『SEC.co Podcast』のカバーアート

SEC.co Podcast

SEC.co Podcast

著者: Eric Lamanna
無料で聴く

A podcast about latest trends, techniques and learnings in cybersecurity and cyberdefense.2026 SEC.co マネジメント・リーダーシップ リーダーシップ 経済学
エピソード
  • EDR Bypass Techniques That Still Work in 2025
    2026/07/15

    Endpoint Detection and Response platforms have never been more capable, yet sophisticated adversaries continue to slip past them. This episode of Cybersecurity examines the structural blind spots baked into modern EDR architecture and walks through the specific attack techniques that remain effective in 2025 — drawing on this in-depth breakdown of current EDR bypass methods. The focus is firmly on the defender's perspective: understanding how these techniques work is the first step toward actually stopping them.

    The episode covers the following key areas:

    • Why EDR still has gaps: Default vendor policies tuned for low noise, the kernel-to-user-space telemetry blind spot, and cloud-backend latency all create windows of opportunity that attackers reliably exploit.
    • Living-off-the-Land Binaries (LOLBins): Legitimate Windows utilities like mshta.exe, regsvr32, and PowerShell continue to be abused precisely because they're expected to run — making alerts easy to dismiss or suppress.
    • In-memory and fileless execution: Reflective DLL loading, direct syscall frameworks, and short-lived implants that self-eject after exfiltration leave minimal forensic traces and sidestep disk-based detection entirely.
    • Kernel-level driver abuse: Stolen or misused legitimately signed drivers allow attackers to tamper with EDR sensor callbacks, hide process listings, and embed persistence deep in firmware or bootloader stages.
    • Signed malware and supply-chain piggybacking: Compromising a software vendor's build pipeline lets attackers deliver payloads with clean signature chains — trusted by EDR until the damage is already done.
    • Encrypted C2 tunneling: Command-and-control traffic routed through DNS-over-HTTPS, HTTP/3 QUIC, or cloud service impersonation blends into normal egress and evades inspection at the network layer.

    The episode doesn't stop at the attack surface. Practical defensive counter-moves include locking down script interpreter access with AppLocker or Windows Defender Application Control, enabling hardware-level memory protections like Control-flow Enforcement Technology, implementing a rigorous driver approval and blocklist process, and deploying selective TLS termination at sensitive egress points. Above all, the episode makes the case for regular purple-team exercises and human-led threat hunts — treating the security stack as a continuously tested hypothesis rather than a finished product.

    For more on adversarial exposure at the network edge, check out the episode Edge Network Exposure: New Frontiers for Exploitation from the Cybersecurity podcast.

    SEC
    cybersoftware.ai

    続きを読む 一部表示
    9 分
  • Edge Network Exposure: New Frontiers for Exploitation
    2026/07/14

    The modern corporate network no longer resembles a single fortified perimeter. It's a sprawling web of remote workstations, IoT sensors, cloud services, and field devices — each one a potential entry point for attackers. This episode of Cybersecurity examines the growing threat of edge network exposure, exploring how the relentless expansion of the network perimeter has fundamentally shifted the threat landscape and what security teams need to do about it.

    The episode walks through the core reasons edge devices have become such high-value targets for threat actors, and lays out practical, scalable defenses organizations can implement today. Key topics include:

    • Why the edge is the new battleground: The migration to remote work, IoT, and distributed cloud services has multiplied the number of network entry points exponentially — and attackers only need to find one that isn't locked down.
    • Access and lateral movement: A compromised edge device is rarely a dead end; it's a foothold that adversaries use to move deeper into the network toward sensitive data and critical systems.
    • The downtime weapon: Ransomware operators have made edge devices a preferred entry point precisely because seizing control of the perimeter can cripple an organization within hours, maximizing pressure to pay.
    • Default credentials and patching failures: Two chronic vulnerabilities — factory-set passwords that never get changed and firmware that goes unpatched for years — remain among the most exploited weaknesses in edge infrastructure.
    • Layered technical controls: Multi-factor authentication and network segmentation are highlighted as the highest-return investments, with consistent patching discipline rounding out the foundational defense stack.
    • The human element and assume-breach posture: Employee awareness training is framed as non-negotiable, and organizations are urged to build incident response plans specifically tailored to edge compromises — because prevention alone is never enough.

    The episode closes with a clear-eyed message: the network edge will keep growing, and security practices must scale with it. Treating edge devices as low-stakes because they appear small or peripheral is exactly the miscalculation attackers rely on. For more on kernel-level threat detection techniques that complement edge defense strategies, check out the episode eBPF: Giving Linux Detection Engineers Kernel-Level Superpowers.

    SEC
    Cybersoftware.ai

    続きを読む 一部表示
    8 分
  • eBPF: Giving Linux Detection Engineers Kernel-Level Superpowers
    2026/07/13

    Linux endpoint visibility has long been a trade-off between signal fidelity and performance cost — but eBPF changes the math entirely. This episode of Cybersecurity explores how detection engineers can harness kernel-level instrumentation to build sensors that are precise, lightweight, and operationally sustainable. Drawing from this practical deep-dive on eBPF for Linux detection engineering, the episode walks through everything from kernel hook fundamentals to production rollout discipline.

    Here's what the episode covers:

    • eBPF fundamentals: How safely sandboxed bytecode runs inside the Linux kernel — attached to kprobes, uprobes, tracepoints, and network hooks — without kernel modules, reboots, or upstream patches.
    • Hook selection strategy: Why the choice of hook type (process syscalls, uprobes for userland, XDP and socket hooks for network traffic) shapes everything downstream, and how to balance fidelity against resource cost across each domain.
    • Kernel-to-userspace data pipeline: How eBPF maps — hash maps, LRU maps, per-CPU ring buffers — serve as the bridge between kernel-captured events and a lightweight user-space agent, and why keeping heavy lifting out of the kernel is critical.
    • CO-RE portability: How Compile Once, Run Everywhere (using BTF type information and libbpf) eliminates the painful matrix of per-distribution kernel builds and simplifies rollouts.
    • Performance as a feature: Practical techniques — bounded stack traces, per-CPU maps, selective sampling — that keep sensor CPU overhead well under one percent and prevent the security tool from becoming the performance incident.
    • Signal design and enrichment: Why targeted, high-signal instrumentation beats firehose telemetry, and how enriching raw events with container metadata, package ownership, and process lineage shortens the path from alert to understanding.

    The episode also addresses operational realities: using bpftool for staged validation, feature-flagging individual probes for fast rollback, growing instrumentation incrementally across process, file, and network domains, and — crucially — treating detection rules like software with versioning and clear intent documentation. A measured rollout strategy and tight analyst feedback loops are presented as the difference between a trusted sensor and a noisy one that breeds alert fatigue. For more on mapping and protecting sensitive data at scale, check out the episode DSPM in Practice: How to Map Sensitive Data at Scale.

    SEC

    続きを読む 一部表示
    10 分
adbl_web_anon_alc_button_suppression_t1
まだレビューはありません