Threat Emulation with Andrew Costis
Easy Prey, 11 Sep 2024

Security risks are dynamic. Projects and employees change, and tools and configurations are modified. Many companies bring in pen testers on an annual basis, but because systems are revised so quickly, you may need to implement threat emulation for regular monitoring.

Today's guest is Andrew Costis. Andrew is the Chapter Lead of the Adversary Research Team at AttackIQ. He has over 22 years of professional industry experience and previously worked in the Threat Analysis Unit Team at VMware Carbon Black and at LogRhythm Labs, performing security research, reverse engineering malware, and tracking and discovering new campaigns and threats. Andrew has delivered various talks at DEF CON, Adversary Village, Black Hat, BSides, Cyber Risk Alliance, Security Weekly, ITPro, BrightTALK, SC Magazine, and others.

Show Notes:
  • [1:14] - Andrew shares his background and what he currently does in his career at AttackIQ.
  • [3:49] - At the time of this recording, there has been a major global security panic.
  • [6:06] - There are many programs that we use on a regular basis that we don't always consider the security of.
  • [8:09] - Historically, companies would pay for an external pen test. Andrew describes the purpose of this and how they usually went.
  • [9:33] - Pen tests and threat emulation do not need to be limited to just once a year.
  • [10:45] - Andrew's team is in the business of testing post-breached systems. But they preach prevention.
  • [11:55] - Attackers are lazy in the sense that they will reuse the same strategies over and over again.
  • [14:13] - Many programs we use may be caught in the crosshairs of attacks and vulnerabilities in other companies.
  • [16:41] - Andrew discusses the frequency of really critical CVEs.
  • [19:01] - What do attackers go after when they've breached a system?
  • [21:04] - The priority for attackers is to get in quickly and make the victim's data unavailable.
  • [22:24] - A lot of people are under the impression of vulnerability testers. "Fire and forget it" is not a beneficial mindset.
  • [24:56] - If we run every test, the amount of data will be overwhelming.
  • [27:03] - In his experience, there has been client testing that has been overwhelmingly easy to breach.
  • [29:07] - There are also organizations that have done a fantastic job. However, vulnerabilities will still be found.
  • [30:18] - The red team is not going to be able to cover your entire organization.
  • [32:15] - Threat emulation and pen testing are technically the same thing. Andrew explains how he sees the difference.
  • [33:50] - How are vulnerabilities and tests prioritized?
  • [36:19] - Andrew describes the things his team works on and their objectives for customers and clients.
  • [38:34] - The outage at the time of this recording had a big impact. It gave a really good idea of what could happen if it were a real security breach.
  • [41:37] - There are a ton of free resources out there. The primary resource at AttackIQ is the free AttackIQ Academy.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
