
SEC.co Podcast


By: Eric Lamanna

A podcast about the latest trends, techniques and lessons in cybersecurity and cyberdefense.
2026 SEC.co
Categories: Economics, Management and leadership, Leadership
  • DLL Hijacking: The Invisible Attack Still Breaking Defenses in 2025
    Jul 5 2026

    It doesn't announce itself. It doesn't trip alarms. DLL hijacking weaponizes the way Windows was designed to work, letting attackers execute malicious code inside trusted, signed processes while endpoint tools watch quietly and see nothing wrong. This episode of Cybersecurity examines why this decades-old technique remains one of the most reliable tools in an attacker's kit, and what defenders need to do differently in 2025. The discussion draws on the SEC team's eight-minute deep-dive on defending against DLL hijacking attacks.

    The episode walks through the mechanics, the variants, and the real-world shape of a DLL hijacking campaign — then turns to practical, layered defensive measures that security teams can begin applying today:

    • How Windows DLL search order works — and why its predictability is exactly what attackers exploit to stage malicious libraries before legitimate ones are ever found.
    • Four distinct attack variants — classic preloading, search-order planting, side-loading alongside signed executables, and reflective in-memory loading that never touches the disk.
    • Why legacy software is a permanent liability — decade-old line-of-business applications that will never be patched create inherited, fixed attack surfaces inside enterprise networks.
    • Advanced evasion techniques — function forwarding to keep applications behaving normally, backdated compile timestamps, domain-fronted C2 traffic, and on-the-fly disabling of Windows Event Tracing all stack the odds against reactive defenses.
    • High-value defensive controls — auditing write permissions on application directories, enforcing DLL signing policies via WDAC, cataloging file hashes for critical applications, and flagging anomalous load paths as high-fidelity signals.
    • Visibility-first strategy — how Sysmon Event ID 7, combined with ETW telemetry fed into a SIEM, gives defenders the baseline they need to spot drift before damage is done.

    The core argument of the episode is straightforward: this attack class has survived for over two decades not because it's clever, but because it requires no cleverness at all — just patience, a writable directory, and the confidence that most environments still haven't done the foundational work. The organizations making progress are the ones that started with visibility and used it to drive permission hygiene and signing enforcement systematically over time. For more on threats that exploit trust rather than brute force, listen to Deepfake Cyberattacks: When Seeing Is No Longer Believing, another recent episode of the show.

    9 min
  • Deepfake Cyberattacks: When Seeing Is No Longer Believing
    Jul 4 2026

    A bank employee in Hong Kong once authorized a $35 million wire transfer after joining a video call with what looked and sounded exactly like his CFO. Every face was familiar. Every voice matched. None of it was real. This episode of Cybersecurity examines how deepfake technology has become a frontline weapon in the attacker's toolkit, and what defenders need to do about it now. The discussion draws on an in-depth SEC.co article on deepfake cyberattacks as the next evolution of social engineering, a must-read for security professionals at any level.

    The episode walks through the full arc of the threat — from its roots in classic social engineering to the AI-powered impersonation campaigns reshaping corporate fraud and geopolitical disinformation today. Key areas covered include:

    • How the deepfake attack lifecycle works: Attackers begin with open-source reconnaissance, harvesting publicly available video and audio of high-profile targets — executives, politicians, and anyone with a visible digital footprint — before assembling convincing synthetic personas.
    • Business video compromise (BVC): The dangerous successor to business email compromise, where a live-looking video call replaces the spoofed email — applying the same psychological levers of authority, urgency, and fear to extract wire transfers or credential changes.
    • The detection arms race: AI-powered tools can identify artifacts like unnatural blinking or audio-lip mismatches, but generative models consistently outpace detection methods — and human perception is an unreliable last line of defense.
    • The low barrier to entry: Sophisticated voice cloning and video synthesis no longer require nation-state resources. Open-source tools and consumer hardware have brought deepfake-as-a-service within reach of everyday cybercriminals.
    • Structural defenses that actually work: High-stakes requests — transfers, access changes, credential updates — must trigger mandatory secondary verification through a completely independent, pre-established channel, regardless of how convincing the initial contact appears.
    • Building a culture of verified trust: Security awareness training must evolve beyond phishing-email spotting to normalize healthy skepticism of video calls, empower employees to slow down under pressure, and eliminate the fear of questioning an apparent authority figure.

    The episode closes with a look at where the threat is headed: automated, relationship-building AI personas that groom targets over weeks before making a move — making today's one-off deepfake calls look primitive by comparison. Organizations that treat this as a future problem are already behind. For more from the show on how attackers exploit gaps in visibility and verification, listen to the episode Decrypting Encrypted Threats: Middleboxes vs Endpoint Instrumentation.

    8 min
  • Decrypting Encrypted Threats: Middleboxes vs Endpoint Instrumentation
    Jul 3 2026

    Encryption was supposed to make the internet safer, and it did. But it also handed threat actors a near-perfect hiding place. This episode of Cybersecurity takes a hard look at what it actually means to defend a network where nine out of ten packets are wrapped in cryptography your traditional tools can't read, and lays out the architectural trade-offs defenders must confront. The discussion draws directly on an eight-minute deep-dive on encrypted threat inspection published on SEC.co.

    The episode examines both major strategies for inspecting encrypted traffic — network-side middleboxes and host-side endpoint instrumentation — covering where each excels, where each falls short, and how mature security programs combine them into a layered posture. Key topics include:

    • How encryption became an attacker's tool: the shift from plaintext-dominant networks to a world where phishing sites carry valid TLS certificates, ransomware rides HTTPS, and botnet C2 traffic looks indistinguishable from legitimate sessions.
    • Middlebox inspection mechanics and strengths: how TLS-terminating appliances, secure web gateways, and inline inspection devices deliver centralized, high-throughput visibility — and why they're well-suited for managed office environments and high-volume data centers.
    • Middlebox limitations: blind spots created by remote work, protocol headwinds from TLS 1.3 and Encrypted Client Hello, certificate-pinning breakage, latency overhead, and potential compliance exposure under data protection regulations.
    • Endpoint instrumentation advantages: how EDR agents and kernel-level drivers capture decrypted traffic in context — paired with process trees, file system activity, and behavioral telemetry — and how that visibility travels with users regardless of network location.
    • Endpoint instrumentation trade-offs: agent fatigue, coverage gaps on Linux servers and IoT devices, and the security risks introduced by session-key extraction and transport.
    • Emerging directions: hardware-backed key escrow (SGX-based approaches), encrypted traffic metadata analysis via machine learning, and why the long-term answer is a portfolio strategy rather than a single-tool bet.
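    To make the middlebox limitations and the metadata-analysis point concrete, here is an added example that is not code from the episode or from the SEC.co article: it builds a minimal TLS 1.3 ClientHello and then parses it the way a passive inline device would, with no keys at all. The ClientHello bytes are constructed (zeroed random, at most three extensions), not captured from a real client; the extension numbers 0, 43 and 0xFE0D are the IANA-registered values for server_name, supported_versions and encrypted_client_hello. The fingerprint is a simplified JA3-style hash over cipher and extension lists, an assumption of this example rather than a technique the episode names.

```python
"""Added example, not from the SEC.co episode: what a passive middlebox can
still read from a TLS 1.3 ClientHello without any keys, and how Encrypted
Client Hello (ECH) removes the true server name from that view.  The
ClientHello bytes are constructed here (zeroed random, minimal extensions),
not captured from a real client; extension numbers (0 = server_name,
43 = supported_versions, 0xFE0D = encrypted_client_hello) are the IANA values."""
import hashlib
import struct


def _ext(ext_type, data):
    return struct.pack(">HH", ext_type, len(data)) + data


def build_client_hello(sni, cipher_suites, extra_exts=()):
    """Constructed minimal TLS 1.3 ClientHello wrapped in one handshake record."""
    name = sni.encode()
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name        # host_name type + name
    exts = _ext(0, struct.pack(">H", len(sni_entry)) + sni_entry)
    exts += _ext(43, b"\x02\x03\x04")                                 # supported_versions: [TLS 1.3]
    for ext_type, data in extra_exts:
        exts += _ext(ext_type, data)
    body = b"\x03\x03" + bytes(32) + b"\x00"                          # legacy_version, random, empty session_id
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", c) for c in cipher_suites)
    body += b"\x01\x00"                                               # compression_methods: [null]
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Pull the plaintext metadata a middlebox or flow sensor can see without keys."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs = record[5:]
    p = 4 + 2 + 32                                    # handshake header, legacy_version, random
    p += 1 + hs[p]                                    # session_id
    cs_len = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                    # compression_methods
    end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    info = {"sni": None, "ciphers": ciphers, "extensions": [], "tls13": False, "ech": False}
    while p < end:
        ext_type, elen = struct.unpack(">HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        info["extensions"].append(ext_type)
        if ext_type == 0:                             # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack(">H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode()
        elif ext_type == 43:                          # supported_versions: len(1) then 2-byte versions
            versions = [struct.unpack(">H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
            info["tls13"] = 0x0304 in versions
        elif ext_type == 0xFE0D:                      # encrypted_client_hello present
            info["ech"] = True
    return info


def fingerprint(info):
    """JA3-style client fingerprint over cipher and extension lists: no SNI, no keys.
    (Simplified: real JA3 also strips GREASE values and adds curves and point formats.)"""
    raw = "-".join(map(str, info["ciphers"])) + "," + "-".join(map(str, info["extensions"]))
    return hashlib.md5(raw.encode()).hexdigest()


def middlebox_view(record):
    """What an inline device can act on for one connection, with and without ECH."""
    info = parse_client_hello(record)
    # With ECH only the outer (public) name is on the wire; the inner ClientHello
    # carrying the real server name is encrypted to the server's published key.
    return {"visible_name": info["sni"],
            "true_destination_known": not info["ech"],
            "fingerprint": fingerprint(info)}


if __name__ == "__main__":
    plain = build_client_hello("login.example.com", [0x1301, 0x1302, 0xC02F])
    ech = build_client_hello("public.cdn.example", [0x1301, 0x1302, 0xC02F],
                             extra_exts=[(0xFE0D, bytes(16))])
    print(middlebox_view(plain))
    print(middlebox_view(ech))
```

    Two things fall out of running it. First, the fingerprint is identical for the same client talking to different hosts, which is why metadata analysis still works as a classifier of client software after decryption is off the table. Second, once the ECH extension is present the only name on the wire is the outer one, so the device cannot enforce a destination policy from the ClientHello alone; that is the gap the episode says roaming and ECH-enabled traffic pushes onto endpoint instrumentation.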

    The central takeaway is that middleboxes and endpoint instrumentation are complementary, not competing — and that choosing between them is less a binary decision than a question of mapping the right tool to each segment of your risk surface: office traffic, roaming workforce, regulated data, and SOC workflow integration. For more on this topic, read the full source article on decrypting encrypted threats on SEC.co. More from the show: if you're thinking about how security architecture decisions fit into broader organizational risk management, check out the episode on Cybersecurity Audit vs. Assessment: Which One Does Your Organization Need?

    8 min