Hello and welcome to the Friday, August 15th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.

And talking about our bachelor's degree, we do have another guest diary by one of our undergraduate interns. This time Joseph Noa is writing about how AI tools helped Joseph to better understand some of the events during the internship, where our students are typically analyzing alerts that they see in their honeypots. This particular case looks at some issues like, for example, analyzing logs or analyzing little scripts that were found by the honeypot. So, for example, better understanding what certain commands mean and do, and how their impact may affect the particular honeypot environment system. Here we have a very typical example in this blog post about a command injection attack and details like the nohup command, for example, in Linux. What this does is, well, yes, you could probably figure it out with Google as well, but it's much easier to get it explained in context by various AI engines. As usual, and in particular as a beginner, be careful: verify your results so that you are not ending up with a very plausible but wrong hallucination from the AI system.

And AhnLab is reporting about an interesting new way that proxyware malware is being distributed. In this case, it's a YouTube video download site. What's happening here is that you have websites that allow you to essentially quickly download a YouTube video, the actual video file. One example here is YTMP4, basically YouTube MP4. You provide it with the YouTube link and in turn you'll be able to download an MP4 file with the video, or at least that's how the site is supposed to work. In this case, what you end up with instead when you're downloading this file is, well, malware. You are ending up with a setup script that will then install the proxyware. If you're not familiar with proxyware, it's not a type of malware we're really talking a lot about, but it's certainly quite popular and common. It is basically used to turn your PC into a proxy. And then the attacker will essentially rent out your PC to allow other attackers, or just people who want to watch sports online or such, to actually use your PC essentially like a VPN via the installed proxy. This often has, of course, detrimental effects on your system. And of course, they can at any time also install additional malware on your system. For the affected user here, this is probably one of the less critical pieces of malware that you could possibly have on your system. But keep in mind that it's often used for illegal activity, which of course then may also get you in trouble, as the traffic is being traced back to your IP address.
And Horizon3 is at it again with a great write-up with details regarding a vulnerability, actually two vulnerabilities, in Xerox's FreeFlow print management system. This particular set of vulnerabilities, an external XML entity vulnerability as well as a path traversal vulnerability, will get you full remote code execution on the vulnerable system. I particularly like the discussion here of the external XML entity vulnerability, because I think they are actually quite common but often overlooked and not really well understood as far as their severity goes. So definitely a good write-up here if you're not sure what you're going to do. If you are using Xerox's FreeFlow Core, update now. The patch for this vulnerability was only released, I think it was last Friday, on August 8th.
Well, it's Friday and I have yet again another SANS.edu student to talk about their research project. Darren, could you introduce yourself, please?

Yeah, absolutely. I'm Darren Carstensen. I'm one of the MSISE graduates and a fellow co-worker in the security realm.

Are you done with the degree now?

I'm sorry. I am. I just finished up last month.

So people can trust you now, but your paper was Zero Trust. So what was the paper about? Can you just summarize that a little bit?
Yeah, yeah. The paper was born out of a bit of frustration I had, where I was being tasked with helping solve customer problems, and one of those was around zero trust network access, which in the name implies zero trust. But I found in reality there were some big differences in what was actually being executed. So I decided to build a research paper around how you can actually measure the amount of zero trust in a zero trust network.

Great. And now zero trust, of course, one of the problems is it's actually not as much anymore, but it used to be one of those hot topics. And now it probably is how to use AI in zero trust. But there were sort of a couple of definitions going around. In your opinion, what's one of the critical things from a technical point of view that you look for to see if zero trust is actually implemented?
Yeah, it's basically going back to understanding that you need to go away from the trust-but-verify principle and move more towards never trust, always verify, and be doing that across the entire IT spectrum. So not just focused on doing it in networking or only in identity, but doing it across really the five different pillars, which would be identity, devices, networks, applications.

So how do you measure it? It's like we always look for something you can measure in our research papers.
Yeah, so I mean, ultimately, the government, the Cybersecurity and Infrastructure Security Agency or CISA, came out with a decent way of measuring your maturity level within zero trust, and they call that the Zero Trust Maturity Model; version 2.0 is the latest iteration of that. And it really helps break down not just are you doing zero trust, but at what maturity level are you at. You know, just one example is, okay, say you're doing identity security practices and you have multi-factor. That's great. But do you have things like phishing-resistant multi-factor authentication, to help measure, oh, you're not just doing MFA, but you're doing it in a better stance than everyone else?

That's actually a little bit of a favorite topic of mine right now, the phishing-resistant part. Can you just tell us quickly how common multi-factor authentication is that is not phishing-resistant?
Sadly, it's still, I would say, fairly common from my perspective, from what I've seen in the real world and in production environments. In some cases it's legitimate reasons, like we've got folks that don't have equipment that can support that; other times it's cultural. But oftentimes we still see, you know, allowing things like SMS, allowing things like basic push notifications that don't have a lot of context or data or information presented to the end users. So I feel like in the number of conversations I have with customers, it's almost 50/50: folks that are beginning or are doing some phishing resistance, but also the other 50% still.

And what does phishing-resistant multi-factor authentication look like?
It gets rid of some of the older things that can be taken advantage of. The easy and common examples are around SMS messages that would give you those one-time passwords, where essentially it's giving you that password, but oftentimes people will phish users to try and get that token and get them to pass it on to the attacker so that they can leverage that as well. So moving away from that and moving more towards things like biometrics, or even push notifications that can include more context, like it's this person's identity coming from this geolocation at this time, this IP address.

Yeah. So phishing is, you know, one of the attacks here that zero trust kind of tries to address. Of course, we're not implementing security controls without any real threat that we're actually blocking here. As part of your research, what type of attacks did you consider?
So I tried to cover a variety of different things. I went through each one of the pillars and just picked a simple, well, relatively simplistic example, and it ranged from identity on that side. I did some simplistic things like, can we just do role-based access control? And then also, can we do step-up authentication with multi-factor to say, oh, if a user is accessing a sensitive resource, can we, based on that sensitivity, do step-up authentication? I went into the device side and measured, okay, can we evaluate, does the device have disk encryption? Does it have healthy endpoint protection and antivirus definitions? I went into other areas, and one of the more interesting ones, or two interesting ones, was around the application layer, where I did some SQL injection to see, is it application aware? Can we actually see what's going on there? And also passing malicious content to see, can it identify when someone's passing, in one specific instance, a Meterpreter payload or reverse shell payload? Is that able to be detected and picked up upon? Are we looking truly at the payloads? And then the data layer, which I thought was going to be straightforward, was looking for data loss prevention. Can we just pick up simple things like PCI or PII data, which is pretty common in most environments? And can we do some actual detections and preventions and blocking around that one?

That last step with DLP, how did that go?

It was a little bit surprising. I picked five different vendors. Three of them are leaders in the zero trust network access space. And then I picked a more niche one, and I picked a small/medium business one. Almost nobody was able to pick up on the data loss prevention. And the simplistic test that I had established was a remote user just trying to access and upload and download sensitive data from a Windows file server, you know, using the SMB protocol. And only one provider out of that space was able to actually do the PII and PCI. But they didn't pick up on malicious content. And the one provider that I thought was going to be the most robust, because they advertise having "enterprise DLP", and I put that in air quotes, their enterprise DLP actually only covers HTTP and HTTPS traffic. So they completely missed the sensitive data being transferred over a Windows file share, which kind of was, I guess, you know, once you get to zero trust, I guess they assume that you blocked port 445.

Or maybe they just assume nobody does Windows file shares anymore.

Probably. Yeah.

These days you never know. Yeah. I have seen, like, DLP, of course, a lot of people joke a little bit about DLP. It's hard. It's a hard problem to do. Like sometimes, even if you do look at the HTTPS, then you look at WebSocket and some of those things that can still be used for exfiltration, even if you are fairly tight. But yeah. So did it at least show who did it? Because that's the other aim of zero trust, that authentication part. Like, if it doesn't prevent the attack, does it at least show who originated the attack?
Yeah. So even if it didn't pick up that it was malicious or that it was an attack, you could at least go back. And if you had some other tool, like a SIEM or some other analytical tool, that would pick up on that, great, the data was there. But in some cases it wouldn't even identify that, and it wouldn't trigger, and you wouldn't have enough insight. You wouldn't have enough logging context to be able to put that together.

Well, there's more detail in the paper, and the link to the paper will be in the show notes, but any final words? Is it worth doing zero trust?
I think it's absolutely something that some of us are doing naturally as security practitioners. I don't find enough folks are doing it deeply enough. They were like, oh, I bought a product like zero trust network access, so that checks the box, right? It has zero trust in the name. So the one takeaway that I would recommend or put out there is that, again, kind of like zero trust implies: don't trust, try and verify. And if you're looking at solutions that are going to increase your security and reduce your risk, test it out, evaluate it against your environment or your own criteria, and confirm that it is going to meet your expectations. Because oftentimes the marketecture, as we call it, is ahead of where they're at on execution.

Yeah. Great final words there. So again, the link to the paper will be in the show notes. If anybody has any questions, there's also contact information for Darren in the paper. So thanks for listening, and talk to you again on Monday. Bye.