エピソード

  • Encrypted DNS in Enterprises: Balancing Privacy, Control, and Visibility
    2026/07/16

    Encrypted DNS protocols like DNS over HTTPS and DNS over TLS were built to fix a real problem: plain-text DNS queries are trivially readable by anyone on the wire. But when organizations deploy these protocols without a deliberate policy, they often trade one risk for another — replacing passive eavesdropping with active blindness inside their own security programs. This episode of Cybersecurity walks through exactly how enterprises can capture the privacy benefits of encrypted DNS while keeping the defender visibility that modern threat detection depends on, drawing on this in-depth guide on enterprise encrypted DNS policy and monitoring.

    The episode covers the full lifecycle of an enterprise encrypted DNS strategy, from protocol selection to incident response:

    • Protocol trade-offs: DoH runs on port 443 and blends invisibly with web traffic, making it hard to block selectively; DoT uses a dedicated port (853) that's easier to control; DNS over QUIC is gaining ground fast for its performance advantages — and each carries different implications for egress policy.
    • The shadow resolver problem: Browsers, operating systems, and applications increasingly enable encrypted DNS on their own, quietly routing queries to public resolvers and bypassing corporate infrastructure — taking threat intelligence and audit trails with them.
    • Identity-aware resolution: Tying DNS resolution paths to device identity and user identity, using client certificates or tokens, lets security teams link queries to specific endpoints and people — exactly what incident responders need when reconstructing an event.
    • Egress controls and BYOD: A default-deny posture for outbound DoH and DoT, combined with explicit allow-lists for sanctioned resolvers, closes the most common bypass routes; personal and unmanaged devices need dedicated network segments and resolver profiles rather than blanket blocks.
    • Monitoring without decryption: Rich telemetry at the resolver, minimal but meaningful telemetry at the endpoint agent, and egress-layer logging for unauthorized DoH connections give security operations teams the triangle of evidence needed for most investigations — without touching encrypted traffic on the wire.
    • Preparing for what's next: Encrypted Client Hello, Oblivious DoH, and DNS over QUIC are all pushing privacy further by default; organizations that anchor their strategy in identity, sanctioned resolvers, and attested endpoint configuration will adapt without rebuilding from scratch.

    The episode closes with a practical picture of what mature encrypted DNS looks like in production: managed devices on DoH or DoT, unknown resolvers blocked at egress, clean correlated logs in the SIEM, and users who never have to think about DNS at all. More from the show: check out the episode on EDR Bypass Techniques That Still Work in 2025 for a related look at how attackers work around modern defensive controls.

    SEC
    Cybersoftware.ai

    続きを読む 一部表示
    10 分
  • EDR Bypass Techniques That Still Work in 2025
    2026/07/15

    Endpoint Detection and Response platforms have never been more capable, yet sophisticated adversaries continue to slip past them. This episode of Cybersecurity examines the structural blind spots baked into modern EDR architecture and walks through the specific attack techniques that remain effective in 2025 — drawing on this in-depth breakdown of current EDR bypass methods. The focus is firmly on the defender's perspective: understanding how these techniques work is the first step toward actually stopping them.

    The episode covers the following key areas:

    • Why EDR still has gaps: Default vendor policies tuned for low noise, the kernel-to-user-space telemetry blind spot, and cloud-backend latency all create windows of opportunity that attackers reliably exploit.
    • Living-off-the-Land Binaries (LOLBins): Legitimate Windows utilities like mshta.exe, regsvr32, and PowerShell continue to be abused precisely because they're expected to run — making alerts easy to dismiss or suppress.
    • In-memory and fileless execution: Reflective DLL loading, direct syscall frameworks, and short-lived implants that self-eject after exfiltration leave minimal forensic traces and sidestep disk-based detection entirely.
    • Kernel-level driver abuse: Stolen or misused legitimately signed drivers allow attackers to tamper with EDR sensor callbacks, hide process listings, and embed persistence deep in firmware or bootloader stages.
    • Signed malware and supply-chain piggybacking: Compromising a software vendor's build pipeline lets attackers deliver payloads with clean signature chains — trusted by EDR until the damage is already done.
    • Encrypted C2 tunneling: Command-and-control traffic routed through DNS-over-HTTPS, HTTP/3 QUIC, or cloud service impersonation blends into normal egress and evades inspection at the network layer.

    The episode doesn't stop at the attack surface. Practical defensive counter-moves include locking down script interpreter access with AppLocker or Windows Defender Application Control, enabling hardware-level memory protections like Control-flow Enforcement Technology, implementing a rigorous driver approval and blocklist process, and deploying selective TLS termination at sensitive egress points. Above all, the episode makes the case for regular purple-team exercises and human-led threat hunts — treating the security stack as a continuously tested hypothesis rather than a finished product.

    For more on adversarial exposure at the network edge, check out the episode Edge Network Exposure: New Frontiers for Exploitation from the Cybersecurity podcast.

    SEC
    cybersoftware.ai

    続きを読む 一部表示
    9 分
  • Edge Network Exposure: New Frontiers for Exploitation
    2026/07/14

    The modern corporate network no longer resembles a single fortified perimeter. It's a sprawling web of remote workstations, IoT sensors, cloud services, and field devices — each one a potential entry point for attackers. This episode of Cybersecurity examines the growing threat of edge network exposure, exploring how the relentless expansion of the network perimeter has fundamentally shifted the threat landscape and what security teams need to do about it.

    The episode walks through the core reasons edge devices have become such high-value targets for threat actors, and lays out practical, scalable defenses organizations can implement today. Key topics include:

    • Why the edge is the new battleground: The migration to remote work, IoT, and distributed cloud services has multiplied the number of network entry points exponentially — and attackers only need to find one that isn't locked down.
    • Access and lateral movement: A compromised edge device is rarely a dead end; it's a foothold that adversaries use to move deeper into the network toward sensitive data and critical systems.
    • The downtime weapon: Ransomware operators have made edge devices a preferred entry point precisely because seizing control of the perimeter can cripple an organization within hours, maximizing pressure to pay.
    • Default credentials and patching failures: Two chronic vulnerabilities — factory-set passwords that never get changed and firmware that goes unpatched for years — remain among the most exploited weaknesses in edge infrastructure.
    • Layered technical controls: Multi-factor authentication and network segmentation are highlighted as the highest-return investments, with consistent patching discipline rounding out the foundational defense stack.
    • The human element and assume-breach posture: Employee awareness training is framed as non-negotiable, and organizations are urged to build incident response plans specifically tailored to edge compromises — because prevention alone is never enough.

    The episode closes with a clear-eyed message: the network edge will keep growing, and security practices must scale with it. Treating edge devices as low-stakes because they appear small or peripheral is exactly the miscalculation attackers rely on. For more on kernel-level threat detection techniques that complement edge defense strategies, check out the episode eBPF: Giving Linux Detection Engineers Kernel-Level Superpowers.

    SEC
    Cybersoftware.ai

    続きを読む 一部表示
    8 分
  • eBPF: Giving Linux Detection Engineers Kernel-Level Superpowers
    2026/07/13

    Linux endpoint visibility has long been a trade-off between signal fidelity and performance cost — but eBPF changes the math entirely. This episode of Cybersecurity explores how detection engineers can harness kernel-level instrumentation to build sensors that are precise, lightweight, and operationally sustainable. Drawing from this practical deep-dive on eBPF for Linux detection engineering, the episode walks through everything from kernel hook fundamentals to production rollout discipline.

    Here's what the episode covers:

    • eBPF fundamentals: How safely sandboxed bytecode runs inside the Linux kernel — attached to kprobes, uprobes, tracepoints, and network hooks — without kernel modules, reboots, or upstream patches.
    • Hook selection strategy: Why the choice of hook type (process syscalls, uprobes for userland, XDP and socket hooks for network traffic) shapes everything downstream, and how to balance fidelity against resource cost across each domain.
    • Kernel-to-userspace data pipeline: How eBPF maps — hash maps, LRU maps, per-CPU ring buffers — serve as the bridge between kernel-captured events and a lightweight user-space agent, and why keeping heavy lifting out of the kernel is critical.
    • CO-RE portability: How Compile Once, Run Everywhere (using BTF type information and libbpf) eliminates the painful matrix of per-distribution kernel builds and simplifies rollouts.
    • Performance as a feature: Practical techniques — bounded stack traces, per-CPU maps, selective sampling — that keep sensor CPU overhead well under one percent and prevent the security tool from becoming the performance incident.
    • Signal design and enrichment: Why targeted, high-signal instrumentation beats firehose telemetry, and how enriching raw events with container metadata, package ownership, and process lineage shortens the path from alert to understanding.

    The episode also addresses operational realities: using bpftool for staged validation, feature-flagging individual probes for fast rollback, growing instrumentation incrementally across process, file, and network domains, and — crucially — treating detection rules like software with versioning and clear intent documentation. A measured rollout strategy and tight analyst feedback loops are presented as the difference between a trusted sensor and a noisy one that breeds alert fatigue. For more on mapping and protecting sensitive data at scale, check out the episode DSPM in Practice: How to Map Sensitive Data at Scale.

    SEC

    続きを読む 一部表示
    10 分
  • DSPM in Practice: How to Map Sensitive Data at Scale
    2026/07/12

    Most organizations have a rough idea of where their sensitive data lives — and that rough idea is exactly the problem. This episode of Cybersecurity tackles Data Security Posture Management (DSPM) as a hands-on practice, drawing on this in-depth guide to mapping sensitive data at scale to walk through what it actually takes to find your data, understand how it moves, and keep that knowledge current as your environment evolves.

    The episode covers the full DSPM lifecycle — from first inventory to ongoing operational discipline — including:

    • Building a living inventory: Why breadth and depth both matter when enumerating cloud storage, databases, SaaS file systems, and code repositories — and why a stale inventory can be more dangerous than none at all.
    • Classification beyond pattern matching: How to layer business context on top of regex-based detectors to cut false positives, and why classifiers should be versioned and tested like production software.
    • Lineage mapping: Using orchestrator metadata, query history, and copy events to build a lightweight graph that turns disconnected alerts into a coherent cause-and-effect story.
    • Access stitching: Normalizing cloud IAM, database grants, and application roles into a human-readable view — and the case for writing residency, retention, and masking rules as executable, testable code.
    • Risk-proportionate controls: How to choose between encryption, masking, tokenization, and pseudonymization based on risk level and business context, and why removing a single public sharing link can be the highest-leverage move available.
    • Operational discipline and ownership: Routing findings to named owners with due dates and runbooks, measuring time-to-remediate, and building a culture where data stewardship is a first-class responsibility — not an afterthought.

    The episode closes with a practical starting point: pick one bounded environment, deliver one visible early win, and use that momentum to expand coverage steadily. DSPM isn't a one-time deployment — it's a program, and the quiet consistency of maintaining an accurate map is what keeps the worst surprises off the breach-notification list. For more on related data security challenges, check out the episode on DLP for Code Repositories: Git, IP Leakage, and Secrets Management.

    SEC

    続きを読む 一部表示
    9 分
  • DLP for Code Repositories: Git, IP Leakage, and Secrets Management
    2026/07/11

    Source code is arguably a technology company's most valuable digital asset, yet it's routinely the least-defended. This episode of Cybersecurity explores why Git repositories have become a prime target for data loss — and what engineering and security teams need to do, together, to close the gap. The discussion is grounded in the full DLP for code repositories deep-dive published by SEC, and covers everything from the mechanics of accidental credential exposure to the cultural conditions that either accelerate or contain an incident.

    Here's what the episode covers:

    • Why Git is uniquely risky: Its design — persistent history, distributed cloning, frictionless branching — means data that lands in a repository has a strong tendency to stay there, even after an apparent deletion.
    • How leakage really happens: Most incidents aren't malicious. They stem from everyday friction: late-night personal forks, debug commits with hardcoded API keys, contractors cloning more than they need, and secrets screenshotted into chat tools.
    • Pre-commit and pre-receive hooks: Scanning staged changes on the developer's workstation before a commit is created is the cheapest possible intervention point — and server-side hooks provide a policy-controlled backstop for anything that slips through.
    • Automated secrets scanning across history: Modern platforms can fingerprint thousands of credential formats across live branches and years-old commits. When a match is found, the response sequence — revoke, rotate, audit — needs to be rehearsed, not improvised.
    • Vault-based secrets architecture: Storing no secrets in source control at all, even encrypted, is the gold standard. Short-lived, scoped credentials issued at runtime by a dedicated secrets manager shrink the blast radius of any exposure dramatically.
    • Metrics and culture: Mean time to detect and remediate, repository scanning coverage, and the ratio of static secrets to dynamic vault references are the leading indicators that a program is maturing — alongside developer sentiment, which signals whether security is becoming an enabler or just another tax.

    The episode closes with a practical incident runbook — covering immediate revocation, surgical history rewriting with git filter-repo, stakeholder communication, and blame-free post-mortems — and makes the case that quarterly drills are what turn a written playbook into real muscle memory. DLP for code repositories is not a pure technology problem; the mechanical controls and the human culture have to be built in parallel, or neither works.

    For more from the show, check out Who Should Market Your Cybersecurity Company in 2026?

    SEC

    続きを読む 一部表示
    9 分
  • Who Should Market Your Cybersecurity Company in 2026?
    2026/07/10

    Picking the wrong marketing agency costs more than money in cybersecurity — it costs pipeline. This episode of Cybersecurity digs into why the industry's unique buyer psychology demands specialist marketing partners, profiles ten agencies earning spots on 2026 shortlists, and offers a clear framework for vetting whoever you hire. The full analysis behind this episode is drawn from SEC's cybersecurity marketing agency guide.

    Here's what the episode covers:

    • Why generalist agencies fail: Cybersecurity buyers — CISOs, VPs of IT, and technical practitioners — are professionally trained skeptics who will notice inaccurate content and tune out anything that can't demonstrate measurable ROI.
    • The trust problem at the center of every deal: Features and integrations matter, but cybersecurity purchasing decisions are ultimately about trusting a vendor with critical infrastructure — and marketing must reflect that reality.
    • What a qualified agency looks like: Full-funnel capability (SEO, paid acquisition, CRO, content, and reporting), genuine sector familiarity, and the ability to tie every activity back to pipeline — not vanity metrics like impressions or follower counts.
    • Ten agencies on 2026 shortlists: The episode profiles Digital.Marketing, Beacon Digital Marketing, CyberWhyze, Walker Sands, Ironpaper, SmartAcre, SevenAtoms, CyberTheory, Opollo, and Alloy — each matched to specific company stages and use cases.
    • Five vetting questions to ask before signing: How marketing maps to revenue, what reporting looks like in practice, how technical accuracy is maintained, who owns conversion rate optimization, and what the first 90-day plan actually contains.
    • Realistic timelines: Paid media can generate meaningful CAC data in 30–90 days; high-intent SEO ranking takes 12–24 months; true category authority is a multi-year effort — and any agency promising shortcuts deserves hard scrutiny.

    Whether you're Series A and still shaping your market position or an established brand looking to scale demand generation, the episode delivers a practical lens for making a high-stakes hiring decision with more confidence. For more from the show, check out the episode How Attackers Hide C2 Traffic — And How to Catch Them.

    SEC

    続きを読む 一部表示
    8 分
  • How Attackers Hide C2 Traffic — And How to Catch Them
    2026/07/09

    Command-and-control communication is what keeps an attacker operational after the initial breach — and it's increasingly invisible to traditional defenses. This episode of Cybersecurity examines how modern threat actors disguise their C2 traffic to survive inside enterprise networks, drawing on this in-depth breakdown of C2 obfuscation tactics and defenses. Understanding these techniques isn't just academic — it's the difference between catching an intrusion in hours and discovering it months later during a breach notification.

    The episode walks through six obfuscation methods threat actors use today, paired with concrete countermeasures defenders can act on:

    • Domain fronting — routing malicious traffic through trusted CDN infrastructure so firewalls see a benign domain; countered with granular allow-lists, TLS inspection, and JA3 fingerprinting rather than blanket CDN exemptions.
    • Protocol masquerading — wrapping C2 commands inside convincing HTTP sessions or mimicking real browser TLS negotiations; defeated by behavioral baselines that flag robotic beaconing regularity and static User-Agent strings.
    • Encryption stacking — layering DNS-over-HTTPS, gRPC, and custom certificates to make traffic opaque to network sensors; addressed by forcing clients onto inspectable internal DNS and upgrading sensors to parse HTTP/2 traffic.
    • Fast-flux and DGAs — constantly rotating IPs and auto-generating throwaway domains faster than blacklists can keep up; caught by monitoring for burst NXDOMAIN patterns and enriching DNS logs with passive-DNS feeds.
    • Living off trusted SaaS platforms — abusing Slack, Google Sheets, or Teams to relay encrypted commands over ports 443 and 80; mitigated through CASB tools that detect abnormal API behavior and tightly scoped OAuth permissions.
    • Low-and-slow beaconing — phoning home every several hours to stay below EDR detection thresholds; exposed only through long-term flow-log retention (at least 30 days) and statistical models tuned to regularity rather than volume.

    The episode closes with a framework for layering these defenses together — because sophisticated intrusions combine multiple techniques simultaneously. Key recommendations include establishing traffic baselines before deploying ML analytics, correlating EDR process data with network detection alerts for higher-confidence triggers, and building SOAR playbooks with human review loops. The core insight: C2 traffic is the attacker's greatest operational liability, and every transmission creates a detectable signal — if defenders are patient and precise enough to find it.

    For more on threats lurking in your environment before C2 even becomes a concern, check out the episode Initial Access Vectors You're Probably Ignoring Right Now. A prepared blue team starts at the front door.

    SEC

    続きを読む 一部表示
    9 分