In this episode of Threat Vector, host David Moulton, Director of Thought Leadership at Palo Alto Networks, welcomes Ryan Chapman, a seasoned threat hunter and digital forensics expert. With over 20 years of experience, Ryan has led incident response teams and authored courses on ransomware, making him a leading voice in the field. The discussion covers the evolving landscape of cybersecurity, with a deep dive into modern threats like Lumma Stealer and the CUPS vulnerability. Ryan shares actionable insights on how organizations can enhance their defenses by prioritizing threat hunting and staying on top of the latest tactics and vulnerabilities. Tune in to learn strategies to bolster your security posture in an ever-changing threat landscape.
Eager to hear more about threat hunting from Palo Alto Networks experts? Listen to The Role of Threat-Hunting in Cybersecurity, Inside the Mind of State-Sponsored Cyberattackers and Decoding Cyber Adversaries: Unveiling Intent and Strategy.
Protect yourself from the evolving threat landscape - more episodes of Threat Vector are a click away.
Transcript
[ Music ]
Ryan Chapman: Threat hunting is not a skill that is unobtainable until you reach a particular level, but rather is something you can start from the get-go. You take the alerts, you take the incidents generated within your environment, and you expand upon them, and you dig, and you pull those threads. And the more that you can do that -- and the better that you can do that, the better you are at threat hunting.
David Moulton: Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership. Today, I'm thrilled to speak with Ryan Chapman, an experienced threat hunter, malware analyst, and digital forensics expert. Ryan has over 20 years' experience in the IT realm, with extensive hands-on experience in digital forensics and incident response, or DFIR. He currently leads our managed threat-hunting team at Palo Alto Networks and is also a SANS author and instructor, specializing in ransomware defense. His passion for sharing knowledge and engaging with the community is evident through his work at conferences like CactusCon and his educational contributions through SANS and Pluralsight. Today, we're diving into the world of threat hunting, how professionals like Ryan stay on top of trends, and we'll delve into some of the recent threats, including Lumma Stealer and the CUPS vulnerability. Threat hunting is more critical than ever with the rapid evolution in cyber threats. Ryan's insights will provide a deeper understanding of how organizations can enhance their defensive strategies. Here's our conversation. [ Music ] Ryan, it's great to have you here. Before we dive into the nitty-gritty on threat hunting, could you tell us a little bit about what drives your passion for this field? I had noticed on LinkedIn that you've been deeply involved in the community through engagements and education, CactusCon, SANS, and some other platforms. Maybe talk to me about how those experiences have shaped your approach to threat hunting and incident response.
Ryan Chapman: I've learned most of what I know from others. We stand on the shoulders of giants, truly. And if you go to a security conference and you're in a talk, if you go to a SANS course and you have a four, five, six-day engagement, whatever it is, the key takeaways are that you identify and you notate what you don't understand, and you take that forward, and you build on that. My first engagement with a security conference happened to be CactusCon, which I ended up leading later in life for three years, no longer anymore, but I went to a workshop where we learned about creating IRC chatbots via Python. The Python code that we learned was mostly understandable to me at the time, but there were a number of things I didn't quite get, so I took notes on those things and I drove them to the point where I truly understood them and I knew why we were writing those particular lines of code. And it's the same thing with threat hunting. If you see a particular command within the list of 20 commands that you don't understand and you say, "These 19 commands mean the following," the key thing is to take that one thing you don't quite understand and just push further to truly understand it. And I think that's the key to threat hunting, is understanding what command lines mean, what threat actors are trying to do when they run various commands, why they're doing it. It's the who, what, where, why, and how behind what they've done and truly understanding that that makes you a strong threat hunter.
David Moulton: Ryan, given the pace at which the threat landscape evolves, how do your teams stay abreast of the latest threat trends, tactics, and techniques, and maybe what are some of the resources and strategies that you rely on?
Ryan Chapman: So we have the totality of the Unit 42 umbrella at our backs. We have threat intelligence, threat research. We have malware. We have the Unit 42 incident response team, which is just absolutely phenomenal. And those teams provide intelligence in our threat intelligence platform. We can utilize that. And I always find it funny when people ask me the same question because I say, "Oh, social media." And they're like, "Really? Social media?" I'm like, "Yeah, really." Because some of the craziest exploits and vulnerabilities come out via those platforms. So not only do we have the internal methodologies and resources that are provided at our disposal, but we have OSINT, and then we also have the closed source threat intelligence feeds, which I can't mention specifically what they are, but we have them at our disposal also. So utilizing all the above, we're able to stay abreast of the changes within this ever-evolving creature that is what we call security.
David Moulton: Ryan, one of the things that one of your colleagues talked to me about was how if you really need to know what's going on or who's doing something, just hop into Discord and look around. Is that something that you also find is an effective place to find intel?
Ryan Chapman: Oh, yes. One of my "OSINT resources," or I should say a multitude of my OSINT resources is a multitude of Slack servers and Discord servers. So you have for -- a great place to start with this for folks who are uninitiated, maybe unaware, is your security conferences. So whether it be something large like DEF CON or something smaller like CactusCon from Arizona in the United States, but just joining those particular Discord and Slack servers, it's like a built-in RSS feed. You know, they often will have particular channels for threat intel or exploits or hardware hacking or software hacking or whatever it is, and you can learn a ton through those resources.
David Moulton: When it comes to actual threat hunting, I'm curious how you prioritize what to focus on given you're talking about a vast number of threats and all these different sources. It seems like it could be easy to get distracted.
Ryan Chapman: Oh, it can be very easy to get distracted. You might have a particular, you know, CVSS score of 10.0 or 9 point something, where you think to yourself, "Oh, goodness, this is going to be really, really bad." But the way that we try to prioritize these things is based on the actuality of them occurring, you know. So if you have a particular remote code exploitation vulnerability that requires a number of ports to be open on the firewall, it requires certain accounts to be enabled that may be -- not enabled by default. It requires certain services to be running that are not enabled by default. We will deprioritize those. And when it comes to software vulnerabilities, we look at, well, how many are installed around the world? What does our, you know, Palo Alto Networks Expanse data look like? What does Shodan data look like? What does Censys data look like? And the ones that just show more, or I should say, like a wider kind of, you know, vulnerability base, those are the ones that we kind of focus on a little bit more.
David Moulton: Ryan, Lumma Stealer has been making a lot of headlines recently. Can you start us off with just what is Lumma Stealer?
Ryan Chapman: So back in the early 2010s-ish, we dealt with banking trojans, and they were malware specimens that would literally just steal banking credentials. And they would just steal those credentials and then move on with life. Now the infostealer universe these days, they literally steal any and all credentials. Things you might have stored in your browser, that you might have -- cryptocurrencies on your device. And Lumma Stealer has become very, very popular because it is a stealer as a service. So the developers who create the actual stealer are providing these methodologies by which the threat actors who lease or basically purchase a stealer can, you know, get them to drop on devices around the world. And they're using social engineering in order to make that successful.
David Moulton: And, Ryan, when you're saying I could lease it or a person could lease it, you're saying that if I was so inclined and knew where to go, I could go out there and swipe a credit card or something like that, and I would be the new proud owner of Lumma Stealer version whatever, and could go about using that to drive my criminal enterprise.
Ryan Chapman: That's the thing. You don't have to know how to develop it. All you have to do is just pony up. For example, the initial foray into the stealer is $250. And it goes up to 500, and then it maxes out at 1,000, which to some people you think, "Oh, $1,000 American currency, that's a lot of money." That is nothing compared to what they can actually recoup from utilizing that stealer, stealing people's credentials, getting access to their accounts, and then utilizing those for a variety of purposes.
David Moulton: Ryan, the CUPS vulnerability has been another recent concern in the cybersecurity space. And if you could walk our audience through what makes this vulnerability such a critical thing to pay attention to, maybe for particular organizations? And then why are threat actors targeting this for exploitation?
Ryan Chapman: Yes, so first and foremost, CUPS affects Linux and macOS machines specifically. Windows does not deal with CUPS. CUPS is related to the LPD, the Line Printer Daemon protocol, and it's utilized for identifying, "Hey, a new printer has been added to your network." cups-browsed will automatically identify it and say, "Oh, look, there's a new printer. You can print to it if you would like to do so." And the vulnerability allows RCE, or what we call remote code execution, because it installs a printer daemon profile, or PD, that allows for arbitrary code execution. Meaning that a threat actor, if the particular port and particular protocol are enabled, ingress on the firewall, then CUPS will say, "Oh, look, this is -- this is actually a printer profile. Let's go ahead and load that." But in reality, it's not a printer profile. It is remote code that an attacker wants to execute. And that's why we need to be very, very careful about our general cyber hygiene as related to the service and the ports that are open on the firewall. [ Music ]
David Moulton: Let's shift gears a little bit. In your opinion, what qualities and skills do you believe are essential for your job as a threat hunter? Especially in today's cyber environment, which seems like it is constantly changing, zigging, and zagging.
Ryan Chapman: So I'd love that question. I've become a new lead on the Unit 42 managed threat hunting team, and we're hiring two roles right now, both of which will report to me. So I'm doing the recruiting. I'm doing the level one interviews, or round one, as we call them, etc. The major thing that we look for is critical thinking. We show a number of technical, like, very, very low-level technical screenshots of, hey, this happened, that happened, these commands were run, these things occurred after the fact. And I'm not necessarily looking for -- and this is what I believe that a threat hunting team truly needs -- a full knowledge of every single thing you're looking at, but rather how your brain processes in terms of critical thinking. And I think that critical thinking and thinking outside the box are some of the most important things when it comes to threat hunting, because you might have some command that you've seen at the umpteenth time, and you determine, "Okay. That reminds me of what I've seen when this particular attack has been executed." And even if it's not that same type of attack, just having someone who's able to relate that to their previous experience, who's able to identify the parameters on the command line, who's able to identify that this is something I've seen before, that is some of the most important things that we look for in a potential candidate.
David Moulton: How do you evaluate a new threat-hunting tool? And do you have, like, a criteria that you use when the tool should be integrated into your team's workflow?
Ryan Chapman: As far as the tools are concerned, what we really look for is if the tool provides us the telemetry that we need. And the number one problem that I see worldwide with teams, small scale and large scale, is that they don't have the visibility that you might actually require in order to find an answer or to derive an answer for that matter. So any type of tool that will provide telemetry that you can utilize, whether that be network-based or endpoint-based. So the real thing that we look for are the tools that go above and beyond a process ran, a file was written, but rather when the process ran, here were the parameters, here's the order in which they ran. When you take all those things and you put them together at scale, that's something that can be very beneficial to our general purpose of hunting for things that people, processes, and/or systems otherwise might not identify.
David Moulton: Ryan, you've got a background in incident response, and I'm hoping that you'll tell me about the influence of that background and how it informs the work you do as a threat hunter. And, you know, do you see that as one of those things? I know you were saying that anyone can threat hunt. I expect that that may be true, but some people may threat hunt better than others. How does your background as an incident responder inform your work as a threat hunter?
Ryan Chapman: I think the real key to having a background in incident response is you see the real deal that happens in so many different types of cases. You know, I'm an author of a course on ransomware, and when I submitted my course, it wasn't submitted from the perspective of, I've heard of ransomware, I've researched it online. It was more so, I have worked 40, 50, 100, 200, whatever the heck the number is, cases on ransomware. And this is what we saw over and over and over and over. And when people want to get into threat hunting, one of the things that I often mention is that incident response and as a background running incidents and/or being involved in incidents is one of the best things you could possibly have in your toolbox. And it's because when an incident occurs, it's not the hypothetical; it's the reality of what's truly happening. And that type of analysis just prepares you for the real world. And when you start to hunt on those things, it provides just a stronger insight into what you're really looking for.
David Moulton: Looking ahead to the future a little bit, how do you think that threat hunting is going to evolve, especially in the next few years, especially with this rise in AI you might have seen and automation and cybersecurity? [ Laughter ]
Ryan Chapman: I love how you said "you might have seen." You might have noticed that AI is --
David Moulton: You might have noticed.
Ryan Chapman: -- you might have noticed. Yeah. First and foremost, AI absolutely enthralls me, but also scares me beyond belief. So even just taking something as simple as ChatGPT, you know, one of the more commonly discussed in the media and whatnot, LLMs, large language models. You have this -- I'm going to look for bad stuff. And one of the things -- I'll draw a direct correlation. One of the things that we do in threat hunting is called stacking. Stacking is looking for a particular thing in the Windows world that can be services that are installed, programs that are executed, files that are written to disk, whatever. And you look for the least frequency of occurrence, or LFO, as we like to call it, right? I can go into a system and I can tell it, "Hey, tell me the number of processes that ran from this particular directory and that had these particular parameters, but yet were the least frequent." And I can write that query, and I can run that query and get my response back and then try to identify the outliers. But artificial intelligence can do that at a scale and with accuracy, and with speed that humans just can't. So the idea of utilizing artificial intelligence to say, you know, something as simple as, like, putting in a query, "Hey, what are the least common services that ran in this particular client tenant over the past 90 days?" And boom, you have a response. And that type of telemetry and that type and speed of data analysis is just amazing. It's scary because of how amazing it is, but I truly believe that the future of threat hunting is a melding of the human mind and what threat intelligence can provide you statistically, you know, at a quick glance.
David Moulton: You know, it's an interesting parallel to draw, and maybe it's the right one, maybe it's not. But I look at the lifelong relationship or the centuries-old relationship between us humans and our favorite companions, dogs. And that's a relationship that allows the strength of the two, right? The strategy, maybe the sight of the human and the speed and the smell, maybe the ability to hunt the dog to come together. And, right, like, that relationship is really, really healthy. And I wonder if this is, you know, not a perfect model or a perfect analogy, but is there a moment where AI and human -- the artificial and the actual intelligence -- come together to create something that is that symbiotic relationship? But I like the idea that we're very adaptable as a human and, you know, we've invented a very powerful thing, this AI. AI is not coming for your job, but AI is coming to be a part of your work. And I think that that's, you know, that's what I'm hearing, is that threat hunting could be massively enhanced by having a powerful sidekick. You know, they can go at speed, go at scale, find things very quickly, but it still needs an input from the human to say, "Go look for this."
Ryan Chapman: I love that. I mean, the way you broke that down. Right now, we have LLMs within Palo Alto that we're able to utilize that will actualize exactly what you were talking about. And we can provide ideas and concepts, and the LLM just augments our hunting capabilities. I think that what most people fear is that eventually, you know, the AIs will take over. Oh, Ryan? Oh, who needs Ryan? But I truly believe that over the next 10, 20 years especially, that we will have this amazing engagement between those models, what we're looking for, what we're trying to look for, and refinement of -- and tuning of our threat hunting. I don't know what's after that. Don't quote me on after 20 years. But I think that so far, it's a good thing. And I'm very happy to have those available in the Palo Alto universe. [ Music ]
David Moulton: Ryan, thanks for the great conversation today. I appreciate you sharing your insights on threat hunting and diving into some of the insights that you have being on the Unit 42 team.
Ryan Chapman: I definitely appreciate it. Being on a team as structured and as strong as this, it is just something that I really, really enjoy doing. And the more that we can get other folks to, you know, kind of jump into the foray, the better.
David Moulton: That's it for today. If you've liked what you've heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or on Spotify. Those reviews and your feedback really do help us understand what you want to hear about. If you want to reach out to me directly about the show, my email is threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenny Miller, Joe Benco, and Virginia Tran. Elliot Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]