latrodectus, and WikiLoader.

    The conversation explores the evolution from old school banking trojans to the current favored payloads from major cybercrime actors, and the changes in malware development through the years. Pim shares the different meticulous analysis and research efforts, and we learn about mechanisms to combat the malware.

    We also dive into:
    - a valuable lesson about the consequences of malware running rampant in a sandbox environment
    - the shifts in attack chains and tactics employed by threat actors
    - the need for adaptive detection methods to combat evolving cyber threats

    Resources mentioned:
    - https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/0770436196 by Kim Zetter

    Shareable Links:
    - https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion
    - https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft
    - https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
    - https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black
    - https://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax

    Pim’s Favorite Malware:
    - Emotet: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-280a
    - IcedID: https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid
    - Dridex: https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-339a
    - Hancitor: https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor
    - Qbot: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
    - Hikit (APT): https://attack.mitre.org/software/S0009/
    - Stuxnet (APT): https://www.penguinrandomhouse.com/books/219931/countdown-to-zero-day-by-kim-zetter/
    - Cutwail: https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail

    For more information, https://www.proofpoint.com/us/podcasts.
    56m 21s
  • Hiding In Plain Sight: Unique Methods Of C2 From Infostealers

    5 MAR 2024 · Network-based detections, such as those developed by threat detection engineers using tools like Suricata and Snort signatures, play a crucial role in identifying and mitigating cyber threats by scrutinizing and analyzing network traffic for malicious patterns and activities. Today’s guest is Isaac Shaughnessy, a Threat Detection Engineer at Proofpoint. Isaac shares his insights into the challenges of detecting and mitigating malware, especially those using social platforms for command and control. He emphasizes the team's engagement with the InfoSec community, highlighting the value of platforms like Twitter and Mastodon for sharing and receiving information.

    We also dive into:
    - the unique challenges of crafting effective signatures
    - the specifics of malware, focusing on Vidar stealer and highlighting the dynamic nature of Vidar's command and control infrastructure
    - the distribution methods of these malware strains, from email campaigns to unconventional tactics like using video game platforms and social media for luring victims

    Resources mentioned:
    - https://www.youtube.com/watch?v=0mJayM2X6Wo w/ Isaac Shaughnessy
    - Emerging Threats Mastodon: https://infosec.exchange/@emergingthreats
    - Threat Insight Mastodon: https://infosec.exchange/@threatinsight
    - https://community.emergingthreats.net/t/vidar-stealer-picks-up-steam/271

    For more information, https://www.proofpoint.com/us/podcasts.
    27m 22s
  • From Attribution to Advancement: Red Canary’s Katie Nickels Tackles CTI’s Biggest Questions

    20 FEB 2024 · The esteemed Katie Nickels joins us on the show today! Katie is the Director of Intelligence Operations at Red Canary, and our conversation with her explores a wide array of topics, ranging from career growth in threat intelligence to the intricacies of attribution and threat actor naming. Katie delves into her diverse career journey and transitions to advice for those entering the field, emphasizing persistence, creativity, and considering entry-level roles like SOC analyst positions. There is also talk of avoiding burnout while pursuing one’s passion, especially in cybersecurity.

    We also dive into:
    - Communication and attribution challenges, including the confusion of different naming conventions
    - Marketing and the personification of threat actors
    - Strategic approaches in handling incidents and avoiding panic

    For more information, https://www.proofpoint.com/us/podcasts.
    47m 3s
  • Beyond the Headlines: Reporting on Sensitive Cybersecurity Topics to Resonate with Everyone

    6 FEB 2024 · *This episode contains content warnings of suicide and self-harm*

    “It’s not about preventing something from happening, it’s being prepared for when it does.”

    This episode is filled with stories from the different scenarios that have been plaguing people with cyber security attacks. Today’s guest is Kevin Collier, a cybersecurity reporter at NBC. He joins us to discuss his experiences covering cybersecurity stories for a mainstream audience. As the first and only dedicated cybersecurity reporter at NBC, Collier reflects on the evolving nature of media coverage in the cybersecurity space, emphasizing the increasing need for dedicated coverage in major news publications. He highlights the rise of scams facilitated through text messages, emails, and zero-day exploits, emphasizing the geopolitical circumstances that enable these threats, and also helping audiences understand the reality behind the cyber threats they face.

    They also dive into:
    - The poignant reporting process on a story of pig butchering scams
    - The normalization of cyber threats, such as ransomware, and the role of the media in shaping public perception
    - The process of convincing stakeholders to prioritize certain topics
    - The emotional toll of reporting on sensitive cybersecurity topics and the importance of self-care in navigating this challenging intersection.

    Resources mentioned (trigger warning for content of suicide and self-harm):
    - https://www.nbcnews.com/tech/tech-news/how-online-romance-scams-netting-millions-self-harm-rcna85252 by Kevin Collier
    - https://podcasts.apple.com/us/podcast/obfuscated-online-threats-and-the-visually-impaired/id1612506550?i=1000630148789 Utzig
    - https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years by CISA.gov

    For more information, https://www.proofpoint.com/us/podcasts.
    55m 38s
  • Strategies for Defense and Disruption: Part Two of Predicting Cyber Threats in 2024

    23 JAN 2024 · Is 2024 the year of adaptability and collaboration within the security community? Let’s hope so! Today’s episode is Part Two of what to expect in cybersecurity in 2024, and our guests are Randy Pargman and Rich Gonzalez. Randy sheds light on the crucial role of the Detections Team and emphasizes the constant innovation of malware authors, and the team’s mission to outsmart them. Rich discusses the Emerging Threats team and dives into open source and paid resources as force multipliers for security teams.

    While some reflections were shared about 2023, namely multiple high-profile vulnerability events and the challenges posed by QR codes, the conversation focused on the upcoming year. They anticipate increased creativity from threat actors, and emphasize the constant battle between red and blue teams. The conversation underscores the need for constant adaptation, response to emerging threats, and collaboration within the security community.

    Other topics discussed include:
    - Incidents like WinRAR, Citrix NetScaler ADC, and ScreenConnect vulnerabilities
    - The positive impact of public-private partnerships and international cooperation in enhancing cybersecurity defenses
    - Hopeful vision for the industry, advocating for understanding, education, & increased diversity

    For more information, https://www.proofpoint.com/us/podcasts.
    1h 6m 16s
  • Phishing, Elections, and Costly Attacks: Part One of Predicting Cyber Threats in 2024

    9 JAN 2024 · To move forward, it’s good to take a minute and reflect on what’s happened. Today’s episode focuses on insights from Daniel Blackford and mailto:adoraisjoncas@proofpoint.com, both Senior Managers of Threat Research at Proofpoint. This is the first in our two-part series looking at what’s on the horizon for 2024.

    Reflecting on 2023, they discuss the use of QR codes, major technique shifts from the biggest ecrime and APT actors, and the ongoing problem of ransomware. Looking ahead to 2024, the emphasis goes to the gradual shift of attacks outside corporate-managed infrastructure, leveraging personal email accounts to bypass extensive security measures. On the cybercrime side, there’s a prediction of the continued development of as-a-service models, particularly focusing on traffic distribution services, leading to more modular and challenging-to-attribute attack chains.

    They also dive into:
    - Threat actor activity during the elections and Olympics
    - Specific threat actor groups that caught their attention in 2023, TA473 and TA577
    - Living off the Land concepts

    For more information, https://www.proofpoint.com/us/podcasts.
    44m 59s
  • Jingle Bells, Phishing Tales: Reflecting on Cybersecurity in the Holiday Spirit

    26 DEC 2023 · In this special Holiday edition of Discarded, the tables are turned, with hosts Selena and Crista becoming the answerers, our returning Moderator, Mindy Semling, as the question asker, and our wonderful audience transformed into Cyber Elves. This conversation is lively and filled with questions from a variety of engaged audience members. (Thank you to everyone who contributed). Questions range from career advice for aspiring Cyber Threat Analysts, to certain threats exploding in popularity, to a reflection of 2023.

    The Discarded Podcast team would like to take a moment and thank the following people for their contributions to the Cyber Security Landscape this year:
    - Pim Trouerbach
    - Kelsey Merriman
    - Tommy Madjar
    - Bryan Campbell
    - Greg Lesnewich
    - Kyle Eaton
    - Joe Wise
    - Emerging Threats team
    - The overall Proofpoint Team, including, but not limited to, our PR and marketing teams

    Resources mentioned:
    - Youtube: https://www.youtube.com/watch?v=xsqVWMTRf6g
    - Sans Threat Analysis Rundown
    - https://www.sans.org/cyber-security-courses/cyber-threat-intelligence/
    - https://www.networkdefense.co/courses/investigationtheory/
    - https://www.nbcnews.com/tech/tech-news/how-online-romance-scams-netting-millions-self-harm-rcna85252
    - https://medium.com/mitre-attack/attack-v14-fa473603f86b
    - https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-1-968b5a8daf9a
    - https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-2-d04b7a529d36
    - https://www.atlanticcouncil.org/in-depth-research-reports/report/sleight-of-hand-how-china-weaponizes-software-vulnerability/
    - https://www.wired.com/story/gadget-lab-podcast-621/
    - https://www.wired.com/story/mirai-untold-story-three-young-hackers-web-killing-monster/

    For more information, https://www.proofpoint.com/us/podcasts.
    1h 4m 58s
  • I Know This Might Sound Crazy but Russia’s TA422 Blasted Lots of Exploits

    12 DEC 2023 · ’Tis the season for understanding TA422’s latest activity AND for singing podcast guests! Today’s returning guest is Greg Lesnewich, Senior Threat Researcher at Proofpoint. He sheds light on the tactics, techniques, and procedures (TTPs) employed by TA422. The conversation touches on the significance of the high volumes observed starting in late summer, the exploitation of vulnerabilities for NTLM credential harvesting, and the brief usage of the WinRAR vulnerability. They touch upon the potential reasons behind the group's choices, considering factors such as resourcing, tactical decisions, and a shift towards speed and efficiency. There is also consideration about connecting TA422's activities to broader trends in threat actor behavior, such as a shift towards living off the land techniques and a focus on social engineering for initial access.

    The conversation continues on the following topics:
    - [11:17] TA422 Recent Activity
    - [13:30] Campaigns using CVE-2023-23397
    - [18:35] WinRAR activity
    - [22:50] October & November activity
    - [26:50] Guest Singing Spotlight
    - [29:30] Noticeable differences in campaigns

    Resources mentioned:
    - TA422 Proofpoint Blog: https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week
    - Google TAG Report on WinRAR Exploits: https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/amp/
    - Selena’s Cyber Tunes Playlist: https://open.spotify.com/playlist/7GqH7SefgiI1UtYNjQ5svg?si=vO2Ao-lTTSuCCVfgfgcUfw&pt=97da5ebbd320a4f79014b1f205fc8438&pi=u--xbfwSuHSE-T
    - Wired story on Sandworm: https://www.wired.com/story/sandworm-ukraine-third-blackout-cyberattack/

    For more information, https://www.proofpoint.com/us/podcasts.
    50m 38s

DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about the threat behaviors and attack patterns. Each episode you’ll hear real world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more.
Welcome to DISCARDED