CISSP Cyber Training Podcast - CISSP Training Program

CCT 358: EDR Bypass Ransomware: The Gentle Killer Threat Every CISSP Must Know

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 358


Your endpoint tool can be world class and still get taken out first. That’s the unsettling reality behind a new wave of “EDR killer” capabilities being packaged inside ransomware-as-a-service platforms, where affiliates can plug in advanced evasion without building it themselves. When attackers can blind endpoint detection and response before the ransomware payload runs, the old comfort of “we have EDR, so we’re covered” turns into a single point of failure.

We unpack the reporting on a highly active ransomware operation and its toolset, then zoom in on the technical path that makes this work: BYOVD, bring your own vulnerable driver. With admin access, attackers load a legitimate, vendor-signed driver that happens to carry an exploitable bug, use it to run their own code in kernel mode, and from there terminate the EDR's processes and drivers, a level at which the agent has no higher-privileged vantage point from which to protect itself. From there, we shift to what matters for real security programs: defence in depth, kernel integrity protections like HVCI and KMCI, strict driver allow and block policies, and aggressive driver hygiene to reduce attack surface.
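As an added example (not code from the podcast, from ESET or from the CSO article), the following PowerShell script audits the three hardening points above on a Windows 10/11 or Server 2016+ host from an elevated session: whether virtualization-based security and HVCI are running and whether a kernel-mode code integrity (WDAC) policy is enforced, read from the documented Win32_DeviceGuard class; whether the Microsoft vulnerable driver blocklist is switched on, read from the documented VulnerableDriverBlocklistEnable registry value; and an inventory of running kernel drivers with signer and SHA-256 hash, which is the input you need for a hash-based allow or deny rule. The image-path normalisation and the "CN=Microsoft Windows" filter in the usage lines are my own choices, not a Microsoft convention.

```powershell
# Added example: audit script for HVCI/KMCI state, the vulnerable driver blocklist,
# and the running kernel-driver inventory. Not from the podcast, ESET or Microsoft;
# it only reads documented WMI classes, registry values and file signatures.
# Assumes an elevated PowerShell session on Windows 10/11 or Server 2016+.

function Get-KernelCodeIntegrityStatus {
    # Win32_DeviceGuard exposes VBS/HVCI state (root\Microsoft\Windows\DeviceGuard).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' } 1 { 'Enabled, not running' } 2 { 'Running' } default { 'Unknown' }
    }
    # CodeIntegrityPolicyEnforcementStatus is the kernel-mode WDAC policy state (KMCI).
    $kmci = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
        0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'Unknown' }
    }
    # Documented SecurityServicesRunning values: 1 = Credential Guard, 2 = HVCI.
    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbs
        HvciRunning                 = [bool]($dg.SecurityServicesRunning -contains 2)
        KernelModeCodeIntegrity     = $kmci
    }
}

function Get-VulnerableDriverBlocklistStatus {
    # The Windows Security "Microsoft Vulnerable Driver Blocklist" toggle writes this value.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $item = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not set (OS default applies)' }
    if ($item.VulnerableDriverBlocklistEnable -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Get-RunningKernelDriverInventory {
    # Every running kernel driver with signer and SHA-256. The hash is what goes into a
    # WDAC allow/deny rule; the signer alone is not enough, because drivers abused in
    # BYOVD attacks carry valid vendor or WHQL signatures.
    $sysRoot = $env:SystemRoot
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the image-path forms Windows stores for driver services (my own handling).
            $p = $_.PathName -replace '^\\\?\?\\', ''                       # \??\C:\...       -> C:\...
            $p = $p -replace '^\\SystemRoot\\', "$sysRoot\"                  # \SystemRoot\...  -> C:\Windows\...
            if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $sysRoot $p }  # system32\drivers\x.sys (relative)
            if (-not (Test-Path -LiteralPath $p)) { return }

            $sig = Get-AuthenticodeSignature -LiteralPath $p
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $p
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                Sha256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            }
        }
}

# Usage: print the integrity state, then the running drivers that are NOT in-box Windows
# drivers. In-box drivers are signed "CN=Microsoft Windows"; WHQL-signed third-party
# drivers use a different Microsoft subject and are deliberately kept in the output,
# because that is exactly where BYOVD candidates live.
Get-KernelCodeIntegrityStatus | Format-List
"Vulnerable driver blocklist: $(Get-VulnerableDriverBlocklistStatus)"
Get-RunningKernelDriverInventory |
    Where-Object { $_.Signer -notmatch '^CN=Microsoft Windows,' } |
    Sort-Object Signer | Format-Table Name, Signer, SigStatus, Sha256 -AutoSize
```

If HvciRunning comes back False on hardware that supports it, the documented switch is the DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled registry value (or the equivalent Group Policy / Intune setting) followed by a reboot. Treat the driver table as a baseline: the SHA-256 column is what you compare against the vendor blocklist and what you pin in an allow rule, since a signer-only rule would pass the very drivers this attack relies on.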

Then we put on the CISSP lens. We tie the scenario to Domain 7 security operations (EDR limits, incident response, monitoring), Domain 3 security architecture and engineering (layered controls, hardening), and Domain 1 security and risk management (risk = threat × vulnerability × impact, plus threat landscape shifts). The big takeaway is simple: your job isn’t to find the fanciest tool, it’s to build a program that still works when one control fails and to communicate that risk clearly to leadership.

If this helps you think like a manager and study smarter, subscribe for weekly CISSP-focused breakdowns, share the episode with a teammate, and leave a review so more people can find the show.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox!  Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

Welcome And Schedule Change

SPEAKER_00

Welcome to the CISSP Cyber Training Podcast. We provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber. I'm your host of this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

SPEAKER_01

Good morning, everybody. It's Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today's Monday, and today we are going to be talking about the CISSP exam and some questions related to the CISSP. Now, if you all have been listening to my podcast for a while now, you know that I used to be doing two podcasts a week. And I'll be honest, it was a hard thing to do. Two podcasts a week is a lot. It really, truly is. And so, to be able to provide you the level of quality that I feel you need to have, I went down to one podcast. So if you're hearing this and you're going, well, where was the one that was last week on Thursday? I have stopped doing the Thursday podcast. But what I've done is I've morphed them together into something that is a bit more useful in that regard. And it also makes life a bit easier on me, because with everything else going on between consulting, between our businesses, and also helping put forward a brand new cohort for the CISSP, I just needed some time. And that's the purpose behind it. So that being said, there's still a lot of information that's available to you. I do it on a weekly basis here as well as on YouTube, and that is somewhat a little bit different than what I'm putting on the podcast. So it's a little bit of the same, a little bit different. So you can check it out both on the podcast and on YouTube, or on my website at CISSP Cyber Training. All right, so I just want to kind of set that expectation and that gauge at the

A New Ransomware Problem Emerges

SPEAKER_01

beginning. But what we're going to talk about today is something that I saw in CSO magazine. Now, as you know, I like CSO magazine because a lot of the information that comes to you is based on thinking like a manager and thinking like a leader within an organization, and CSO does a really good job of bringing some things around that. They also have some great technical pieces as well. This is from John E. Dunn, an article titled "Threat actor adds advanced EDR killer tools to ransomware-as-a-service platform." So that's brand new out there. And it's interesting. I read this article and I was like, oh, okay, this is something a little bit different than I had seen before. So it's kind of an interesting thought process around this. So what it is, is a ransomware group just made it dramatically easier for cybercriminals, even the unskilled ones, to completely blind your endpoint defenses before launching an attack. This is kind of a scary thing if you think about it. So if you have your EDR as your last line of defense, today's episode is going to be a little bit of an introduction and a wake-up call about what can happen to you and your organization. So let's get into what the article is about. A cybersecurity research firm called ESET, that's Echo Sierra Echo Tango, just dropped a report about a ransomware group known as The Gentlemen. Okay, it sounds very sophisticated and it sounds quite nice, The Gentlemen. Well, it might be a little bit different kind of thought process around this. When I read this, I'm like, whoa, there are actually these folks out there. So despite sounding like they might be running a speakeasy, these folks are one of the most active and financially successful ransomware-as-a-service operations in the world right now. And if you're reading what they're doing from a business perspective, I can see why. 
And if more companies, I should say more ransomware groups, decide to do this, it can be very lucrative for them as

The Ransomware As A Service Model

SPEAKER_01

well. So here's their business model. And I want you to kind of pay attention to this because it's brilliant. I mean truly, it's very, very smart from an economic standpoint. And as I operate businesses, I've kind of learned to see things that are good in businesses and some that are not so good. This one is pretty good. So they operate what is called a ransomware-as-a-service platform. And we've talked about this on CISSP Cyber Training before. Ransomware as a service is something where you come in and you are willing to pay a bunch of money, and then they will launch an attack for you, or they'll give you some things to be able to create a ransomware attack structure. They create the infrastructure, they have all that in place. So The Gentlemen build and maintain the ransomware infrastructure, and then they recruit the affiliates to do this. So basically, mercenaries, right? Freelance cybercriminals to do the actual attack. So The Gentlemen do all the heavy lifting on this. Now, this sounds great, right? I'm one of these people that thinks, hey, more power to you. However, the one challenge with all of this is kind of interesting, and it's that, like I've mentioned before, when you're dealing with cybercriminals, this kind of opportunity sounds great, but there is a small downside. And the downside is that you break big rocks into little rocks, which basically means you go to prison and you're there for a long time. So I love their entrepreneurial thought process, but this is just bad, plain bad. So the affiliates keep a whopping 90% of the ransom paid. So if you're an affiliate and it costs, I don't know, say $100 just to make it easy, right? $100 for this one launch. The affiliates will keep 90%, and The Gentlemen will only take 10%. So they're basically just doing a fee, a finder's fee kind of thing. So what a great model it truly is, right? 
This is an unusually generous revenue split, and what they've figured out is the fact that they're going by sheer numbers. And I'll use this as an example with shaved ice or coffee, right? Sometimes with my prices, I'm not making a lot of money on my drinks, but I'm looking for sheer volume. Sheer volume will take over for the price of a cup of coffee. And many people think, and on a quick digression, I had a young lady call me up and she said, we went to this event and the price of your coffee was so much higher. Why is that? And I said, you are so right. Because I've got to pay; my margins are small, and then I've got to pay somebody else. And so the point of it comes down to this: my pricing was designed to go off pure sheer volume. Same concept here. These guys are getting rich off of volume. They pass all this money on to their people, on to the affiliates, and then they keep a small percentage of it. So it's a very good, generous revenue share. It really, truly is, and it's attracted a lot of affiliates. So researchers estimate that the platform has been used in roughly 300 different ransomware attacks. Now, here's where it gets even more interesting.

Criminals Get Hacked And Leak Tools

SPEAKER_01

As of May of this year, an unknown attacker breached The Gentlemen's own servers. So there's no honor among thieves. The thieves just got hacked by one of their own or by somebody else. So, yes, the criminals got hacked by someone involved. And the person who hacked them posted the internal materials online. So ESET researchers dug into these leaked files and discovered something they say hasn't received nearly enough attention, and I will agree with that completely. So The Gentlemen have built their own sophisticated EDR killer framework. So for those that are thinking about this, EDR is endpoint detection and response, and this is a killer framework for it. So it's your SentinelOnes, anything that's EDR-type activity; it's that thing that's on the endpoint, and it is what's detecting and responding to anything that would go bad. So they're calling it the Gentle Killer, right? So it's a small killer, it's a nice killer. It's still killing you, but it's nice about it. It speaks in a British accent. And they've made it available to every affiliate on their platform. So no development work required. You just plug it in and use it. This is the part that gets really spooky, because now you can have Billy Bob sitting in his mom's basement, not doing anything, and he goes, hey, I want to try this. And then all of a sudden, he or she can do some very serious damage to an organization. So, what is an EDR

What An EDR Killer Really Means

SPEAKER_01

killer? So let's make sure we all are on the same page when we come to this point. So we talked about EDR; it stands for endpoint detection and response. These are the advanced security agents that sit on your laptops and your servers, and they watch for malicious behavior in real time. Now, this can be done from a behavioral analytics type of standpoint, or it can be done in a combination of knowing the heuristics of what's going on and the actual technical aspects that are going on. So it's both: it's watching the dynamics of how people are reacting to it or how the system's reacting, as well as the technical pieces it's trying to accomplish while it's sitting on that endpoint. And so this is an interesting part. This is one of the main things that a lot of companies will just go, hey, I'm just going to slap EDR, which replaced the former traditional antivirus of the past, on these systems and I'm going to be good to go. Well, relying on that is not a good idea, right? So, like anything else we talk about, having defense in depth is important. And as the CISSP, you need to understand that as well. So any organization or enterprise that relies heavily on EDR as the cornerstone of their defense really needs to think hard about doing that. Again, layered defenses, defense in depth. So the EDR killer is exactly what it sounds like. It is a tool designed to disable or bypass your EDR agents before the ransomware payload gets deployed. So it's basically going to say, these are not the droids you're looking for, and then the droid will be deposited into your organization. So that's the point, right? They're trying to bypass the EDR completely, and that way when it happens, you now have no visibility into it. So the idea is simple. If you can blind the security tool before you execute your attack, the attack is far more likely to succeed. 
These tools have existed for a while, but here's the critical evolution that ESET is highlighting. Historically, each affiliate had to either develop their own EDR killers or go source one from the underground. So they had to go find their own tools, right? So they're out there scrounging around. That takes skill, time, and money, right? So Billy Bob in his basement probably doesn't have the money, because that's why he's living in the basement. So The Gentlemen just removed that barrier entirely. So now you don't need to have the money or the skill or the time, really. Well, you'll have to have the money, but in some cases, not even that. They're going to take care of everything for you. They're going to provide you all the skills and the tools you need to be successful. Just like the CISSP, but in a bad form. Yeah,

BYOVD And Kernel Level Control

SPEAKER_01

that's it. All right, so let me walk you through how Gentle Killer actually works, because this is important both from a security practitioner standpoint and for your CISSP exam. The core technique is called BYOVD, bring your own vulnerable driver. Yes, everything needs to have an acronym because it makes us feel cool about ourselves. But BYOVD is bring your own vulnerable driver. And here's how it works. Step one, the attacker compromises a system and gains administrative privileges. Standard fare from the hacker playbook, right? That's what we want to do. It's your classic initial access phase: get your toehold, go from there. Step two, once they're in as the admin, they load a legitimate but outdated and vulnerable driver onto the system. So again, you've got to still have admin access, but you're loading a vulnerable driver onto the system. So the key piece of this: this is not malware. This is a vulnerable driver. It's already flagged as something that should be there, but it's out of date. This is real, it's a signed driver from the real vendor. It just happens to have an exploitable vulnerability in it. Step three, the attacker exploits that vulnerability in the driver to escalate from admin-level access all the way down, I say down, to kernel-level access, right? So you're going to ring zero here. This is a big deal. So you're going from the admin level down to kernel-level access. So this is huge. This is big. The kernel obviously is the core of your operating system. And if you can control the kernel, you control everything, right? Now we're not talking colonel like me when I was a former colonel. It is the kernel, K-E-R-N-E-L. And it's not like popcorn, it's the kernel on the computer system. So it's an important part, right? Any basics you understand, and you need to know this for the CISSP, understand the kernel level, ring zero. Okay, so step four. 
Now operating at the kernel level, the attacker can directly target and terminate the EDR's own drivers and processes specifically. So the EDR can't see what's killing it because the attack is happening below the privilege stack. Again, it's below the radar, it's below the wire, below the water, however you want to say it. It's going after a driver, right? So the Gentle Killer ships with evasion techniques targeting 400 different EDR processes from 48 different vendors. So you see, that's a large subset of all of the EDR vendors out there that it now has the ability to do this against. So it's a targeting tool. It's a broad-spectrum EDR neutralizer. So you now basically blind the guy, right? You tell him these are not the droids you're looking for, and those guys let you just move on, right? And The Gentlemen also bundled well-known third-party tools into this as well, specifically Hex Killer, Throttle Blood, and Havoc Killer. So the researcher Jakub Souček, I can't say it. Souček? S-O-U-C-E-K. Put it this way: by providing such tools for affiliates, they lower the entry barrier for less skilled affiliates. Right. Okay. You now can basically throw someone in there who probably can't even order a Happy Meal at McDonald's, and now they can go and do something like this. So again, brilliant. It's super smart. One of the things we ran into when I was a red team hacker. I mean, in the red team world, I did all kinds of fun stuff, man, from breaking into buildings to hacking into organizations, lots of great things. The one thing we struggled with was, and we trained a bunch of jet engine mechanics to become hackers. Now, no offense to jet engine mechanics, they are extremely smart, super smart, especially when you're dealing with jet engines and all these different aspects. But they're a different kind of smart, right? It's a different kind of mentality, more of a hands-on type of thing. 
So now you have to teach these guys how to do this thing in an abstract way. And we did that. However, the one challenge, where I'm going with this, is the one challenge we ran into was getting people who are really strong hackers to be able to create product for us, to be able to create exploits for us. And so what it came right down to was that it was challenging. Well, now I don't need that. I can use jet engine mechanics, I can use a regular mechanic, I can use Billy Bob who teaches preschool, right? Doesn't matter. The point is that they have taken all of that out. So even though you may not have the right skill set as a hacker, now you can have these exploits and do things against organizations. So again, I'm telling you all this to say don't go do this, because that is something that will land you in prison and you will not see your family and you'll be very unhappy because you did it. I'm saying that it changes the thought process for senior leaders. We have to be aware that it's not just the smart guy we're worried about or the nation state that we're worried about. Again, this is really bringing it down to the grassroots level. So the phrase they use for it is democratization, and basically that's supposed to put a chill down your spine because of that fact, but realistically, it's something you should be very, very concerned about. Because it just scaled dramatically from what we had before.

Practical Defences Beyond Endpoint Agents

SPEAKER_01

So, what do you do about this? So, ESET gave us some concrete guidance, and these recommendations align directly with modern security architecture principles. First, enforce HVCI, Hotel Victor Charlie India, hypervisor-protected code integrity, and KMCI, which is Kilo Mike Charlie India, kernel-mode code integrity. Okay, so these are important parts of all this. You want to start with this first. Now, these technologies make it much harder, more challenging, to load old, unsafe, or unauthorized drivers. If you're on modern Windows infrastructure, these should already be on your radar and something that you're thinking about. And I ran into this when I was a CISO. We had a bunch of hypervisors, and we wanted to make sure that, as we're dealing in the industrial side of the house, we had industrial processes running on hypervisors, and the ability that you couldn't pierce through the hypervisor. So something for you to consider; this is a great thing for you to think about if you have that kind of environment within your organization. Second, enforce strict driver allow and block policies. Don't just rely on the defaults; create custom rules for your organization. If you know which drivers your environment legitimately needs, block everything else. Now, this can get very squirrely. Again, it works great if you're a greenfield. If you're starting up brand new, it works like a champ. If you have a large enterprise that you've been around for a while, this makes it a little bit more challenging. And I would recommend, if you're going to do this, start small. Start in an area that you can start to control and build it out. If you've got an enterprise of any size, this is a multi-year process. You've got to think about it that way. You're going to have lots of plates spinning for every year that you have on all these different areas, but it's a good thing for you to start to put in the back of your cranium. 
Third, continuously audit and remove unnecessary drivers. Yeah, it's a big deal. It really, truly is. All those extra drivers add exposure to your organization. Vulnerable drivers that aren't in use are a ticking time bomb. They are going to get leveraged at some point in time. So remove them. This is the hygiene piece of this. When I was flying airplanes, we would go in and do what we call delousing. One of the things that people would think about is you're like a bomber and you're going in, you just dropped your bombs and you're flying back. Sometimes a predator would be following you in. And then your friends that are flying with you will delouse for you. They'll be looking for any lice that are coming behind, and they will clean them off. So you want to remove them. Delouse, important part. Fourth, and this is a big one, right? Assume your EDR can be killed. It can be stopped. EDR is not your last line of defense, it's one layer in this defense. We talk about this. Layered defenses, important part. Your architecture needs to account for the scenario where the endpoint protection fails; that means network segmentation, behavior analytics, privileged access controls, immutable logging, all of that the attacker can't reach, right? Even if they own the endpoint, you need to encapsulate it and protect it. So, really, these are great key points from this article. So here's my bottom line on this story. The threat landscape just evolved, once again, right? I think it's a constant state of spinning. A sophisticated capability that used to require real technical skill is now a menu item, a Chinese menu item on a criminal franchise platform. Yes, this is really screwed up. And the sad part is so many people out there are not prepared for this. They're just not prepared. 
So that means the bar for launching a sophisticated EDR-evading ransomware attack just dropped significantly, and it's available to anyone. So, you that are listening to this podcast, you might be a security manager, you might be a CISO, you might be wanting to be one. If you advise organizations on their security posture, and many of you listening here are working toward exactly that role, this story is a data point that belongs in your risk conversations. These are things you should be chatting about with your CIO or whoever is in charge of you. Now, again, you can go in scaring them all the time, and that doesn't really help. This is one of those things you put on your bucket list of going, okay, am I vulnerable? If I am vulnerable, where am I vulnerable? Okay, build up a plan before you go and bring this to your CIO, but at least have a plan of going, I see this as a problem, I need your support, we're going to go fix this. That's an important part of this. So EDR is extremely valuable, but if it's the only thing standing between your organization and a ransomware attack, you have a single point of failure, and it's not something you want to be dealing with, right? So think like a manager, layer your defenses, and keep listening, right? Because in a minute, in the next segment, we're going to be talking about how we break all this down through the lens of the CISSP exam, so you can take this real-world scenario and turn it into exam-ready knowledge so that you are properly prepared to take that test. All right, we're excited about that, right? All right,

CISSP Study Paths And Cohort Pitch

SPEAKER_01

let's get going. Okay, so before we get into the training aspect of the CISSP Cyber Training Podcast, I want to just throw out a quick shout-out. If you are interested in getting your CISSP and finishing up in the next eight weeks, my cohort is getting ready to start. Now, you've got to put it in perspective. What is the cohort? You have self-study, which I provide on my site. There are different types of self-study platforms you can use. One where you get to interact with me a little bit. There are ones where you can just do it all on your own. Very inexpensive, not very expensive at all. And I did that on purpose, specifically for people that are working to do self-study. I also have a CISSP cohort that is starting up. Now, we'll talk about that here in just a second. So you have the self-study, and then you also have the boot camp aspects. So you can go do a boot camp, you can spend five to ten thousand dollars on a boot camp, and you spend a week and you go through the entire process. At the end of that week, you hopefully take your CISSP exam and you're done. So there's that option as well. I saw a gap. So what I came up with was this cohort. And this cohort is eight weeks where we are intensive: you have homework, you have things you have to study, you have a diagnostic capability at the beginning to kind of understand where your strengths and weaknesses are, and then we will do accountability as well. And it's over eight weeks. So the goal is that at the end of those eight weeks, you will have booked your time. Before you can even start with me, you have to book your exam. Now it doesn't have to be in eight weeks, but you have to have the date set for your exam. And once that date is set, then we are going to work toward it through that cohort. And so in eight weeks, you are in a position where you feel very confident to pass the exam the first time. And so that cohort's out there. 
I've got limited pricing right now for it, just early-bird pricing as it gets launched. But that being said, it's available to you. Go to CISSP Cyber Training, go check it out. There are links on it, a little bit more about it, and all the details around it. So if you're looking to get your CISSP, and self-study just isn't quite working, you're having a hard time, or you don't have 10 grand to spend on doing a boot camp, the CISSP cohort is a great option for you. Again, though, one last caveat. There are only 15 slots, and I've already been filling them up. It's over a third full right now, actually almost half full. So if you are interested, I would not delay. I would get on that as soon as possible, because once I get to 15, I stop. And I won't do a cohort for a little while after that, because I want to make sure that we put all the time and effort into these students to give them everything they need to pass the exam. Okay, enough about that. Let's get into what we're going to talk about today.

Linking The Story To CISSP Domains

SPEAKER_01

Okay, so welcome to the training portion of today's episode. So if you're studying for your CISSP, this is where we take what just happened in the real world and connect it to the domains and concepts you need to master your exam. So today we're covering the three domains. The primary domain is domain seven, security operations, and that is where this story lives. So we're also going to pull in domains three, related to security architecture and engineering, and domain one, security and risk management. And before we get into the concepts, I want to give you the overarching lesson that ties all three domains together. No single control is sufficient. And we talk about layering, right? Defense in depth, not even EDR. Your architecture must assume that any control can be defeated. And critically, when that threat landscape changes, your risk goes up. And in many cases, we don't even know when this risk changes. We are just reacting to it. So even if you have not changed anything, your risk will go up. So this is the manager mindset, and this is what the CISSP is testing. So as we go through this, keep asking yourself the question that is on your side right now. If my EDR is dead, what else is watching? The defense in depth is such an important part of all this. So if you cannot answer that question confidently, you have a single point of failure. So let's get that fixed and addressed now. Domain seven is where the rubber meets the road. It covers incident response, monitoring, endpoint security, vulnerability management, and threat intelligence. This story touches all of those. And so let me walk you through some three key concepts related to that. So concept number one, EDR and its limits. First, EDR and its limits. EDR tool monitors endpoint behavior in real time. They detect anomalies, contain threats, and give you forensics data for investigations. They're a big step up, huge step up from traditional antivirus. But here is what the CISSP exam wants you to know. 
EDR is a detective and response control. It's not purely preventative. And it has a failure mode. It can be killed, as we have just mentioned, even before it ever gets an alert. So thinking like a manager on exam questions about EDR, the most sophisticated technology is not always the right answer. If a question implies that by deploying EDR, it means you are fully protected, you must be very skeptical of that. EDR is a layer, not a solution. So keep that concept in mind. Concept number two, BY OVD and privilege escalation. So we talked about BY OVD and this bringing your vulnerable driver and privilege escalation. Now the CISSP exam covers something called the rings of protection, the hierarchical privilege model in computing. Now ring zero in is kernel mode, the highest privilege, the OS core. Your operating system's core is considered ring zero, like I kind of alluded to when we were doing the news article. Ring one and two are device drivers and OS services. BYOVD puts the attacker at ring zero as well. So now the layers that were there designed to protect you from ring zero up to ring three, they are not there. They are gone. And so the point of it is that you now bring the BYOVD brings that down to ring zero. Same level as your EDR, which means they can reach in and terminate it directly if they see fit. So in CISSP language, this is what they call privilege escalation attack. The attacker starts with admin privileges and exploits a vulnerable driver to climb all the way down to kernel level. Right? I say down because it's in the bowels of the beast, uh, but it's ring zero. So that is the technique. So thinking like a manager, if a CISSP question describes a kernel mode exploit or a driver-based attack, the attacker's goal is privilege escalation. And the correct defensive answer will almost always be about preventing the escalation, such as using HVCI and KMCI, which we talked about. 
So that's your kernel level and your hypervisor level protections, not just detecting it after the fact. Okay, so concept number three, RaaS and threat actor classification. So when you're thinking of RaaS, ransomware as a service, and a threat actor classification, the CISSP exam asks you to differentiate threat actor types. So we have script kiddies, we have hacktivists, we have organized crime, we have nation states, and we have insiders, right? The Gentlemen are organized crime, which we talked about in the news article. They have serious development capability. They got a bunch of smart people who make stuff, right? They make stuff up. Their affiliates are lower-skilled actors. Now it doesn't mean they're not smart, but they're just not the same level of skills as The Gentlemen. And I really don't mean to be, let's talk about the nice things about you. Everybody wins a trophy. No, that's not it, right? But the point of it is that you can now have different tiers of the ability to work together. But here's the key highlight: the skill of the attacker no longer equals the sophistication of the tool they are carrying. In the past, when I was working in the red teams, you had to have a really good quiver of tools and you had to be on your game to be able to use those tools because they weren't just simple as, hey, I want to mash an easy button and see what it does. They didn't do that. You had all kinds of command lines that you had to do. Now that has changed dramatically, especially since I've been doing it, and now you see these things happening, it's all morphing. And then with AI coming in on board, that line is blurring completely. So RaaS platforms are the reason because of that. So as we're thinking like a manager, when the CISSP question references threat actors, always think about the capability and the motivation together. Organized crime is motivated in most cases by financial gain.
Don't want to say this is all-encompassing, but in most cases, it's about the money. That's what they're in for. And I've mentioned this before is that, you know, organized crime was all about the different things, prostitution, drugs, all those kinds of aspects that have been around since the beginning of time. But now you add this financial dynamic as it relates to ransomware as a service, it's so much cheaper and it's so much easier to utilize a ransomware as a service type of tool because now I don't have to worry about the challenges with prostitution. I don't have to worry about the challenges with drugs. I don't have to worry about all those challenges from an organized crime standpoint. This is easy button stuff, right? And so this is the kind of thing they're going to gravitate towards. So RaaS is how you scale by recruiting low-cost affiliates. That's the ultimate goal. Your defenses must account for amplified capability. You must be able to withstand basically the Huns at the gate. So not just the skill level of the individual attacker, you now have to consider everybody involved. So now we're going to be bridging domain seven and

Incident Response Without Endpoint Visibility

SPEAKER_01

domain three. If you see on the slides, if you're watching this on YouTube or watching it at my website, you'll see this is where now on the slide related to domain seven or domain three. If you're not listening to this and you listen to the podcast, hey, awesome. Go check it out at CISSP Cyber Training, or you can check it out on YouTube, one of the two. Now we're bringing the domain seven and three together, right? So there's three more concepts here. You have incident response, defense in depth, and system hardening. The IR lifecycle on CISSP goes like this: preparation, detection and analysis, containment, eradication, recovery, and lessons learned. So we're dealing with the IR life cycle, preparation, detection, analysis, containment, eradication, recovery, and lessons learned. EDR killers specifically target the detection phase. So if your EDR is terminated before it fires an alert, you have no detection event. You do not know you are under attack. And so, therefore, how do you respond? So, this is why centralized immutable logging matters so much more. So, a SIEM, a security information and event management system, collects these logs from your endpoints, and they're an important part of your organization. And it basically has the logs from your endpoints, your network devices, and any of your identity systems as well. It does not depend on the endpoint agent being alive. So it's collating everything together besides just the EDR tool. So if your attacker kills your EDR tool at 2 a.m., your SIEM still has the authentication logs, the network traffic logs, and the Windows event logs showing exactly what loaded and when. Now that may not be a trigger to go, oh, boop, boop, boop, you know, that the sky is falling kind of thing. But what it will do is it will have some sort of capture of that information as needed.
So as you're thinking like a manager, if a CISSP question shows a scenario where the endpoint agent was disabled during an attack and asks what you should do first, the answer is to go to your centralized logs, not the endpoints. Because again, the endpoints would be under attack. So concept five, defense in depth. This brings us to domain three architecture. The principle is defense in depth. Layer multiple independent controls so that if one fails or is actively defeated, the others remain intact. So Gentle Killer was a direct attack on the organizations that have come to over-rely on EDR as their single layer. And they're out there. There's a lot of people that do this because they think I'll slap that on and I'm good to go. Effective layers against EDR killer attacks include network level detection, which catches lateral movement and command and control traffic. Identity controls, which deal with your MFA, privileged access management, or just in time access. It's also known as JIT, just in time access. Immutable logging, this is where it's shipped off endpoints in real time so it survives the compromise. Kernel integrity protections, this is where you have HVCI, secure boot, code integrity policies. All of those are part of this. So as you're thinking like a manager, right, which the CISSP wants you to do, defense in depth questions on the exam often show a scenario where one control was bypassed and ask what is the best response. The answers almost never add more of the same control. Okay, so well, let's just add more of that, right? If one is good, two is better, right? It's to add a different type of control at a different layer. Physical, logical, and administrative controls working together in cohesion. I can't say the big word. Basically working together, right? They're working together, making things happen. That is an architecture mindset.
Again, you're thinking, if something can go bad, how can I determine that something went bad? Okay, concept six, system hardening and driver hygiene.

System Hardening And Driver Hygiene

SPEAKER_01

Okay, so the last concept of this section is hardening. So ESET's recommendation, based on the news article we had, is to audit and remove unnecessary drivers. This is a textbook application of attack surface reduction. Big words for basically saying you need to reduce the amount of stuff in your system so that it can't get attacked. So every driver on a system is a potential attack vector. Drivers that aren't needed shouldn't be there, right? We've got a knock, knock, hint, hint, stamp, stomp, whatever you want to say, that is a big factor. Same principle as closing unused ports, disabling unnecessary services, and removing default accounts. Yeah, default accounts, bad, bad juju, bad. So minimize the attack surface. You want to do that. Now, system hardening means you remove unnecessary components, apply least privilege, configure to the minimum required functionality as needed. So driver hygiene is a form of endpoint hardening. The more drivers you get rid of, that will help with your endpoint hardening. So know what is installed, why it is there, and whether it has any known vulnerabilities at all. If not, get rid of it, remove it. If it's vulnerable and outdated, update or eliminate it completely. So as you're thinking like a manager, if a CISSP question describes a compromised system and asks what should have prevented it, system hardening is frequently the right decision and the right direction in which you go. And specifically for driver-based attacks, the preventative control is restricting what can be loaded. Again, limiting what can be loaded, not just detecting it after it specifically loads. Okay, so let's now go into domain one where we need to think strategically.

Risk Increases Without You Changing Anything

SPEAKER_01

So as we're going down this path, concept seven, risk and threat landscape. The risk formula the CISSP uses is risk equals threat times vulnerability times impact. Right? So Gentle Killer changed the threat component. The likelihood that a less skilled attacker can now successfully execute an advanced attack went up. Your vulnerabilities did not change, your assets did not change, but your risk increased anyway. That's the threat landscape evolution concept. Your threat model just expanded without anything changing on your side. Previously, a sophisticated kernel level EDR bypass required a skilled, resourced attacker with the tools needed to do that. And someone that is also just very knowledgeable in that subject. Now, a low-skilled affiliate, let's just say me, right? I would be a low scale, low-skilled affiliate with a RaaS subscription can do the exact same thing. So as you're thinking like a manager, when a CISSP question describes a change in the threat landscape and asks how a security manager should interpret it, right, which is what you all want to be or are, the answer involves the threat component of the risk formula. Likelihood just went up. So the correct response is to reassess your controls and update your risk register. Do not wait for the vulnerability to appear before acting. That is usually the last thing you want to do. If you're dealing with a vulnerability before it, like all of a sudden you go, oh, here it is, that is when you know you are not in a good state. The last concept is the one that does not get enough attention. So The Gentlemen's platform is essentially a criminal supply chain. They build the tools, affiliates execute the attacks, and revenue flows back up the chain. This mirrors legitimate business supply chain models, right? Which I highly recommend, except don't use this one because this will put you in jail. And the CISSP covers supply chain risk management.
So the idea that risk can enter your organization through third parties, vendors, and partners, which we have talked about, and your third-party risk management program needs to be solid. The criminal version of this is threat capability can be amplified through the chain. So when an affiliate attacks you using The Gentlemen's tools, the sophistication of the attack exceeds the sophistication of the individual attacker. That has super implications for your threat intelligence and your incident response. Why? Well, if your intelligence is saying, we have only nation-state hackers that can come after us, so I'm not worried about the script kiddie. That's bad because the script kiddie now can be the nation-state hacker with just an easy credit card from mom and dad. So you cannot assume that a low-skilled attacker is carrying low-skilled tools anymore. You have to assume that all attackers have a very wide range of tools available to them. So as you're thinking like a manager, your threat model must account for capability amplification, not just the skill level of the person at the keyboard. Now I know we've talked about this at CISSP Cyber Training. You cannot do that, but many people do, going, I'm not worried about Billy Bob in the basement of mom's house. My stuff is solid. It is until it isn't, right? That's just the way this kind of stuff works. So be ready for it. All right, so that's all I have. Let's

Manager Mindset And Core Takeaways

SPEAKER_01

kind of bring this home. Today's story was The Gentlemen and their Gentle Killer framework. It's a perfect illustration of why the CISSP frames security management as a strategic discipline. It's not a tool selection exercise. The right response to a capability like this is not buy a better EDR. You know, this one just got pwned. I want to buy a new one. No, that's not the response. Or let's buy another. Remember, I was a consultant and I had gone to an organization and they had three EDR programs running. Three? Yeah, that's not the right call. Don't do that. It is to ask, what does our architecture look like if our EDR is dead? What is watching? What is still working? Defense in depth, least privilege, centralized logging, kernel integrity controls are all important. These are not just exam topics. They are the exact controls that matter when the bad guys are specifically targeting your endpoint security. So the three domains we covered: domain seven, security operations, EDR limits, BYOVD, which is your bring your own vulnerable driver, privilege escalation, threat actor classification, and incident response. Domain three is security architecture and engineering, defense in depth, system hardening, attack surface reduction, all of those are important. And then domain one, security risk management, threat landscape evolution, risk formula, and criminal supply chain amplification. Yeah, that's a lot of big words, $10 words there, but the bottom line is the supply chain's a big deal. Internalize this and think like a manager mindset. Your job is not to be the most technically sophisticated, which many of you that are listening to this are probably like light years beyond me. The only difference is that I'm not that way. So because of my, I'm smart in other areas and not so smart in the technical side, I focus on what I know. Same with you. You are smart maybe in the technical side.
Start focusing on things that maybe you don't know, but utilize those skills that you had technically to help be able to translate. So your job is not to be the most technically sophisticated person in the room, it is to build programs that work even when the individual controls fail. And then communicate that risk specifically and clearly to leadership within your organization. Okay, so that's all I have for you today.

Resources On Site And Essentials Program

SPEAKER_01

I hope you all enjoyed this. Head on over to CISSPCyberTraining.com, check out what I've got available to you, lots of free stuff. My Essentials program is amazing. It will give you everything you need to basically understand the CISSP from a self-study standpoint. If you want a little bit more hands-on with me, potentially, then there's another program out there available for you. And then finally, there's the Sprint Cohort that's kicking off here July 7th, and the early bird pricing is still available till June 27th. I think you got like seven days, and then the early bird pricing goes away. So go check that out. Again, all that stuff is available at CISSP Cyber Training. Thank you so much for joining me today, and we'll catch you on the flip side. See ya.

Reviews YouTube And Free Practice Questions

SPEAKER_01

Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube, and just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.