Malware Trends, Credential Soup and Scream Therapy
October 30, 2025
Alex and Scott Rodgers unpack the F5 breach, Mandiant M-Trends highlights like the fall of BEACON, and the leapfrogging of Stolen Creds over Phishing. Hit play. Stay unhinged. Detect responsibly.
Expect:
- The infostealer industrial complex
- Operation MORPHEUS x BEACON’s quiet exit
- The real meaning of “supply chain blast radius” & tight turnaround time requirements
- Why screaming might actually save your sanity
Alex (00:03.701)
Scott, I’ve been on the road nonstop with the launch...bottling up emotions, fighting with friends, go-go-go. But we’re back with Detection Dispatch, your no-BS breakdown of what’s actually happening in SecOps. Today, we’re diving into:
- The F5 breach
- The rise of infostealers
- Beacon’s downfall
- Why stolen credentials have leapfrogged phishing
Joining me is Scott Rodgers, who last broke down prompt injection attacks and recently presented on LLMs in alert triage at Blue Team Con. Scott—what’ve you been up to?
Scott Rodgers (01:52.258)
At Blue Team Con, Kevin Gonzalez and I presented on using LLMs to analyze alerts. The key takeaway: just because you can use an LLM doesn’t mean you should. Tools like NER or regex still have their place—and scale better for some problems.
Alex (02:10.518)
Exactly. Your breakdown of when not to use LLMs really landed. Let’s get into the M-Trends 2024 Report, but first—the F5 breach on October 15th. Scott, what happened?
F5 Breach: What We Know
Scott Rodgers (05:02.210)
F5 suffered long-term persistent access. Attackers accessed BIG-IP source code, vulnerability info, and config data. CISA issued an emergency directive—patch by October 22nd. That tells you how serious this is.
Alex (06:09.036)
Especially since F5 is heavily used in federal environments. They had to report directly to CISA.
Scott Rodgers (06:55.766)
We advised customers to monitor logs from BIG-IP appliances. F5 released a threat hunting guide. Our team also pushed out prebuilt detections for customers.
AWS | US-East-1
Alex (07:24.388)
The AWS outage this week really knocked my tech stack. Not a cyberattack—but raises questions about single-vendor concentration risk.
Scott Rodgers (07:45.112)
Cloud redundancy helps—multi-region, multi-cloud setups—but complexity becomes a factor fast.
M-Trends 2024: Detection Engineering Insights
Alex (08:00.564)
Let’s talk about what really matters: malware trends from frontline incident response data—not surveys.
1. Credentials Overtake Phishing
Alex (09:14.519)
In 2024, stolen credentials surpassed phishing as a top initial access vector. Credential-based attacks are now more common than email phishing. This includes:
- Infostealers
- Keyloggers
- Credential reuse
Scott Rodgers (09:28.494)
Right. The rise of infostealers directly contributes. They're fast, scalable, and don’t rely on social engineering.
Alex (10:07.638)
Time to double down on MFA and build better detections around credential misuse.
2. Phishing Is Quietly Declining
Alex (11:10.0)
Phishing dropped steadily—22% to 14% over three years. Meanwhile:
- Credential-based access rose from 10% to 16%
- Web compromise nearly doubled
Detection teams need to update their playbooks. It’s not always phishing-first anymore.
Scott Rodgers (12:14.7)
And that’s where IAM logs and identity-centric detections come in. They’re tough, but critical.
3. Logging Gaps: A Major Blind Spot
Scott Rodgers (13:15.520)
Mandiant couldn’t determine the initial vector in 34% of incidents due to lack of telemetry. That’s a huge opportunity for improvement.
4. Who Detects First: Internal vs. External
Scott Rodgers (14:22.916)
Back in 2011, 94% of compromises were caught internally. Today? Only 60%. External sources—government, vendors—now catch 40% of incidents.
Alex (15:11.628)
More reason to invest in internal threat hunting and detection engineering. Find it before someone else does.
5. Dwell Time: Still Too High
Scott Rodgers (16:53.900)
Internally discovered attacks: 10 days dwell time.
Externally discovered attacks: 26 days.
Attackers don’t wait—detection speed still matters.
6. Malware Trends: Beacon Drops
Alex (17:07.692)
Beacon usage dropped from 28% to 5%, thanks to Operation Morpheus, which disrupted illicit Cobalt Strike infrastructure. Tools aren’t retired—they’re replaced when defenders catch up.
7. Threat Group Growth
Alex (20:12.868)
Mandiant observed:
- 737 new threat clusters
- 233 were active in engagements
- Most were unknown or criminal groups, not state-sponsored
8. New APTs: Sandworm and DPRK
Alex (25:36.897)
Two groups got promoted:
- APT44 (Sandworm): Known for NotPetya, Ukraine power grid takedowns
- APT45 (DPRK-linked): Financially motivated, possible link to job fraud campaigns
9. Cloud Compromise Trends
Alex (28:28.932)
Top cloud intrusion vectors:
- Phishing (39%)
- Stolen credentials (35%)
- Web compromise (14%)
Scott Rodgers (29:09.710)
Cloud logging is still weak. Many actions don’t generate logs. Bring in red teams to test visibility gaps.
10. MITRE Techniques: What Attackers Actually Use
Scott Rodgers (31:31.086)
Attackers used 71% of MITRE ATT&CK techniques and 40% of sub-techniques. That’s been steady for years.
Focus on what’s consistently abused. Top techniques:
- T1059 – Command/Scripting
- T1027 – Obfuscation
- T1021 – Remote Services
- T1083 – Discovery
- T1070 – Indicator Removal
Alex (34:56.868)
PowerShell still rules the sub-techniques. This is living off the land detection—harder to spot, but essential to track.
11. Top Targeted Industries
Alex (39:16.548)
Most targeted sectors:
- Financial Services (17%)
- Tech
- Healthcare
- Government
Scott Rodgers (40:29.218)
No surprise. Money and espionage still drive the majority of attacks.
SecOps Burnout & Scream Therapy
Alex (35:33.625)
Rough SOC day? Try scream therapy. It works. Just scream into a pillow—it’s cheaper than floating in the Dead Sea.
Scott Rodgers (37:23.459)
Sensory deprivation tanks are great too. Quiet, meditative reset. But yes—screaming might be more accessible.
Final Thoughts
Alex (41:57.506)
We covered a lot—credential soup, supply chain breaches, threat trends, and even therapy hacks. Scott, you always bring the calm to the chaos.
Scott Rodgers (43:03.148)
Thanks for having me. Always a great time.