Adversary Universe Podcast

Author: CrowdStrike

Description

Modern adversaries are relentless. Today’s threat actors target organizations around the world with sophisticated cyberattacks. Who are they? What are they after? And most importantly, how can you defend against them? Welcome to the Adversary Universe podcast, where CrowdStrike answers all of these questions — and more. Join our hosts, a pioneer in adversary intelligence and a specialist in cybersecurity technology, as they unmask the threat actors targeting your organization.
26 Episodes
Organizations fear adversaries will attack. Threat hunters assume adversaries are already in the system — and their investigations seek unusual behavior that may indicate malicious activity is afoot. Andrew Munchbach, CrowdStrike’s Global VP, Field Engineering, joins Adam and Cristian in this week’s episode to explore what threat hunting is, how it works, and what makes a good threat hunting program. As CrowdStrike’s “Chief Reddit Officer”, Andrew also shares how he came to run CrowdStrike’s Reddit account and discusses the platform’s evolving role in communicating with the security community. Now with nearly 20,000 followers, CrowdStrike’s Reddit account is used to share information — from key data on active attacks to weekly threat hunting exercises — with CrowdStrike customers and the general public.
Today’s conversation explores a common question around adversary activity: Why does attribution matter? When a cyberattack hits, why go to the trouble of learning who is behind it? Each attempt at an intrusion can reveal a lot about an adversary — who they are, what they’re doing and what their motivations may be. This information can inform not only your response to an attack but also how you strengthen your security architecture against future attacks. In this episode, Adam and Cristian discuss the importance of knowing who the adversary is and what they’re after. They go back to the early days of adversary attribution, explain how adversaries are tracked as their activity changes over time and examine the value of this intelligence in helping organizations succeed in the face of evolving cyber threats. The tool Adam mentions at the end of this episode can be found at https://adversary.crowdstrike.com/
The National Security Agency’s Cybersecurity Collaboration Center (CCC) was created based on a growing need for the public and private sectors to work together and share insights to understand adversaries’ intentions, as well as the scope and scale of their activity. In this special episode of the Adversary Universe podcast, Adam and Cristian are joined by Morgan Adamski, Chief of the CCC and government security expert, onstage at CrowdStrike’s Gov Threat Summit in Washington, D.C. “We both had different pieces of the puzzle,” said Adamski of the NSA and private sector organizations, which collect different types of data on adversaries and how they operate. In this conversation, she, Adam and Cristian discuss the CCC’s mission and its evolution, explain how it works with private sector partners, and go “around the world” to discuss their observations of modern nation-state adversary activity.
CrowdStrike Chief Security Officer Shawn Henry joined CrowdStrike as employee number 19 after a 24-year career at the FBI, where he retired as the Bureau’s Executive Assistant Director. Today, he joins Adam and Cristian for a wide-ranging conversation exploring his early days at CrowdStrike and transition to the private sector, his perspective on the 2016 DNC breach and the risks modern elections face. Adversaries have numerous opportunities to sway voters’ opinions — and now they have the technology to wield greater influence through misinformation and disinformation campaigns. “I think we've just scratched the surface with AI from a deepfake perspective,” Shawn says of how artificial intelligence may play a role in this activity. Tune in to hear his perspective, stories and guidance as we navigate this election year.
The days of automated cyberattacks are dwindling: last year CrowdStrike saw a 60% jump in interactive intrusions, a type of attack in which a human is on the other side, working to break in and navigating their target environment as soon as they gain access. Most (75% of) attacks in 2023 didn’t involve malware at all — in nearly all cases, the adversary relied on identity-related techniques or exploited an unmanaged device. The threat landscape is constantly evolving as adversaries explore new tactics. And as the CrowdStrike 2024 Global Threat Report shows, a lot can change in a year. We’re seeing more adversaries, operating at greater speed and conducting more attacks than ever. In this episode, Adam and Cristian reflect on the early days of the Global Threat Report and examine the key findings of this year’s report. Highlights include: 62 minutes: The average time an adversary needs to move from an initial access point to another host in the target environment; 232: The number of adversaries CrowdStrike tracks; 75%: The year-over-year increase in attacks targeting cloud environments; 76% increase in postings on data leak sites. Download your copy of the CrowdStrike 2024 Global Threat Report today at crowdstrike.com/global-threat-report
CrowdStrike has long said, “You don’t have a malware problem — you have an adversary problem.” Much like we analyze the malware and tools used in cyberattacks, we must also learn about the people who orchestrate them. Adam and Cristian are joined by Cameron Malin, a behavioral profiler who specializes in understanding adversaries and the “why” behind their activity. Cameron built the FBI’s Cyber Behavioral Analysis Unit, which works to understand the motivations for cybercrime across different types of offenses and has focused for years on exploring why adversaries do what they do. In this episode, he discusses how the discipline of cyber behavioral profiling emerged, how experts approach interviewing and analyzing adversaries, and the “dark triad” and “dark tetrad” of personality traits commonly observed in cyberattacks.
Though the inner workings of North Korea remain a mystery to much of the world, its global cyber activity has been tracked and analyzed for years. CrowdStrike’s Counter Adversary Operations team, which tracks five North Korean threat actors, has a unique perspective on the country’s evolution as a global cybersecurity threat and the many ways it has used cyber capabilities to achieve its goals. In this episode, Adam and Cristian trace the history of North Korean cyber operations from its early days of destructive attacks to its focus on financial gain and espionage. Tune in for the answers to questions such as: How does North Korea discover its cyber talent? When did it pivot to cryptocurrency theft? And why does CrowdStrike track North Korean adversaries under the name CHOLLIMA? Come for the history, stay for Cristian’s singing skills in this conversation about the complex and changing world of North Korean cyber activity. Check out some of the CHOLLIMAs we track here: https://www.crowdstrike.com/adversaries/silent-chollima/ https://www.crowdstrike.com/adversaries/labyrinth-chollima/ https://www.crowdstrike.com/adversaries/ricochet-chollima/ https://www.crowdstrike.com/adversaries/velvet-chollima/ https://www.crowdstrike.com/adversaries/stardust-chollima/
Cristian is joined by CrowdStrike Global CTO Elia Zaitsev to revisit the world of AI and large language models (LLMs), this time from the perspective of modern defenders. While this space has seen explosive growth in the past year, most organizations are still working to determine how LLM technology fits into their cybersecurity strategies. In this episode, Cristian and Elia unpack the rapid evolution of AI models — a trend the two consider both exciting and frightening — and examine how LLMs are empowering defenders, their effect on automation in the enterprise and why humans will continue to be part of the picture even as AI-powered tools evolve. Additional Resources: “Five Questions Security Teams Need to Ask to Use Generative AI Responsibly”; “Introducing Charlotte AI, CrowdStrike’s Generative AI Security Analyst: Ushering in the Future of AI-Powered Cybersecurity”
In mid-December 2023, an adversary CrowdStrike tracks as VOODOO BEAR targeted Ukrainian telecom provider Kyivstar, wreaking havoc and disrupting thousands of systems and assets. The Russia-linked adversary has for years treated Ukraine as its “lab of offensive cyber operations”, testing attack techniques and demonstrating the destructive behavior it has become known for since it emerged in late 2010. In this episode, Adam and Cristian dive into the details of the recent Kyivstar attack and how it aligns with VOODOO BEAR’s history of disruptive cyberattacks, both in Ukraine and around the world. They also pull back the curtain on the broad, complex history of Russian intrusion operations, shedding light on adversaries operating within the country and what has motivated them over the years.
It has been a whirlwind year for the cybersecurity industry. In this episode of the Adversary Universe podcast, we revisit clips from standout episodes of 2023. Tune in to catch pieces of our conversations on the evolution of cloud-focused cyberattacks, the rise of cyber activity from Iran and China, the process of discovering and mitigating vulnerabilities, the role of AI in the cyber threat landscape and more. For those who want to listen to the full episodes related to each of these clips, the episodes highlighted here are in the following order: “Adversaries and AI: Today’s Reality and Tomorrow’s Potential”; “Data Extortion Dethrones Ransomware as the Threat to Watch”; “Cloud Is the New Battleground”; “Invisible Threats: Discovering, Tracking and Mitigating Vulnerabilities”; “Have You Been Breached?”; “Urgent Care Required: The State of Healthcare Cybersecurity”; “Iran’s Rise from Nascent Threat Actor to Global Adversary”; “Inside China’s Evolution as a Global Security Threat”
Organizations around the world must navigate a growing number of cyber incident reporting regulations mandated by government bodies. In the U.S., these regulations come from agencies including the Securities and Exchange Commission (SEC), Federal Trade Commission (FTC), Cybersecurity and Infrastructure Security Agency (CISA) and others. This “alphabet soup” of regulations, as Cristian puts it, can be tough for businesses to understand and follow — especially as the threat landscape evolves and compliance requirements change. In this episode, Cristian is joined by Drew Bagley, VP and Counsel for Privacy and Policy at CrowdStrike, to dig into the details of why these myriad regulations have emerged and shed some light on common questions: When does a breach need to be reported, and why is the timeline a hot debate topic? What is a “material breach”? How are adversaries using these regulations to their advantage? And most importantly, how should businesses respond to all of this? Tune in for these answers — and more.
Today’s adversaries are working smarter, not harder — and it’s clear in the way their tactics are evolving. In this episode, Adam and Cristian explore the way adversaries are shifting their focus to data extortion. Instead of deploying noisy ransomware, more threat actors are quietly stealing data and threatening to publicly leak it if they’re not paid. Tune in to learn what’s driving this change, why data extortion is successful and what it means for organizations of all sizes and industries. Get your copy of the CrowdStrike 2023 Overwatch Threat Hunting Report. Read this blog to learn about why threat hunting and intelligence are essential to detect and disrupt today’s adversaries, ultimately raising their cost of doing business: https://www.crowdstrike.com/blog/crowdstrike-debuts-counter-adversary-operations-team/ 
At a time when breaches make headlines daily, the healthcare sector is among the most popular adversary targets. Cyberattacks against healthcare organizations have spiked in recent years, disrupting patient care, jeopardizing safety and privacy, and obstructing compliance with industry regulations. In this episode, Cristian is joined by Dennis Egan, director of healthcare services for CrowdStrike, and Drex DeFord, executive healthcare strategist at CrowdStrike, to discuss the impact of cyber threats against healthcare, challenges we see in the space, the urgent need for healthcare providers to strengthen their security and the steps they should take to defend against modern attacks. Discover the adversaries targeting healthcare: AQUATIC PANDA: https://www.crowdstrike.com/adversaries/aquatic-panda/ LABYRINTH CHOLLIMA: https://www.crowdstrike.com/adversaries/labyrinth-chollima/ Learn more about the cybersecurity issues healthcare experiences: https://www.crowdstrike.com/blog/healthcare-experiences-cybersecurity-emergencies/
“Iran’s digital presence is something we don’t want to underestimate.” Though its cyber activity has been making headlines during a dynamic past few weeks, Iran’s history as a major player in the threat landscape spans decades. In this episode, Adam and Cristian take you back to the days of Stuxnet and trace Iran’s evolution from nascent threat actor to prominent nation-state adversary. Tune in to learn how hacktivism has played a role in its history, why CrowdStrike uses “KITTEN” to categorize adversaries who operate on behalf of Iran, and how key political events and cyber threat activity have shaped its growth.
China is the source of some of the most prolific and aggressive nation-state cyber activity organizations face. Every business vertical, across every geography, is affected by China’s unrelenting focus on growth and power. In this episode, Adam and Cristian take you through the evolution of Chinese threat activity from the early 2010s through today, closely examining the myriad ways they seek to build influence, the industries they target along the way and the threat actors linked to Chinese cyberattacks. Additional resources: Download your copy of the 2023 Global Threat Report; get your custom threat landscape; read CrowdStrike's Research and Intel blogs.
A cyberattack is any security team’s worst nightmare — but the earlier a breach is detected, the faster you can respond and mitigate the damage. In this episode, we’ll share the warning signs that could indicate a breach has occurred, the immediate next steps to take in the incident response process, and why having the right data is essential to a successful recovery. Please note that all references to "Falcon" in this episode refer to the CrowdStrike Falcon® platform.
When an adversary seeks entry into an organization, they no longer need to develop their own vulnerability exploits or steal credentials. Many turn to access brokers, the sellers of credentials, exploits and other tools threat actors can buy and use to gain initial access. In this episode, we discuss who access brokers are, how they gain and sell access, and their crucial role in the cybercrime ecosystem.
Adversaries are moving and innovating at a rapid pace — but so are we. In this bonus episode, Adam and Cristian chat about the biggest announcements from Fal.Con, CrowdStrike’s annual conference, which took place last week in Las Vegas. Tune in to hear their take on new and developing technologies like Charlotte AI Investigator and Falcon Foundry, why they’re excited about the Bionic acquisition and some of the standout moments in an action-packed week. Some brief disclaimers about products discussed in this episode: Charlotte AI is a text-based interface in the Falcon platform; it does not support voice interaction at this time. Charlotte AI is currently available for private beta only. Watch CrowdStrike.com for future information about general availability. Charlotte AI Investigator is a feature of Falcon Raptor and designed for incident investigation. The Raptor release further accelerates the evolution of Charlotte AI, CrowdStrike’s generative AI cybersecurity analyst.
Artificial intelligence. It’s the hot topic in cybersecurity today. Everyone is curious about it, excited about its use cases and nervous about the problems it may cause in the wrong hands. Adam and Cristian get right into the questions you want answered: How are adversaries using AI today? How might they use it in the future? What should businesses really be worried about? Tune in to learn the truth behind these questions — and more — in this breakdown of adversaries’ use of AI.  
School is back in session — and adversaries have already done their homework. They know educational institutions often lack the resources and expertise to keep up with the wave of ransomware, data extortion and other attacks pummeling their systems. Cristian and Adam examine why schools are a common target, the threats they face and how they can best defend themselves. In this episode, we also hear from special guest Jason Rooks, CIO at Parkway School District, who shares his perspective on fighting modern threats and creating a culture of cybersecurity. Learn More: Security teams must consider five crucial security components when securing educational environments to gain the visibility, threat detection and response capabilities needed to stop adversaries. Download this eBook to learn about CrowdStrike’s expanded partnership with Google covering these components: 5 Easy Steps for School Cybersecurity. Watch this on-demand CrowdCast to hear about the major ways that ransomware has evolved and understand how modern endpoint security solutions outsmart adversaries: Ransomware Isn’t Dead, It’s Growing Up: How to Evolve Your Defenses at Pace