Episodi

  • DLL Hijacking: The Invisible Attack Still Breaking Defenses in 2025
    Jul 5 2026

    It doesn't announce itself. It doesn't trip alarms. DLL hijacking weaponizes the way Windows was designed to work, letting attackers execute malicious code inside trusted, signed processes while endpoint tools watch quietly and see nothing wrong. This episode of Cybersecurity examines why this decades-old technique remains one of the most reliable tools in an attacker's kit — and what defenders need to do differently in 2025. The discussion draws on this eight-minute deep-dive on defending against DLL hijacking attacks from the SEC team.

    The episode walks through the mechanics, the variants, and the real-world shape of a DLL hijacking campaign — then turns to practical, layered defensive measures that security teams can begin applying today:

    • How Windows DLL search order works — and why its predictability is exactly what attackers exploit to stage malicious libraries before legitimate ones are ever found.
    • Four distinct attack variants — classic preloading, search-order planting, side-loading alongside signed executables, and reflective in-memory loading that never touches the disk.
    • Why legacy software is a permanent liability — decade-old line-of-business applications that will never be patched create inherited, fixed attack surfaces inside enterprise networks.
    • Advanced evasion techniques — function forwarding to keep applications behaving normally, backdated compile timestamps, domain-fronted C2 traffic, and on-the-fly disabling of Windows Event Tracing all stack the odds against reactive defenses.
    • High-value defensive controls — auditing write permissions on application directories, enforcing DLL signing policies via WDAC, cataloging file hashes for critical applications, and flagging anomalous load paths as high-fidelity signals.
    • Visibility-first strategy — how Sysmon Event ID 7, combined with ETW telemetry fed into a SIEM, gives defenders the baseline they need to spot drift before damage is done.

    The core argument of the episode is straightforward: this attack class has survived for over two decades not because it's clever, but because it requires no cleverness at all — just patience, a writable directory, and the confidence that most environments still haven't done the foundational work. The organizations making progress are the ones that started with visibility and used it to drive permission hygiene and signing enforcement systematically over time. For more on threats that exploit trust rather than brute force, listen to Deepfake Cyberattacks: When Seeing Is No Longer Believing, another recent episode of the show.

    SEC

    Mostra di più Mostra meno
    9 min
  • Deepfake Cyberattacks: When Seeing Is No Longer Believing
    Jul 4 2026

    A bank employee in Hong Kong once authorized a $35 million wire transfer after joining a video call with what looked and sounded exactly like his CFO. Every face was familiar. Every voice matched. None of it was real. This episode of Cybersecurity examines how deepfake technology has become a frontline weapon in the attacker's toolkit — and what defenders need to do about it now. The discussion draws on this in-depth article on deepfake cyberattacks as the next evolution of social engineering, a must-read for security professionals at any level.

    The episode walks through the full arc of the threat — from its roots in classic social engineering to the AI-powered impersonation campaigns reshaping corporate fraud and geopolitical disinformation today. Key areas covered include:

    • How the deepfake attack lifecycle works: Attackers begin with open-source reconnaissance, harvesting publicly available video and audio of high-profile targets — executives, politicians, and anyone with a visible digital footprint — before assembling convincing synthetic personas.
    • Business video compromise (BVC): The dangerous successor to business email compromise, where a live-looking video call replaces the spoofed email — applying the same psychological levers of authority, urgency, and fear to extract wire transfers or credential changes.
    • The detection arms race: AI-powered tools can identify artifacts like unnatural blinking or audio-lip mismatches, but generative models consistently outpace detection methods — and human perception is an unreliable last line of defense.
    • The low barrier to entry: Sophisticated voice cloning and video synthesis no longer require nation-state resources. Open-source tools and consumer hardware have brought deepfake-as-a-service within reach of everyday cybercriminals.
    • Structural defenses that actually work: High-stakes requests — transfers, access changes, credential updates — must trigger mandatory secondary verification through a completely independent, pre-established channel, regardless of how convincing the initial contact appears.
    • Building a culture of verified trust: Security awareness training must evolve beyond phishing-email spotting to normalize healthy skepticism of video calls, empower employees to slow down under pressure, and eliminate the fear of questioning an apparent authority figure.

    The episode closes with a look at where the threat is headed: automated, relationship-building AI personas that groom targets over weeks before making a move — making today's one-off deepfake calls look primitive by comparison. Organizations that treat this as a future problem are already behind. For more from the show on how attackers exploit gaps in visibility and verification, listen to the episode Decrypting Encrypted Threats: Middleboxes vs Endpoint Instrumentation.

    SEC.CO

    Mostra di più Mostra meno
    8 min
  • Decrypting Encrypted Threats: Middleboxes vs Endpoint Instrumentation
    Jul 3 2026

    Encryption was supposed to make the internet safer — and it did. But it also handed threat actors a near-perfect hiding place. This episode of Cybersecurity takes a hard look at what it actually means to defend a network where nine out of ten packets are wrapped in cryptography your traditional tools can't read, and lays out the architectural trade-offs defenders must confront. The discussion draws directly from this eight-minute deep-dive on encrypted threat inspection published on SEC.co.

    The episode examines both major strategies for inspecting encrypted traffic — network-side middleboxes and host-side endpoint instrumentation — covering where each excels, where each falls short, and how mature security programs combine them into a layered posture. Key topics include:

    • How encryption became an attacker's tool: the shift from plaintext-dominant networks to a world where phishing sites carry valid TLS certificates, ransomware rides HTTPS, and botnet C2 traffic looks indistinguishable from legitimate sessions.
    • Middlebox inspection mechanics and strengths: how TLS-terminating appliances, secure web gateways, and inline inspection devices deliver centralized, high-throughput visibility — and why they're well-suited for managed office environments and high-volume data centers.
    • Middlebox limitations: blind spots created by remote work, protocol headwinds from TLS 1.3 and Encrypted Client Hello, certificate-pinning breakage, latency overhead, and potential compliance exposure under data protection regulations.
    • Endpoint instrumentation advantages: how EDR agents and kernel-level drivers capture decrypted traffic in context — paired with process trees, file system activity, and behavioral telemetry — and how that visibility travels with users regardless of network location.
    • Endpoint instrumentation trade-offs: agent fatigue, coverage gaps on Linux servers and IoT devices, and the security risks introduced by session-key extraction and transport.
    • Emerging directions: hardware-backed key escrow (SGX-based approaches), encrypted traffic metadata analysis via machine learning, and why the long-term answer is a portfolio strategy rather than a single-tool bet.

    The central takeaway is that middleboxes and endpoint instrumentation are complementary, not competing — and that choosing between them is less a binary decision than a question of mapping the right tool to each segment of your risk surface: office traffic, roaming workforce, regulated data, and SOC workflow integration. For more on this topic, read the full source article on decrypting encrypted threats on SEC.co. More from the show: if you're thinking about how security architecture decisions fit into broader organizational risk management, check out the episode on Cybersecurity Audit vs. Assessment: Which One Does Your Organization Need?

    SEC

    Mostra di più Mostra meno
    8 min
  • Cybersecurity Audit vs. Assessment: Which One Does Your Organization Need?
    Jul 2 2026

    Two terms. One persistent source of confusion. Cybersecurity audits and cybersecurity assessments show up side by side in vendor proposals and boardroom conversations all the time — and they are not the same thing. This episode of Cybersecurity unpacks the structural differences between these two distinct exercises, drawing on this in-depth guide to audits versus assessments to help listeners make smarter, better-informed decisions about their security programs.

    Here's what the episode covers:

    • The core distinction: An audit is a formal, point-in-time compliance check against a recognized standard (ISO 27001, SOC 2, PCI-DSS, HIPAA) — binary by design, delivering a pass/fail result. An assessment is a diagnostic, exploratory engagement that surfaces risk, context, and blind spots the checklist never asks about.
    • When an audit is the right call: Any time there's an external mandate — a regulator, a customer contract, or a certification requirement — only a formal audit produces the attestation that stakeholders need.
    • When an assessment is the right call: Organizations in a period of growth, strategic change, or pre-compliance preparation benefit most from the risk-ranked, prioritized, actionable output an assessment delivers.
    • The smart sequence: Assessment first, audit second. Mature security programs use assessments to map gaps and drive remediation before inviting auditors in — skipping this order can delay certification by months and drive up costs significantly.
    • Four factors that determine real value: Clear objectives, the right framework for your industry and regulatory environment, cross-functional team involvement, and treating every finding as an improvement opportunity rather than a verdict.
    • The bigger picture: Audits provide rigor and market credibility; assessments provide curiosity and adaptability. Together, they build a security culture that treats compliance as a baseline — not a finish line.

    Whether your organization is preparing for its first external audit, evaluating its readiness for GDPR, or simply trying to understand where the real risks live, this episode offers a practical framework for choosing — and sequencing — the right engagement. For more on how real-world risk scoring shapes security decisions, check out the episode CVSS Is Broken: Scoring Vulnerability Risk in the Real World.

    SEC

    Mostra di più Mostra meno
    8 min
  • CVSS Is Broken: Scoring Vulnerability Risk in the Real World
    Jul 1 2026

    Vulnerability management runs on a single number — and that number is lying to you. CVSS scores are embedded in scanner reports, regulatory frameworks, and executive dashboards worldwide, yet most defenders who work with real production environments eventually reach the same conclusion: the system, used in isolation, is a poor guide for prioritizing actual risk. This episode draws on this seven-minute breakdown of CVSS's real-world failures to examine five hard-earned lessons about what goes wrong — and how to fix it.

    Here's what the episode covers:

    • Context blindness: CVSS is deliberately environment-agnostic, which means an internet-facing payment gateway and an air-gapped lab server can carry identical scores despite wildly different blast radii — and the fix is tagging assets with business context before acting on any score.
    • Exploitability gaps: Base scores assume worst-case conditions even when no working exploit exists, while actively weaponized bugs sometimes sit below the critical threshold; pairing CVSS with CISA's Known Exploited Vulnerabilities list and EPSS closes that gap.
    • Score manipulation: The eight metrics that feed a CVSS calculation can be nudged — intentionally or not — by whoever files the advisory, producing legitimately different numbers for the same flaw; independent validation by internal engineering teams is the safeguard.
    • Temporal decay: Vendors freeze the base score at publication and rarely update it, so dashboards stay static even after proof-of-concept code drops publicly; automated score-aging policies tied to exploit maturity keep the queue honest.
    • Patch paralysis: A wall of 9.8s doesn't drive action — it drives overwhelm; replacing the binary "critical vs. everything else" model with a triage ladder built on reachability and live exploit status turns an unmanageable backlog into prioritized sprints.
    • What good looks like: A concrete case study shows how a global manufacturer handled two simultaneous 9.8-scored CVEs differently based on exposure and compensating controls — patching one the same day, scheduling the other for the following quarter — with zero incidents.

    The episode closes with a clear framework for enriching CVSS rather than discarding it: layer in asset criticality, live threat intelligence, compensating controls, and exposure surface data. When briefing leadership, swap raw CVE counts for plain-language statements about business risk — that's what actually moves patching decisions forward. For more on preparing for systemic shifts in security fundamentals, listen to the episode on Cryptographic Agility: Preparing for the Algorithm Lifecycle Crisis.

    SEC.CO

    Mostra di più Mostra meno
    9 min
  • Cryptographic Agility: Preparing for the Algorithm Lifecycle Crisis
    Jun 30 2026

    Every cryptographic algorithm has an expiration date, and the gap between "trusted standard" and "actively exploited weakness" is shrinking. This episode of Cybersecurity examines the algorithm lifecycle crisis — the accelerating convergence of advances in cryptanalysis, cloud-scale computing, and the approaching reality of quantum computers — and makes the case that the window for proactive action is narrower than most organizations realize. The discussion is grounded in this six-minute deep-dive on cryptographic agility, which informed the episode's research and framework.

    The episode covers the full arc from historical precedent to practical implementation, including:

    • The algorithm graveyard: How DES, SHA-1, and RSA each followed the same arc from crown jewel to liability — and what that pattern tells us about every algorithm in use today.
    • Why hard-wired crypto is so dangerous: When cryptography is baked into products, embedded systems, and compliance checklists, retiring a broken algorithm stops being a patch and becomes a multi-year engineering project or a board-level crisis.
    • The five pillars of a crypto-agile architecture: Inventory everything that encrypts (with specifics, not generalities), classify and prioritize by risk, decouple cryptographic logic from business code, design for dual-stack coexistence during migrations, and automate rollouts through CI/CD pipelines.
    • Common roadblocks and how to navigate them: The "wait for NIST to finalize" trap, vendor lock-in behind proprietary quantum-safe interfaces, post-quantum performance overhead, and legacy operational technology that can't be patched.
    • Two contrasting case studies: A global financial institution that rotated SHA-1 across two thousand microservices in under a week using a single feature flag — versus a regional hospital forced into frantic weekend remediation after a regulatory audit exposed decade-old RSA key sizes still in production.
    • Where to start this quarter: Concrete first steps — a crypto-asset inventory template, a low-risk algorithm toggle pilot, and a lab environment simulating post-quantum TLS handshakes — that turn agility from abstract strategy into practiced muscle memory.

    The central takeaway is that cryptographic agility isn't a one-time project; it's an organizational discipline. The cost of building it in from the start is a fraction of the cost of retrofitting it under pressure — and history offers no shortage of cautionary tales for teams that waited. For more on related credential and token risk, listen to the episode Cross-SaaS Token Sprawl: Discover, Rotate, and Revoke API Tokens.

    SEC

    Mostra di più Mostra meno
    9 min
  • Cross-SaaS Token Sprawl: Discover, Rotate, and Revoke API Tokens
    Jun 29 2026

    API tokens are the invisible connective tissue of the modern SaaS stack — and they accumulate far faster than security teams can track them. This episode tackles cross-SaaS token sprawl head-on, drawing on this in-depth eight-minute read on discovering, rotating, and revoking API tokens to walk through a full governance lifecycle that actually holds up at scale. Whether you're running a lean security program or managing a sprawling enterprise integration mesh, the conversation offers concrete, actionable steps rather than abstract principles.

    The episode covers the full token sprawl lifecycle, from root cause to measurable outcomes:

    • Why sprawl is a context problem, not just a counting problem — a single over-scoped, forgotten token is more dangerous than dozens of well-managed ones, making ownership and scope as important as raw inventory.
    • Continuous discovery as a discipline — using vendor APIs, static and dynamic code analysis, and repository scanning to build a living inventory tagged with owners, lineage, and blast-radius estimates.
    • Telemetry and anomaly detection — turning raw token logs into an actionable signal layer that flags unusual geography, call-volume spikes, and access to sensitive endpoints before an attacker can pivot.
    • Rotation architecture that makes secrets boring — moving away from hard-coded values toward secret managers, runtime injection, and risk-tiered cadences so that rotating a token feels like a routine deployment, not a crisis.
    • Revocation as a verified campaign — building kill switches before you need them, checking for residual access in cached sessions and downstream copies, and codifying each incident's timeline to speed up the next one.
    • Governance that engineers will actually follow — designing secure token flows to be the fastest flows, using procurement conversations as a security control, and tracking meaningful metrics like mean time to revocation and the ratio of short-lived to long-lived tokens.

    The episode closes with a look at the most common failure modes — sprawling spreadsheets, rotation without monitoring, and policies that sound rigorous but can't be executed with available tooling — and explains how a tight feedback loop between inventory, rotation, and revocation compounds into a program that scales gracefully with each new integration your teams add.

    For more on protecting credentials from evolving attack techniques, check out the earlier episode Credential Stuffing Is Evolving—Are Your Defenses?

    SEC

    Mostra di più Mostra meno
    9 min
  • Credential Stuffing Is Evolving—Are Your Defenses?
    Jun 28 2026

    Credential stuffing is no longer the noisy, easily-blocked brute-force attack it once was. In this episode of Cybersecurity, the hosts draw on this six-minute deep dive into evolving credential stuffing defenses to map exactly how attackers have refined their tradecraft — and why organizations that haven't updated their mental model of this threat are already behind. From underground combo-list economies to headless browser farms that mimic human behavior, the episode makes a compelling case that this is one of the most persistently underestimated attack categories in enterprise security today.

    Here's what the episode covers:

    • Why the attack still works at all — password reuse remains the core enabler, and aging breach data retains surprising hit rates because most users never rotate credentials across every account after a notification.
    • How automation has industrialized the threat — modern frameworks rotate residential IPs, emulate full browsers, randomize device fingerprints, and solve CAPTCHAs in real time using AI, making volume-based defenses largely obsolete.
    • Layered evasion tactics — low-and-slow pacing to stay under velocity thresholds, headless browser tools like Playwright and Puppeteer, mobile API abuse against lighter-hardened endpoints, and targeted list enrichment using social media cross-referencing.
    • MFA isn't a silver bullet — stolen session cookies, push-notification fatigue attacks, and poorly implemented TOTP flows all give attackers viable bypass routes; the how of MFA deployment matters as much as the whether.
    • The full cost picture — beyond direct fraud losses, organizations absorb infrastructure overload bills, false-positive-driven help-desk spikes, customer churn after visible account-takeover incidents, and real regulatory exposure under GDPR, HIPAA, and PCI.
    • What a modern defense stack looks like — phishing-resistant FIDO2/passkey MFA, adaptive risk engines, behavioral-biometric bot management, automated session-revocation workflows, and proactive threat intelligence monitoring for brand mentions in underground combo-list markets.

    The episode closes with a strategic reminder that no single control has an indefinite shelf life: red-teaming your own login flows, rotating mitigation providers before entropy sets in, and keeping user education current are all ongoing commitments, not one-time projects. For more on attacker persistence techniques, check out the episode Covert Persistence via Scheduled Task Abuse for a complementary look at how adversaries maintain footholds after initial access.

    SEC

    Mostra di più Mostra meno
    8 min