Based on recent threat reports, a growing number of bad actors are bringing vulnerable drivers into victim environments and exploiting them to secure a more reliable attack path. These kernel drivers are legitimate, trusted and… vulnerable! Amazingly, some have CVEs dating back to 2015 or earlier. During this Anti-Cast, we will map out detection methods to identify and remove vulnerable drivers already present in your network AND devise prevent/block strategies to future-proof against BYOVD attacks.
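The detection step described above, identifying vulnerable drivers already present on a host, can be started with a simple inventory-and-compare script. The following PowerShell is an added example written for this page, not material from the Anti-Cast or its presenters. It assumes the hashes in `$KnownVulnerableHashes` are placeholders: in practice you would populate the table from a published vulnerable-driver list (for example the LOLDrivers project or Microsoft's recommended driver block rules), and the function `Get-DriverInventory` is a name chosen here, not a built-in cmdlet.

```powershell
# Added example: inventory every registered kernel driver on this host, hash it,
# record its Authenticode signer, and flag any hash found on a vulnerable-driver list.
# The two hash keys below are constructed placeholders, not real driver hashes.
$KnownVulnerableHashes = @{
    'PLACEHOLDER_SHA256_HASH_1' = 'example-vulnerable-driver-1.sys'
    'PLACEHOLDER_SHA256_HASH_2' = 'example-vulnerable-driver-2.sys'
}

function Get-DriverInventory {
    # Win32_SystemDriver lists every kernel driver service registered on the host,
    # including stopped ones, so a driver that was dropped but not yet loaded still shows up.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }

        # PathName may be stored as \??\C:\... or \SystemRoot\...; normalise to a Win32 path.
        $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { return }

        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $path

        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $path
            SHA256    = $hash
            Signer    = $sig.SignerCertificate.Subject
            SigStatus = $sig.Status
            Flagged   = $KnownVulnerableHashes.ContainsKey($hash)
        }
    }
}

$inventory = Get-DriverInventory

# Drivers whose hash matches the blocklist: candidates for removal.
$inventory | Where-Object Flagged |
    Format-Table Name, State, StartMode, Path, SHA256 -AutoSize

# Drivers signed by someone other than Microsoft are worth a second look even when
# they are not on the list yet; the signer field makes that triage quick.
$inventory | Where-Object { $_.Signer -notmatch 'Microsoft' } |
    Format-Table Name, Signer, SigStatus, Path -AutoSize
```

Run it elevated so every driver file is readable, and export `$inventory` (for example with `Export-Csv`) if you want to compare hosts across the fleet. Hash matching finds the drivers you already know about; for the prevent/block side of the talk, the Microsoft Vulnerable Driver Blocklist (enforced through WDAC or enabled under Core isolation when HVCI is on) stops a blocklisted driver from loading at all, which is the layer this inventory cannot provide on its own.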
For most security teams, high operational tempo (measured in dumpster fire lumens) incentivizes analysts to stick to well-tailored playbooks that prioritize remediation at the expense of proper incident scoping and root cause analysis. Though modern endpoint security products have significantly improved host visibility, most critical incidents will require the acquisition and analysis of additional endpoint data.
Does your environment pose unique security challenges that require special deviations from industry standard? Do you justify the diminutive size of your SOC/hunt/intel teams by pointing to how smart they are? Has the motto of your team’s onboarding become “they may be best practices but they aren’t our practices”? Welcome to the blue team logical fallacy follies talk.