Threat Emulation with Andrew Costis
46 minutes
Description
1 year ago
Security risks are dynamic. Projects, employees, tools, and
configurations all change. Many companies bring in pen testers
on an annual basis, but because systems are revised so quickly,
you may need to implement threat emulation for regular
monitoring.
Today’s guest is Andrew Costis. Andrew is the Chapter Lead of the
Adversary Research Team at AttackIQ. He has over 22 years of
professional industry experience and previously worked in the
Threat Analysis Unit Team at VMware, Carbon Black, and
LogRhythm Labs, performing security research, reverse engineering
malware, and tracking and discovering new campaigns and threats.
Andrew has delivered various talks at DEF CON, Adversary Village,
Black Hat, BSides, Cyber Risk Alliance, Security Weekly, IT Pro,
BrightTALK, SE Magazine, and others.
Show Notes:
[1:14] - Andrew shares his background and what he currently
does in his career at AttackIQ.
[3:49] - At the time of this recording, there has been a
major global security panic.
[6:06] - There are many programs that we use on a regular
basis that we don’t always consider the security of.
[8:09] - Historically, companies would pay for an external
pen test. Andrew describes the purpose of this and how they
usually went.
[9:33] - Pen tests and threat emulation do not need to be
limited to just once a year.
[10:45] - Andrew’s team is in the business of testing
post-breach systems, but they preach prevention.
[11:55] - Attackers are lazy in the sense that they will
reuse the same strategies over and over again.
[14:13] - Many programs we use may be caught in the
crosshairs of attacks and vulnerabilities in other companies.
[16:41] - Andrew discusses the frequency of really critical
CVEs.
[19:01] - What do attackers go after when they’ve breached a
system?
[21:04] - The priority for attackers is to get in quickly and
make the victim’s data unavailable.
[22:24] - A lot of people are under the impression of
vulnerability testers. “Fire and forget it” is not a beneficial
mindset.
[24:56] - If we run every test, the amount of data will be
overwhelming.
[27:03] - In his experience, there has been client testing
that has been overwhelmingly easy to breach.
[29:07] - There are also organizations that have done a
fantastic job. However, vulnerabilities will still be found.
[30:18] - The red team is not going to be able to cover your
entire organization.
[32:15] - Threat emulation and pen testing are technically
the same thing. Andrew explains how he sees the difference.
[33:50] - How are vulnerabilities and tests prioritized?
[36:19] - Andrew describes the things his team works on and
their objectives for customers and clients.
[38:34] - The outage at the time of this recording had a big
impact. It gave a really good idea of what could happen if it
were a real security breach.
[41:37] - There are a ton of free resources out there. The
primary resource at AttackIQ is the free AttackIQ Academy.
Thanks for joining us on Easy Prey. Be sure to subscribe to
our podcast on iTunes and leave a nice review.
Links and Resources:
Podcast Web Page
Facebook Page
whatismyipaddress.com
Easy Prey on Instagram
Easy Prey on Twitter
Easy Prey on LinkedIn
Easy Prey on YouTube
Easy Prey on Pinterest
Andrew Costis at AttackIQ