SPYCLOUD RESOURCES

Okay. Great. We see a lot of participants. So, let's go ahead and get started. Thanks for joining today. Today, we have a live event all about minding the malware gap, about identity threat protection beyond the endpoint. Our hosts today are Damon Fleury, the chief product officer at SpyCloud, and Joe Russin, director of security research. Joe is over twenty years in various IT roles, but is now focused on cybersecurity and leads our whole security research arm. He's all about collecting all the breach and malware and fish data that we'll talk about today, and he's actively collecting data as we speak. So, a little Zoom etiquette today. Please post your question in q and a in Zoom. We'll have time at the end to address it, or we'll have live q and a depending on on how the conversation goes. But please add it to q and a. We'll make sure we answer your question on this call or afterwards. So today is all about malware. We're gonna give a brief overview of the malware landscape and what's changed the past few years. Joe will talk a bit more about what SpyCloud Labs has learned from, looking at trends malware and analyzing some of the top stealer families out there. Dane will talk a bit more about the malware kill chain and the attack life cycle we're seeing from, bad actors, but then we'll go beyond the the endpoint with spy cloud, show a bit more about how our solutions could help you, including a live demo. And then Joe will give some tips for how you can protect your workforce identities today. Thanks, Taylor. So before we get into the conversation around exactly what is going on with malware, Just wanted to give a brief overview of the kinds of data that spy cloud does collect. And so spy cloud really focuses on information that is flowing through the dark net. Like in this image, you know, we have all these data points flowing through the dark net that is on its way to actors, With those actors, you're using this information and this identity related information in order to attack your enterprise at the end of the day for account takeover, for online fraud, for ransomware, for a variety of other types of attacks. And when we are looking for data, when SpyCloud is looking for data that becomes the basis of our products, we're really looking for three forms of data. What we're known the most for is this box in the middle here for breached data that we've been collecting since the beginning of the company, and we have more than forty thousand distinct third party breaches. We're adjusting hundreds of new breaches that we find throughout the globe every single week. So we have a lot of data that comes from third party breaches. We also have data that comes from successful fishes. So when you when one of your employees or an individual clicks on that link and just just falls prey to that trick once again, and they actually give up their data, I mean, the the actors are using that information for their own for their own agenda. We are collecting that data, and we'll have some webinars on how that works coming up. But what we wanna talk most about today is another core element of what we collect, and that's malware victim logs. So when individuals do accidentally install malware or somehow malware does get installed on that system, then those bad actors are collecting as much as they can from that system as quickly as possible, funneling that into the dark net, and that's where SpyCloud picks up that data. So just wanted to set the stage for these are the different types of data. So when you're a SpyCloud customer, you gain access to all of these. But we know a lot of lot of customers and a lot of folks are interested in what's going on with respect to malware data specifically, and how that can be used to help protect your enterprise, the data that we find. So with that, I wanna turn this over to Joe to talk much more about the malware landscape. Thanks, Damon. Good morning, everybody. Two thousand twenty four was a great year for collections in Spy Cloud Labs. We have, nearly eight billion third party records ingested, and those are the breaches that Damon was talking about or the breach data assets. And we also have, five hundred and forty eight million malware records that were ingested. This is actually what we're talking about today, and that's across sixty four malware families. We also had a good one point five million, Telegram messages collected, and those might include things like combo lists or phishing data or even sometimes the third party records that we were talking about earlier and even some malware records for, stinger logs. So these things are actually something that we're looking to leverage more in the future and hopefully be able to have quite a bit more data as we increase our assets. But we also had, speaking of assets, a good, fifty four billion or so, new assets ingested. So that's quite the number. We're we also have a pretty decent, report, if I must say so. The two thousand twenty five spike cloud identity report, you should check it out if you haven't already online. I thought it was extremely well written, and there's a lot of good little tidbits of information. We have basically a couple things here that we want to go over that's related to this particular, scenario today, which is, ninety one percent of orgs reported some sort of identity threat in the last year. And then stolen credentials were actually part of eighty percent of the breaches, that we basically saw that were related to malware, in malware or combo list. And, honestly, with combo list and what we call, URL login and password or U LPs, those basically all kind of our source from combo or excuse me, from malware. The stealers that are actually involved, basically, are usually parsed out by the threat actors, and they make up these specific type lists where we can basically then, where they target certain organizations or certain vertical sectors. The other thing that we wanted to mention here is that the Infostealer malware, basically had been involved in fifty percent of corporate user infections. So as you see here in in this slide, we had quite a bit of red line in two thousand twenty four, and you also will see Rizepro and, Steel Seed, Meta, and LUMA kinda at the bottom. But here's the big thing that changed, basically, in this, near New Year. Basically, as of two thousand twenty five, even in the first quarter so far, we have seen Luma really take off. Base if if you could see here, the increase is huge compared to what we had in the past. You're looking at a twelve thousand, eight hundred or excuse me, twelve thousand eighty three percent, or twelve hundred eighty three percent, excuse me, year over year luma increase. And as you could see also, the other Steelers kind of all kind of, fell by the wayside. We think that this particular issue or what we see here is because of red line's takedown with Operation Magnus in October twenty, excuse me, October twenty ninth two thousand twenty four. This basically led to LUMA kind of taking over the underground and being the stealer of choice or the commodity malware of choice. So, going back to the heyday of monolithic botnets and kinda going back to two thousand seventeen or even earlier, in the past, what we saw was a single owner, that were a group of owners that had a modular code base. We're talking about botnets like Quackbot, Emotet, Trickbot, these types of things. The way that the malware kind of, worked at that time, it was pretty centralized, and it actually had trite infection vectors. You probably have all seen it in the past where you get an email, it's a phishing email, and it tries to get you to execute some sort of macro code on your machine. The technology basically is now or excuse me, has was at that time more centralized and and susceptible to LE action. And law enforcement agencies actually executed takedowns of Emotet in two thousand twenty one, and also in two thousand twenty two, and then Quietbot in two thousand twenty three. And then we saw, operation endgame, which took down Iced ID, Bumblebee, Peekabot in two thousand twenty four. All of these things kinda had a very heavy weight on the, underground infrastructure for criminals. They, were no longer able to utilize these things for the initial access brokerage. So, essentially, the attack chain also was expensive to, maintain. They had to do every angle or every part of the whole attack chain themselves or somehow package it within their c two infrastructure. Social engineering also was the main thing that was getting them, access or their lures in Microsoft, as we mentioned earlier, had basically macros, that we're allowing by automatic or default, executions on local machines. It was pretty easy for users to click one box and infect themselves. That changed in July two thousand twenty two, and we basically had the new infection vectors, that they tried to use afterwards. Not so effective. Things like l n k's or ISOs or JavaScript where they were fifteen some different steps you had to do, and it was unlikely that users were basically going to do the whole chain of events in order to infect themselves. So what we have today is, as a result of that law enforcement action in bad actors having to adapt, They started to look towards things like commoditized malware and taking things off the shelf. Things like info stealers were already on the rise. They were basically coming up and becoming more sophisticated, but this actually really accelerated that. What really mattered to the endpoint actors, in order for them to be able to install some sort of ransomware or to extract things is just the access. That's all they care about. They need to basically get those different victims listed so they can actually attack them. So one of the ways that the teams or the people that do the actual initial access, brokerage for them was they started to use malvertising. And this is where you have common apps that you might have on the Internet where people look and try to find some sort of a download for maybe Zoom or Slack. And these types of things were leveraged by threat actors to create fake ads, and the ads always show up at the top of the list when you do a search. And since end users are accustomed to searching for things, they just pick the first thing. And that way, the actors can set up a fake website, essentially, that is a mirror of a real download website for Slack or Zoom, and then they have their malware that's actually injected as part of the process. The technology was essentially no longer as centralized as it was, with the old take downs of the past. So for the most part, they were more resilient to being able to be taken down, although we still seen some action to it. They also, are leveraging a mature ecosystem of criminal services. There's best of recode. There's a whole criminal infrastructure that essentially is, partners or a web of partnerships where people trade services. So this leverages that. Speaking of those services, some of the independent services that were out there, like Ghostox, have had some very, burgeoning partnerships with modules for the info stealers. So the impact is basically we have, an expanded and diversified malware economy. It broadens the threat actors, community access with common tooling, which is very important because then people can move from team to team in order and have the actual exact same tools that they're accustomed to using. In the users, actually, as we mentioned, infect themselves because they're searching for apps to install. And when they go to install the app, actually, it does, in a lot of cases, install it, but it is also putting some malware in there for along the ride. So here we have basically an example of the one of the partnerships. Ghostox has been working with Luma, and we had created a blog on this that we'll send out to you afterwards. But, the main idea here is that LUMA has a second punch now where most of the cases in the past, Infostealers would run once, and they'd be done after ex exfiltrating all the data from your system. In this particular instance, the threat actor can, from the c two panel, actually decide to install Ghostox on a particular victim, and then that victim has a persistent backdoor on their machine. What will happen then is that the threat actor can essentially run commands and browse through that, SOX proxy. That SOX proxy, could be used to do spam or fraud, or they will sell that access to somebody else. And then that basically is just another issue for your environment. Here's an example of basically some of the law enforcement take downs and how it's leveraged, essentially by large ransomware type groups. Bypass, you probably heard about, had a issue recently where they their chats were released, and, we took some time to announce do some analysis on the the chats. We found that, basically, when operation Duck Hunt took down Quackbot, which was in August two thousand twenty nine, of two thousand twenty three excuse me. Basically, we had, essentially, the threat actors have a, oh, crap moment because they didn't have any of those initial access vectors coming in anymore. They had to find something other than quackbot in order to get their foot in the door. So as you could tell with the listing of the different chat topics here, this is a map of what the chat topics were over a period of time in with September first being after the takedown. As you could see with the Steelers, it actually starts to increase over time. Eventually, Black Vesta decided to move more towards brute forcing, but this is from another blog that's gonna be coming up soon. So look out for that, which gives you a more in-depth, sort of overview. But Black Vesta did have in their panel a Steeler module. So what's in a Steeler log? Why are these such an issue? Well, you can kinda see, what we have here in this page is at the bottom, we have a a, atomic stealer. Basically, the log that shows you the key chain access, and the key chain access for your macOS is essentially where you save all your passwords. Also, you could see there's autofills in there. There's some brute force ideas. Sometimes there's more than zero bytes in there. That one just happens to be empty. But, you can also see cookies. You could see things like desktop files inside of this or browsing history or even desktop screen captures of what you were doing when you installed the malware. The, really critical thing too is from a financial perspective, it also will pull out credit cards from the browsers or it'll pull out cryptocurrency wallets from different apps. It will also, basically look at different common application installs to see what may be saved for credentials. So the really important thing and something to think about how you could pivot or very easily get into a corporate system if if a user at home installs essentially, a malware that is an info stealer that pulls data from their remote desktop application, whether that's VNC or something else. They can then basically get the access to that remote system. So if they use that in order to remote into their workplace or their enterprise, you could see how that would be a big problem. Some of the common apps you can see on the right, there is AnyDesk, Telegram, TypeVNC that are listed at the top there. That actually is a Luma c two, log that's shown. So let's meet the, top malware, Essentially, inside of our, our top list, I guess you could say, on the Windows side, you see Lumacy two. By far, it's the most common sealer infection we've seen in two thousand twenty five. We expect this to continue. LumaC two has seen some constant, development. There's been a lot of, things where different browser, creators will try to lock down things like cookies or stuff like that with encryption, but then matter of days, this developer from Lumacy two comes back and has a workaround for it and still has access to it. The it's essentially a cat and mouse game with detection. We have we we have quite a few different pieces of the ecosystem where the actors are able to take their malware, send it to a particular encryptor or a loader service. And from that point, it has a whole new attack vector and is able to get in quite easily. The as we already mentioned, we pull unique configs on the configuration with Luma c two, and we also have that GOSOX partnership we already talked about. So if we have, essentially, Max, are we okay? Well, not so much. If you take a look at what we also have in the ecosystem, we have Atomic Steeler. And what we've noticed so far is that this is growing and is increasing in size in the amount of, atomic steeler logs that we're able to collect in the dark net. And this is probably one of the fastest growing even though Luma is growing so fast from what I see. The same type of malvertising is used for, basically, these third party, apps vectors, where if you're trying to install, for instance, a particular Mac OS application, they will be out there mirroring those download sites and doing malvertising to get you to choose them first, and then they come along for the ride. One thing to that's really important to note with the malvertising is, just to touch on it again, we see basically some of these packages that they put together installs this info stealer, but it also installs the real app. So the end user doesn't realize something has actually happened. Logs are also including the keychain info, as I mentioned earlier, which is pretty critical. And now I'm gonna send it over to Damon. Thanks, Joe. And I see there's a question, in the q and a that actually segues perfectly into the next part of our conversation. And that question is how good are EDRs at preventing malvertising from being successful, and can they bypass EDRs? And I think the unfortunate reality is even though EDRs are fantastic and critical parts of your protective mechanism, you absolutely we do absolutely have issues where some of these different technologies and malware are bypassing the EDR. And, you know, this number on the screen is specifically talking to that. In the first quarter of this year, we discovered we pulled in from our dark net sources ten point seven million infections of systems, and sixty six percent of those had an endpoint security product of some kind, an AV or an EDR, deployed on that device at the time of infection. And so the unfortunate reality is that there isn't a silver bullet in stopping malware. There isn't there isn't something that could stop every single case. And we'll talk a little bit more about what some of those what some of the reasons might be for this. But our reality as as individuals that wanna protect enterprises is that we, you know, we have EDR. We have to have it. It's a critical piece of that solution, but we have to realize that some things will get passed. And are there ways for us to understand, and what can we do in those scenarios? And so I wanna talk for a little bit about this kind of larger ecosystem of of malware. You know, I think Joe just gave us a great, bit of insight into what we're seeing, particularly in the info stealer part of malware. But I think it's easy to get kinda lost in. Well, we talked about all these different variants. I think we'd last year, we had sixty four variants of of Infosys we are tracking. We're up to seventy five different variants already this year. How does all that fit into when an actor is trying to target an enterprise or trying to to gain access and find a way to make money off of one of our companies. Like, what's going on, and where does LUMA c two or any of these infrastillers fit into that? And how can SpyCloud get this data, and what can you do about it when that happens? And so, so all, you know, all endpoints, endpoint security solutions, and really all kind of malware detection solutions are trying to find any place in the attack cycle that an actor is trying to take advantage of a weakness, and you wanna detect that and you wanna stop it. And so when you think about the attack life cycle, many forms of malware may play a role, and the things Joe just talked about are just one of those bits of malware. So if you think about somebody trying to attack an organization, it always starts with the entry to that organization. You see in this first column on the left, they could get in through a phish. They could get in just with stolen identity and credentials, which is something that we we see quite a bit from spy cloud's perspective or social engineering. There's a variety of ways to get entry to a system, and that typically happens very quickly. And once they gain entry to a system, they immediately move into what I like to think of as the recon phase. They're trying to establish some level of control so they can run more malware or some level of connectivity. It's often automated. There's there's sometimes not, you know, any additional steps. And then they're trying to figure out where are they? What have they gained access to? Running an info stealer has become the primary way of getting an inventory about that computer and about the rest of the system. They wanna know things like, are they on a domain? What kinds of applications are installed? What do these users have access to? Do these look like administrators? Like, where have they landed? Right? And they at at the beginning, they don't know. And an infostealer is a really well established set of infrastructure that allows an actor to run this tool really quickly. It goes up to a command and control or to a panel, and then they can gain access to that data right away. They'll also run other tools to do network mapping or to to run domain enumeration. So they're trying to figure out where have they landed, and that infostillers a key piece of it in most of these attack scenarios. Then they move to the entrenchment phase. Right? And so they know a little about where they are, and they now wanna move laterally within that organization or they wanna disable security apps. They wanna figure out, can they get to privilege escalation? They form a back door back to their command and control. You know, I'm not gonna read all of the boxes, but there's a lot of steps that they'll take to entrench themselves within that organization and to make sure that they can then move to the next step. A lot of times, once they've entrenched themselves, that's the point that they might sell access to another actor. That's a point at which they might, you know, go to an initial access broker, sell it, and then a ransomware gang might purchase that access, or there's a variety of ways that access can then be distributed. And then they move to the the disruption or the monetization phase, right, where they've got access to that organization. They wanna steal something they can sell through IP theft, or they want to, lock you out or, you know, domain lockout, admin lockout, data theft, data encryption. All of these core components are what often make up a ransomware attack right at the end of the day, usually with many forms of malware. And so we're talking about how do we understand this entire life cycle. And what Joe was talking about is, you know, we've been able to, with our interaction with the actors, gain a lot of access to this info stealer part. And if we can detect and see that info stealer event, it can help us to know that the controls haven't stopped them from getting this far. And can we then take the take steps to get ahead of the entrenchment and the disruption phase? And the sooner in this life cycle that we can stop the threat, the the cheaper it is for us to fix it. And so endpoint security is an absolutely critical part of this. Right? You know, regardless of of whether spy cloud sees that info stealer, you need this endpoint security solution to help you try to detect the entry, detect the reconnaissance phase, detect the entrenchment phase, and then stop a ransomware. I know we have a lot of endpoint security products and EDR products now. They have tools to stop the actual encryption activities. All those things are critical. And like I said earlier, the sooner that you can detect it, if you can detect it at entry and stop that phish from being successful, well, you're stopping the rest of this life cycle. You're protecting your business from that damage. So all of that is really important. But, nonetheless, no security solution is foolproof. Right? There are mechanisms. It's a as as Joe said, it's a cat mouse game. The actors are always working against us. They are always they themselves are installing the popular EDRs. They are finding ways to get around them or to suspend them. I know when I spent a lot of time in incident response, the first thing we would see with these these, these attacks would be that they would go after immediately whatever the EDR was and take steps to disable those processes or to find that registry configuration that would make it so that, signatures got turned off or they would take whatever steps they could to somehow limit that that that technology, and that game is only escalating. It's not it's not getting simpler. And so what can we do with the kinds of things we've been talking about today? Where can we apply knowledge of an info stealer event? And so in that recon phase, you know, as you see on your picture here, so we have the attack entry. In that recon phase, if a successful info stealer, successful from the actor standpoint, does run and gather that data, that data gets sent to the criminal underground. And then often within minutes, Spy Cloud can gather that information and feed it to our product that we call Compass, which provides malware protection. As soon as we get that data, often within five minutes, we could deliver that to, to our customers through our integrations. And then we have integrations with popular endpoint detection or response platforms such as CrowdStrike, such as Defender. We can immediately take that information, either make your SOC aware, or if configured, we can quarantine that device. And the goal is to take the knowledge that an info stealer did run, run it through the spy cloud compass product, get it to your EDR, give you the ability to take steps before it can reach the entrenchment phase or before it can reach the disruption phase. And the sooner we can figure that out, the more we can protect you from that that eventual disruption. And so why why is this happening? Right? This is a pretty common question of, you know, I I've invested in a very strong EDR solution. I know it's blocking things. I'm getting the alerts. You know, how is this still happening? And the reality is this is happening to all EDR vendors. Like, we we have the data. We can see what's installed on those systems because the logs tell us that no vendor is immune to, you know, to these types of events that that do slip through at times. Why could it happen? We certainly see issues in systems management such as an out of date endpoint software, failure to install security updates, systems sporadically online, or sometimes policy management issues. This is way more common than you might think where something is being interfered with by the endpoint security solution or at least you think it is, and an administrator might turn it off for a little while and then just never get a chance to go back and to reconcile that particular issue, leaving that system vulnerable. That's a very common scenario. I know when I did a lot of IR, that was way too often what was actually happening. But then there's also just the reality that, those actors are always working against the endpoint security solutions. Zero day exploits, do exist. Unpatched vulnerabilities are out there. There are there are always innovations in malware such as memory only malware or specifically EDR targeting malware or polymorphic malware. And I think Joe talked to some of the things. Luma c two has made a business, to finding ways to get around these detection mechanisms. And so all of that fits into a a spy cloud architecture that includes Compass. So the Compass feature set allow us to gain access to these the malware logs that can be connected directly to your domain, and it that information about the infected user along the top can then be used directly to respond to your employee systems or to, other people that have access to your network. That could be directly integrated into your active directory guardian where, sorry, to your Active Directory system through our product called Active Directory Guardian that can automatically take action to reset passwords that are found that that are found through these malware logs that could be used against your enterprise. It can also be integrated with your SIM and your SOAR so that you could take automated actions that are unique to your enterprise. And then on the bottom of the screen, we have this integration with the endpoint detection response system, which we're gonna talk a little more about of how this information can be fed directly into the EDR so that you can then take immediate action in order to protect your enterprise. And so using the Compass product, you can detect unseen infections. We provide you conclusive evidence that there was a malware infection. And it's important to realize that, these infections occur on on enterprise system or enterprise controlled or managed devices that are managed by EDR. But we also often discover infections that occur on unmanaged devices. Maybe an employee went home and had to log in from home due to some critical issue. Well and they didn't realize that their kid's computer was also used to install mods for Minecraft or Fortnite, which provided that opportunity that Joe mentioned for someone to accidentally to you know, not accidentally at all. For Mowers to maliciously put, some type of insert into that package. This is way too common of a case that we see. Your favorite skins on Fortnite are, you know, the thing that cost you your corporate credentials. And then you have things like, you know, password sharing that can make passwords move between people's computers when you log in from multiple places. So all of those things lead to information that ends up getting shared, and those come through unmanaged devices. We cannot resolve those with the EDR because you don't most companies don't have policies that re that require the installation of that EDR on their home computers. But you can at least detect those, and you have conclusive evidence of whether it's an unmanaged device or whether it's a managed device. When it is a managed device, you can also take advantage of automating your response to make sure that that corporate device is protected. And then your goal in all of this is to block that entrenchment phase as early as possible and hopefully to stop ever reaching the disruption phase. And so let me show you what that looks like, when it comes to, our you know, how you can see it in the spy cloud interfaces. And so what I'm showing you here is the spy cloud enterprise protection portal, and, you know, there's a wide variety of features that we could walk through. But today, we're just gonna focus on the Compass set of features where we have this little section here, the Compass compromised device list. And what you'll see when you look at your set of compromised devices is each of these represents an infected computer, that, that gives us information about an infection that happened and all the information that was stolen by whatever that infection is. And let me also say at the get go here that what I'm showing you is sample data. This is data that we create for the purposes of showing how the product works. We're not showing you any sensitive data. If you wanted to specifically see how this could impact your organization, we would love to set up a demo for you. Feel free to reach out. But as we're looking at this sample data, wanna walk through just a quick example of here's a place where we see a computer that was infected that has a name that looks like something I might see in my enterprise. So if I click on that specific one, I can see the types of data that was stolen by this. And let me just just continue to reiterate here. We have no access at all to this computer desktop eighteen ninety six. What we have is access to the information that the bad actors stole about this computer. So we know the system name. We have a little bit of data about the system owner. We can tell it looks like it could be a work computer because it's a Windows ten device. I can then say, well, what's the likelihood that this was actually, you know, fits within my world? And I could see when it was infected, and I could see additional details about the country that it's likely to be in. And down below, I can see the list of applications that that login details were stolen from when they stole the data off of this specific computer. So if I go back to that just to show you another way to view this same type of information, you can also look at this in a graphical form, and this just gives you another way to view that we have a computer that was infected, and we have access to, the list of applications that were accessed by that computer. And you can see often there's there's things that are interesting. The fact that the one login credentials were were, stolen. This hopefully, multifactor authentication was deployed for this enterprise. But even if it was, you just went down to one factor, and, you know, you're depending on that MFA step, to protect you. So you would love to reset those password credentials, which you could do in an automated fashion. And then, you know, you could see the other list of applications. You could see that this user also had a GitHub account. Gives you an opportunity to make sure that all of your applications are in fact managed by your SSO and that you don't have, you know, some credentials slipping out for some type of shadow IT or or access that you may not be aware of. And so this is just a view into we have a computer. It's desktop eighteen ninety six. It does, in fact, appear to be infected or experience an infection moment. And so then you can also see how that would integrate into your endpoint detection. So we offer, as I mentioned before, very straightforward integrations today with CrowdStrike and Defender with more to come. And what you're looking at is the configuration page for our integration with a CrowdStrike deployment that is managing this sample data, the sample environment we call spare factor dot com. And here you can see beyond just basic configuration, the types of things that we can do is that when you have this this configuration enabled, we are always running. We are responding to the detection of new malware events. When we see those, we have the ability to send a daily report to to folks that need to see it. We can also, configure to send notifications at the moment of detection so that what you're really getting is a check between I see a spy cloud event. Does it match to a CrowdStrike managed device? If so, send an email or open a ticket. You can see we support sending tickets into Jira or ServiceNow with more to come. We'd love your feedback on what else we need to add. And then if we see that match, we know there was an infection of that that that could impact or did impact a managed device. We also support automatically isolating those devices when they appear. This is an option that some of our customers are interested in. Many are not quite ready to do that isolation depending on the impact that it has, but that is an option should you need it. And, of course, if you want that, you have to you make you go through a few steps to make sure that we do understand you. You understand the implications of automatically quarantining devices, and most of you have EDRs. You're familiar with this, you know, this conversation. And just to show you what this data could look like, moving to the part where we can show you what is matching between what the spy cloud data looks like and what the CrowdStrike access has. In this part of our configuration, we show you these are the latest compass matches, the data coming from spy cloud. And then down here in this table, we'll show you which ones do map directly to crouch to endpoints that are managed by CrowdStrike. We can see here that desktop eighteen ninety six we were just looking at with a specific username was in fact matched as a managed device. And then I can, you know, I can understand that. A notification would have already been sent. But if I wanted to, I could come in here. I could click that option, and I could say confirm. Please do quarantine that device, and I've now taken a manual step. Of course, you could have done that through CrowdStrike as well if that was your if that was your preference, but we wanted to give you one place to understand it and to respond as quickly as possible. And so at the end of the day, it's a straightforward connection between the data that we have and the ability to respond to it within your own EDR. So I'll stop sharing, turn it back to Joe. Thanks, Damon. Yeah. That's really cool how that works. I'm really impressed with the integration between that and, you know, CrowdStrike. Awesome. Yeah. I wanted to do a little slide here just to kinda go over some things to basically help you with, these threats even if you don't buy our products. This is something we wanted to do just to help everybody. So enterprise tips basically that I have for you are, an advertising threat is quite the the vector here. And it seems like, you know, we had this happen in the past where you had, essentially, maybe in two thousand, you know, eight or so, there was malvertising injected from, you know, ads in ad brokers. But now we've kind of evolved where the actors are stealing, like, AdWords accounts for Google or Bing advertisement accounts, and they are very often putting it in those search bar, essentially searches where they're the top thing for the install of a particular app. And from that standpoint, you definitely want to try to use some sort of ad blocker, and that seems to be like the primary thing that I found in in environments in the last decade or so that really help on this. Also, you definitely want to have your users know where to go to install their applications. They should be basically going to their corporate app store, especially on their corporate machine. They shouldn't be allowed to install random things, just from things that they download from the Internet. Endpoint management solutions can obviously help with this, but, having that known place where where to go or be able to push apps to or official approved apps is very critical because that cuts this off from being an issue. Obviously, as well, if they don't have that particular app in the App Store, they might go and find a pirated version of it. That is also very bad. That's like the number one vector, basically, for these things to get installed for an Infostealers to come along for the ride. And, again, with Infostealers, they just upload that data to a c two. And a lot of times, they don't leave anything behind, and you won't really know that you're infected, especially if they have been ingenious with their deployment where it actually installs something at that same time. It looks like it worked to the end user. The other thing is the holistic identity lens. Basically, if you can have, visibility or as much visibility as possible into their an end user's past, present work, or personal data, this actually helps you. We have a product called, investigations that gives you a deeper dive access into a particular person and what they might use for passwords and things like that. That often is something I found even in my years of do being a sysadmin that comes back to haunt them where they use the same type of password. It's always their dog's name or whatever, and that actually could be used to attack the enterprise. Password hygiene, speaking of which, ensure passwords are not reused and similar with across the enterprise. This is something I keep seeing where, uniqueness is not necessarily enforced at a level where people are having to make a really unique password, and they could just depend different characters onto it. So make sure you do those password policies. And then, of course, MFA. MFA is basically the biggest issue. Security is an onion. You need these layers. Not no single layer is going to solve the issue, but having that extra layer there, I can't tell you how many times I've seen it save people. And then we wanna talk about some of the end user devices and personal devices. Again, pirating is really bad. This is something that I would definitely give education to your users that installing pirated software is almost always going to give you some sort of thing along for the ride. Otherwise, what's the incentive for actors to basically put this stuff together and send it out there? It's basically the number one thing. And, again, installing the ads or through ads is a bad idea. Please try to train users or remember, to understand that in if you search for something in the search bar, because everybody goes and types something, I wanna I want Zoom. Right? Go to the search bar and I type that in. Boom. You get an ad for Zoom install. Well, why not go to the real Zoom site or just type Zoom dot com in? Because that actually is the right way to usually define things. And then, again, as Damon was already talking about, like, skins for different software or rather games or cheats for games. I've seen in YouTube where different actors have actually put very intricate sort of, sort of, I guess, you could say promotional videos for their malware, where you have the ability to get a cool skin or essentially a cheat for a game, and then they go have you download from, what they call their deployment site or their install site. And, essentially, it's just, again, another malware thing. And then also separating personal and work, don't mix passwords. Once again, I think it's a good hygiene thing for everybody to get kind of in the habit of. Password managers are also pretty good. That's basically something that I usually recommend for everybody from a Hoho user. And, again, ad blockers are very good. Going back and keep driving on that one, I think that even though you do get blocked when you go to certain sites, remember, when people come back and say, oh, I I don't use that because I can't read my news articles. Well, you can make exceptions for that news article site, so don't forget that part of it. And then finally, MFA forever ever. If you can do MFA, do it. It's that extra layer that usually saves you. Wonderful. Okay. But we have some time for some live q and a. A few questions came in. There were some issues we're seeing in the demo on the Zoom video. So we'll make sure to send out a recording of the sessions so I can see the spy cloud demo in action with Compass and the endpoint protection integration. So go ahead and please ask your q and a. We have time with Joe and Damon, but there's two that came in. And the first one be for you, Joe. More about the evolution of info stealers and this cat and mouse paradigm. So how would that impact future prevention strategies if the technology is always evolving? So the Infosteeler, community or the these particular types of criminal ecosystems are usually trading secrets amongst themselves in order to get around any endpoints like Damon was referencing. So you really need a layered solution, and you need basically an idea that you will catch certain things at certain times, but you want to also be able to monitor and actually do your own recon instead of them doing recon on you. And, essentially, that's where we try to position ourselves to layer in there to be that check to prevent, those unique things that they basically come up with in the back end or trade amongst themselves from actually making it successful into your environment. This way, if they do get in, now we can actually tell you about it, and and you'd probably be able to go back and figure out why and then plug the hole. A few more live questions are coming in for Damon and Joe. More about infostealers. Any more tips for enhancing prevention and early detection? And then, some information about how to actually triage when you get an alert from your EDR that an infostealer is present. So as far as tips for best practices, I'm interested in your thoughts too, Joe. I mean, I think the reality is enabling your EDR to be as draconian and strict as possible, the less likely you will be to install malware. I mean, we all live in a in a company, and we all, you know, face the restrictions where the companies won't let us install software packages or run macros and those types of things. The more you can, you know, constrain what they're allowed to install, the better. And, you know, sir well, the better from that perspective. I can't, you know, I can't comment on the complaints you're going to get from, you know, from your users because we all face that too. You're also you know, the more that you can, kinda make sure that you're keeping up with the the updates and that you're responding very critically to any alerts from your centralized control that a system has been taken out of band. Right? I mean, I've I've I know from my experiences, I mentioned I've done a little IR. There was usually an alert that system x y z stopped responding to heartbeats from the centralized control of the EDR, and there wasn't necessarily a playbook to to deal with that, right, or to understand how to manage that. So things like that, really give you an opportunity to know that something something is amiss. It also means you're responding to a lot of things, like they went to a weird hotel and the Internet CO service sucked. And so, you know, there's a little bit of downside with with those as well. Any other thoughts there, Jim? Yeah. I I think, actually, you're definitely on the right track with everything there because the more you monitor the situation, you kinda get a pulse for things, and you want to use the, basically, the filtering in in your seam or sore in order to essentially get an idea of what really matters and what doesn't. Everything is gonna require tuning, but that's where the expertise comes in, and that's where the humans come in to be able to help with the automation to find the unique things, things that are novel, things that are out of the ordinary, because there's always gonna be what I call confirmation errors. Absolutely. And then to the the second part of that question, what are the best steps to triage and if a stealer threat that's been alerted by, by the EDR? I think we recommend you quarantine immediately. And then I think that usually, the next steps we would recommend are the same next steps that your EDR vendor is going to give you. Quarantine that device, scan for additional malware, look for the things, the indicators. Often, we see an Infos dealer will run and then delete itself, and leave no trace that it was ever there. But, yeah, that's hard to tell the difference between that and a very good maliciously hidden, piece. And so what you'll have to piece of malware. So what you'll have to do is, you know, you'll get to the point where you've run all the tools and you've made sure that there's nothing there. We always we always recommend that you, of course, you have cleaned the system. If you can go to a full fully clean system, that is recommended as well. But then you do need to take the next next steps, which are understanding the things that were stolen by that by that info stealer, making sure you've reset all the related passwords, make sure that if they stole things like Coinbase seed phrases or any other tokens that, yeah, that are that are in there, that you've reset those and that you've also reset session cookies, that could be used to access all of your enterprise accounts as well. So all of those are great steps. There's automation that could be added for many of those, for many of those issues, to help you do that in an auto to do that quickly. Yeah. I I also want to add in. You can also leverage things, like network access control. If you actually have them on your campus, you can follow the OSI model. And what I always do is start at the physical level. If I can, I'll just shut the port off. And that way, I know they're not gonna be talking anymore. But I would also do other things too. Like, if they're outside the network, then I would revoke all their cookies, and all their logins would change and immediately be locked. So there's things like that that you can do, and you can kinda go up the the level depending on what kind of controls you have available. We have a few more questions. Damon, you mentioned cookies, and, this might ask, what are you seeing in terms of the amount of stolen cookies and stolen passwords and how they're being used by bad actors? Yeah. Excellent question. You know, if you just looked at the proportion of the stolen cookies stolen, versus passwords, it's easily ten x the number of cookies are stolen on a on a given device. And I don't have that specific number, but it's way more than ten x. We're getting on a single device, thousands of cookies are stolen that give a lot of information about that user's behavior as well as, often cookies that can be used to bypass multifactor and to bypass all these these great improvements we made in, passwordless technologies. And so, but I still think so I don't have specific numbers for you, so I'll give you an anecdotal, you know, my view of it. And, Joe, you should offer your opinion as well. Right now, we still see passwords are still the number one vector. Right? They still work way too well. And then social engineering to get through MFA if it's in the way, but there's still so many places where MFA is not implemented, not implemented correctly or fully. Passwords are still the key vector. We'd love to say it's not the case, but, I mean, it's very much the case. Now for things like accessing financial systems and for, you know, very high value targets, we do see the the movement of actors to start using cookies. And so we have one customer that, you know, they reset thirty thousand cookies a month, just alone on the on the knowledge that they have active they found active cookies within their, in that case, consumer facing application, but you could do the same for many enterprise applications. And so we see this as a growing vector. We don't have numbers, good numbers to say whether, you know, what the proportion is of cookie usage and session hijacking is versus, versus credential usage. Joe, did you have more thoughts? Yep. I think, the other thing too is if you have control of how the cookies are issued for your internal enterprise apps, set time to live on them. Make sure that you basically make them expire or become invalid quicker. It may be inconvenient for users in some instances, but it also may save you because sometimes it takes time for the actor to actually figure out what they really have and then actually to bang on it. So if you have it expire before it's actually valid, that still is something that's going to save you in the end. And that's also why the passwords are more effective because peep people basically are looking at the password still as the first thing because it doesn't have that time based sort of thing where it has a time to live. Yeah. And the next couple of questions, Joe, are about, recommended ad blockers. I don't have specific recommendations here. I haven't looked at enough. I just had the one that I use. Do you have specific recommendations? Yep. MuBlock, light origins, is what I tend to use in a lot of cases. And what I do is I turn it up, to the max amount that they have for the support or add other, different lists to it. But pretty much the list that come with the default are pretty good. The only thing that's bad about the the light version of it is that it comes at a lower sort of level. So you there's like a slider where you can turn it up as you click on the icon as you for your extension. And that slider, if you turn it up to the top, it does a really good job, but it starts at, like, the second rung, and that's kinda, and so I I think that, there's a lot of, back and forth with the different, advertisers out there where they're trying to push back on, you know, not being, able to have these sort of things. So, again, you can always click on it, make an exception for that website, and get past it from that. But, definitely, MEW block origins lite is where I bet. Alright. Okay. Wonderful. Well, thanks for joining, Damon and Joe. We appreciate all the knowledge about malware and endpoint protection. We'll send out a recording of the session if you wanna see a bit more about the topics or watch the demo again. But, again, please reach out if you have any more questions about everything we covered today, or you wanna schedule a personalized spy cloud demo that talks more about your organization's data and your own domains. But, otherwise, we're running a a offer for the next few months. So anybody who wants to go ahead and purchase our enterprise protection solution that includes the Compass product that Damon demoed, we're eligible for discount before the end of June. So please reach out with more questions, and thank you both for joining. Thanks, everyone. Appreciate the Thank you. Appreciate your time.