42 episodes • Length: 35 min • Monthly
Modern adversaries are relentless. Today’s threat actors target organizations around the world with sophisticated cyberattacks. Who are they? What are they after? And most importantly, how can you defend against them? Welcome to the Adversary Universe podcast, where CrowdStrike answers all of these questions — and more. Join our hosts, a pioneer in adversary intelligence and a specialist in cybersecurity technology, as they unmask the threat actors targeting your organization.
The podcast Adversary Universe Podcast is created by CrowdStrike.
It has been another busy year for defenders and adversaries alike. As we wrap up 2024, Adam and Cristian reflect on the nation-state and eCrime threat activity that defined this year and what they expect as we head into 2025.
Tune in to hear their observations on changing eCrime activity in Latin America, Chinese adversaries evolving their tactics and targeting telecommunications entities, the disruption of eCrime operations in the United States and more. And of course, you’ll hear the stories and context behind how these events unfolded and how we got to where we are today.
Thank you to our listeners for all your support this year. We appreciate you sharing feedback and topics you’d like to hear on the show. As we plan for 2025, we anticipate another year of in-depth conversations, adversary insight and guest perspectives on the Adversary Universe podcast. Happy holidays!
Adversaries have realized their time-honored attack methods involving clunky malware and malicious attachments are no longer working, largely due to endpoint detection and response tools alerting security teams to their activity. To improve their success rate, many are turning to cross-domain attacks.
Cross-domain attacks span multiple domains within an organization’s environment; namely, identity, endpoint and cloud. An adversary most often starts with a set of stolen credentials, which allows them to log in and operate under the guise of a legitimate employee. From there, they might target the cloud control plane to access more accounts or pivot to unmanaged devices. All the while, they move silently, achieving their goals without triggering alarms.
“The adversaries have really figured out how to operate from the shadows more effectively,” Adam says.
In this episode, he and Cristian discuss how cross-domain attacks unfold in a target environment; which adversaries are adopting this tradecraft; and how organizations can better detect, identify and mitigate these threats before it’s too late.
Watch our Cyber Threat Summit (focused on the rise of cross-domain attacks) on-demand: https://www.crowdstrike.com/resources/crowdcasts/cyber-threat-summit/
On Nov. 19, 2024, Adam testified in front of the U.S. Senate Judiciary Subcommittee on Privacy, Technology, and the Law on Chinese cyber threats to critical infrastructure. This was the first time he publicly spoke about LIMINAL PANDA, a China-nexus state-sponsored threat actor that has been targeting telecommunications organizations since at least 2020.
LIMINAL PANDA is a newly named adversary, but CrowdStrike has been tracking its activity for over three years. It uses custom tools and demonstrates extensive knowledge of telco networks, including the connections between providers. And it's not alone: There are multiple adversaries targeting telcos, with good reason — the access they grant, and the data they possess, are a gold mine for threat actors.
But LIMINAL PANDA’s activity does more than showcase why critical infrastructure is a valuable target. It also represents how Chinese cyber activity has evolved since the mid-2000s, when it mostly involved “smash and grab” operations. Now, China has refined its espionage operations to conduct subtle and advanced attacks targeting critical infrastructure entities around the world.
In this episode, Adam and Cristian dig deep into the discovery of LIMINAL PANDA, the maturation of Chinese cyber operations and the scary consequences of telco-focused cyberattacks. Adam shares more about his congressional testimony and the value of keeping government officials informed on adversary activity. Come for Adam and Cristian’s Thanksgiving recipes, and stay for a deep-dive on this evolving nation-state threat, in this episode of the Adversary Universe podcast.
Read Adam's testimony here: https://www.judiciary.senate.gov/committee-activity/hearings/big-hacks-and-big-tech-chinas-cybersecurity-threat
If a business wants to know what an adversary might be capable of, they can seek the help of a red team. These cybersecurity professionals are tasked with emulating adversary activity to achieve specific objectives in their clients’ environments. Their goal is to find an organization’s weaknesses — before a real adversary does — so it can strengthen its security posture. But what does a red team actually do, and who are the people on these teams?
In this episode, Cristian is joined by CrowdStrike Director of Professional Services Vincent Uguccioni and Professional Services Principal Consultant Brent Harrell to dive into all things red teaming. Both seasoned experts with fascinating backgrounds, Vincent and Brent define what red teaming is (and what it isn’t), explain how it has evolved, debunk common misconceptions about what red teamers do and explain the value of the many different skills the members of a red team have.
The goal of the red team is to help, not hurt. Red teamers may need to think like an adversary when they’re navigating a client environment, but their broader strategy involves collaborating with the client and blue team to guide remediation and improve the client's security. Vincent and Brent also walk us through the process of a red team engagement, from initial client discussions to final reporting, and share how they adjust their approaches as adversary techniques evolve. And if you’re interested in becoming a red teamer, they share some guidance for that as well.
On a related note, we recently introduced CrowdStrike AI Red Team Services. Read our blog for more details: https://www.crowdstrike.com/en-us/blog/crowdstrike-launches-ai-red-team-services/
China and Taiwan have a long history of geopolitical tension that has evolved from land and sea to cyberspace. Relations between the two recently took an interesting turn when the Chinese Ministry of State Security (MSS) claimed hacktivist entity Anonymous 64 targeted China and its territories with attempted disinformation and public communication disruption. The Chinese government further alleged the activity was directed by the Taiwanese government, whose officials are investigating the activity and have said the claims are false.
These allegations mark an interesting shift in the relations between China and Taiwan. In this episode, Adam and Cristian start with a 50,000-foot view of their nuanced, tense history. They define and discuss the organizations involved in these events and the details of their claims, and they share what we know about Anonymous 64. Why is this news significant? What are the geopolitical implications? And where have we seen similar activity in other regions?
It is important to note that CrowdStrike has not independently verified the Chinese government’s accusations. Tune in to hear more about a story that blends politics, military strategy and digital warfare.
On Oct. 1, 2024, an international law enforcement coalition announced the disruption of a senior member of INDRIK SPIDER, who was also an affiliate of the BITWISE SPIDER ransomware-as-a-service operation. CrowdStrike often works with law enforcement to identify, track and stop cyber threats, and we played a key role in this operation.
In this episode, Adam and Cristian are joined by a member of CrowdStrike’s intelligence collection team to dive into the takedown, the years of cybercrime evolution that led to it and how CrowdStrike collects the intel that informs organizations and aids law enforcement activity. Their conversation takes us back to the early days of INDRIK SPIDER and traces the emergence and transformation of enterprise malware as it relates to this prolific threat actor. The story underscores how adversaries operate like businesses — and why they’re so hard to bring down.
Tune in to learn the background and significance of INDRIK SPIDER and its takedown, its connections to Russian intelligence, the techniques used to investigate and attribute adversaries, what this means for the future of law enforcement against cybercrime and where cheese-covered sushi fits into the picture.
The kernel is the brain of the operating system. It controls everything that happens on a computer and has full access to the hardware and all system resources. Though it has a small code base, the kernel plays a critical role in how systems and applications operate, interact and stay secure.
Due to the current architecture and design of Windows systems, cybersecurity products running on the platform — particularly those involved in endpoint protection — require kernel access to provide the highest levels of visibility, enforcement and tamper-resistance while meeting the strict performance requirements that large enterprise clients demand. Kernel access translates to stronger protection, better performance and adaptability to emerging threats.
In this episode, Adam and Cristian are joined by cybersecurity expert Alex Ionescu to unpack what the kernel is and its critical role in cybersecurity defense. They explain threats to kernel security, why kernel access is critical for cybersecurity products and the testing that security products must undergo to gain kernel access. Looking ahead, they also discuss what we can expect for the future of collaboration among Microsoft, security researchers and larger security organizations.
Next week marks the start of Fal.Con 2024. CrowdStrike’s annual conference brings together cybersecurity leaders and practitioners, as well as our customers and partners, in Las Vegas for four days of keynotes, breakout sessions, workshops and demos.
Adam and Cristian will both be speaking at this year’s show. In this episode, they share the talks they’re most excited about and how they tie into the broader threat landscape. Some sessions will dive into insights from the CrowdStrike Counter Adversary Operations team; some will explore how adversaries are using large language models (LLMs) and how to defend against adversarial use of AI technology. One will discuss generative AI and data security, in particular how genAI raises concerns around privacy, data fencing, and IP, as well as how data can be misused when training new AI models.
A key highlight of Fal.Con is the Adversary Underground, during which Adam and Cristian will bring guests onstage to showcase a machine learning-based research project they’ve been working on.
Register for the Fal.Con Digital Experience to stream the keynotes live during the show and view select sessions on-demand after the event.
For students aspiring to work in cybersecurity, sitting in a classroom isn’t enough to gain the skills and experience they need to succeed. Industry internships are invaluable opportunities to learn how security pros operate in the real world and understand the responsibilities each role requires.
CrowdStrike’s University Program welcomes interns across virtually every field to gain this real-world experience. This summer, David Feldman and Chandler McClellan interned for the CrowdStrike threat intelligence and Falcon Adversary OverWatch teams, respectively. Like many cybersecurity pros, both David and Chandler found their way into the industry after first exploring different fields. In this episode, they join Adam to share the details of how they got into cybersecurity, how they discovered CrowdStrike’s internship program and the projects they’ve been tackling as part of the CrowdStrike team.
“You just get to dive in,” says Chandler in this episode. “You feel like you’re doing meaningful work, and you are ... What we’re doing here matters.”
Tune in to learn how CrowdStrike’s interns are aiding in the fight against adversaries, what they consider the coolest parts of their summer roles and more in this episode of the Adversary Universe podcast.
FAMOUS CHOLLIMA, a new adversary CrowdStrike is tracking, has recently made headlines for its insider threat activity. In April 2024, CrowdStrike Services responded to the first of several incidents in which FAMOUS CHOLLIMA threat actors targeted 30+ US-based companies. The insiders claimed to be US residents and were hired for remote IT positions, which granted them access they exploited to attempt data exfiltration, install malware and conduct other malicious activity. CrowdStrike has now informed more than 100 companies they have hired these threat actors as employees.
In this episode, Adam and Cristian dig into the details of who FAMOUS CHOLLIMA is, how this attack was uncovered and why malicious insider threats are on the rise. They also examine the key findings of the CrowdStrike 2024 Threat Hunting Report, including the growth of cross-domain activity, adversary adoption of remote monitoring and management tools, and the concerning pattern of identity-focused attacks.
Download the CrowdStrike 2024 Threat Hunting Report today: https://www.crowdstrike.com/resources/reports/threat-hunting-report/
Where in the world are Adam and Cristian? In this episode, they’re coming to you live from São Paulo, Brazil, where they sat down with a special guest: Fernando Madureira. Fernando is the Global CISO of Cosan, a Brazilian conglomerate of several businesses spanning energy, transportation and logistics, and other sectors that operates around the world.
Given Cosan’s size and the nature of its business, Fernando has a broad range of threats top of mind. Operational technology (OT) security is a key concern because adversaries seek access to OT devices and traffic, and it requires a different mindset and technology than a modern IT environment. Social engineering is another, as adversaries attempt to disguise themselves as employees to manipulate customers and partners.
Tune in to hear a conversation that explores OT security, modern phishing scams and how the Global CISO of a major company is taking steps to protect it.
What happens when there is a takedown of a major cybercriminal group or law enforcement activity has a major impact on its leadership?
In this episode, Adam and Cristian unpack what happens in the aftermath of a takedown, including how some groups splinter, reemerge and even rebrand.
How do adversaries react when they know they’re being tracked? How do they respond to organizations that are on to them — and how do they know what the defenders know?
In this episode, Adam and Cristian explore how adversary behavior shifts as their activity is discovered and tracked. Today’s adversaries carefully research their victims. They read corporate blog posts and craft their techniques based on the information defenders share. As this intelligence becomes more detailed, organizations like CrowdStrike are forced to consider an important question: How much information can they share when they know adversaries are looking for it? Helping potential victims often comes at the cost of adversaries knowing we can see them and shifting their behavior accordingly.
How does their behavior change? As always, it depends on the group. Tune in for this fascinating conversation and real-world examples of adversaries responding to defenders’ actions.
What happens when two cyber superpowers — and the most populous countries in the world — target one another? Tensions between China and India have been rising in recent years, and it’s time we take a deep dive into the many factors at play.
In this episode, Adam and Cristian examine the dynamics between the two nations, the drivers of their evolving cyber activity and the key adversaries involved in this growing conflict. “The key thing to understand here is adversaries are not only focused on us … in the U.S. or in Europe … and they’re not only focused on a particular business vertical,” says Adam. “They target each other all the time.”
When did we start to see this adversary-vs.-adversary conflict? What do the attacks between China and India look like? And how have we seen other nations target one another around the world? Tune in for these answers and to learn what organizations operating in these countries need to know to stay secure.
Social engineering is not a new threat — adversaries have long used psychological manipulation to gain access, money, information and more. But as we learn in this episode from Shelly Giesbrecht, Director of Professional Services at CrowdStrike, it remains a top cybersecurity challenge for all organizations.
Today’s social engineers are more convincing than ever. Gone are the days of clunky phishing emails rife with spelling errors. Modern social engineering attacks arrive as convincing and well-crafted text messages, emails and voice calls. They prey on human emotion and instinct, creating situations where technology can’t always help.
“It really comes down to that human factor,” says Shelly. “We talk a lot about technology, and obviously CrowdStrike is a technology company, but we are fallible still at the human level — and that’s where social engineering is targeted.”
In a conversation that starts with impostor syndrome and quickly pivots to the impostors who are emailing employees and calling help desks, Adam, Cristian and Shelly explore the modern social engineering landscape. Shelly describes what her team is seeing on the front lines of incident response, how social engineering campaigns are evolving with the rise of AI, and guidance for organizations worried about this prolific technique.
The rise of hacktivism — the use of hacking techniques to make a statement supporting a political or social cause — is often associated with the Occupy Wall Street movement and the Anonymous hacktivist collective. But the practice of hacking as a form of civil disobedience goes back to the 1990s. It has taken many forms in the years since, driven by a wide range of hacktivists around the world.
In this episode, Adam and Cristian trace the history of hacktivism to its early days, dive into high-profile examples and explain the practice of “faketivism” often used among nation-states. They share why hacktivism is top of mind during a year in which 55 countries have held, or will hold, elections. And they disclose the meaning behind JACKAL, the name CrowdStrike broadly uses to track activists who operate online. Tune in for an engaging explanation of a complex and oft overlooked topic.
Organizations fear adversaries will attack. Threat hunters assume adversaries are already in the system — and their investigations seek unusual behavior that may indicate malicious activity is afoot.
Andrew Munchbach, CrowdStrike’s Global VP, Field Engineering, joins Adam and Cristian in this week’s episode to explore what threat hunting is, how it works, and what makes a good threat hunting program.
As CrowdStrike’s “Chief Reddit Officer”, Andrew also shares how he came to run CrowdStrike’s Reddit account and discusses the platform’s evolving role in communicating with the security community. Now with nearly 20,000 followers, CrowdStrike’s Reddit account is used to share information — from key data on active attacks to weekly threat hunting exercises — with CrowdStrike customers and the general public.
Today’s conversation explores a common question around adversary activity: Why does attribution matter? When a cyberattack hits, why go to the trouble of learning who is behind it? Each attempt at an intrusion can reveal a lot about an adversary — who they are, what they’re doing and what their motivations may be.
This information can not only inform your response to an attack but how you strengthen your security architecture against future attacks. In this episode, Adam and Cristian discuss the importance of knowing who the adversary is and what they’re after.
They go back to the early days of adversary attribution, explain how adversaries are tracked as their activity changes over time and examine the value of this intelligence in helping organizations succeed in the face of evolving cyber threats.
The tool Adam mentions at the end of this episode can be found at https://adversary.crowdstrike.com/
The National Security Agency’s Cybersecurity Collaboration Center (CCC) was created based on a growing need for the public and private sectors to work together and share insights to understand adversaries’ intentions, as well as the scope and scale of their activity. In this special episode of the Adversary Universe podcast, Adam and Cristian are joined by Morgan Adamski, Chief of the CCC and government security expert, onstage at CrowdStrike’s Gov Threat Summit in Washington, D.C.
“We both had different pieces of the puzzle,” said Adamski of the NSA and private sector organizations, which collect different types of data on adversaries and how they operate. In this conversation, she, Adam and Cristian discuss the CCC’s mission and its evolution, explain how it works with private sector partners, and go “around the world” to discuss their observations of modern nation-state adversary activity.
CrowdStrike Chief Security Officer Shawn Henry joined CrowdStrike as employee number 19 after a 24-year career at the FBI, where he retired as the Bureau’s Executive Assistant Director.
Today, he joins Adam and Cristian for a wide-ranging conversation exploring his early days at CrowdStrike and transition to the private sector, his perspective on the 2016 DNC breach and the risks modern elections face. Adversaries have numerous opportunities to sway voters’ opinions — and now they have the technology to wield greater influence through misinformation and disinformation campaigns.
“I think we've just scratched the surface with AI from a deepfake perspective,” Shawn says of how artificial intelligence may play a role in this activity. Tune in to hear his perspective, stories and guidance as we navigate this election year.
Download your copy of the CrowdStrike 2024 Global Threat Report today at crowdstrike.com/global-threat-report
CrowdStrike has long said, “You don’t have a malware problem — you have an adversary problem.” Much like we analyze the malware and tools used in cyberattacks, we must also learn about the people who orchestrate them.
Adam and Cristian are joined by Cameron Malin, a behavioral profiler who specializes in understanding adversaries and the “why” behind their activity. Cameron built the FBI’s Cyber Behavioral Analysis Unit, which works to understand the motivations for cybercrime across different types of offenses and has focused for years on exploring why adversaries do what they do. In this episode, he discusses how the discipline of cyber behavioral profiling emerged, how experts approach interviewing and analyzing adversaries, and the “dark triad” and “dark tetrad” of personality traits commonly observed in cyberattacks.
Though the inner workings of North Korea remain a mystery to much of the world, its global cyber activity has been tracked and analyzed for years. CrowdStrike’s Counter Adversary Operations team, which tracks five North Korean threat actors, has a unique perspective on the country’s evolution as a global cybersecurity threat and the many ways it has used cyber capabilities to achieve its goals.
In this episode, Adam and Cristian trace the history of North Korean cyber operations from its early days of destructive attacks to its focus on financial gain and espionage. Tune in for the answers to questions such as: How does North Korea discover its cyber talent? When did it pivot to cryptocurrency theft? And why does CrowdStrike track North Korean adversaries under the name CHOLLIMA? Come for the history, stay for Cristian’s singing skills in this conversation about the complex and changing world of North Korean cyber activity.
Check out some of the CHOLLIMAs we track here:
Cristian is joined by CrowdStrike Global CTO Elia Zaitsev to revisit the world of AI and large language models (LLMs), this time from the perspective of modern defenders.
While this space has seen explosive growth in the past year, most organizations are still working to determine how LLM technology fits into their cybersecurity strategies. In this episode, Cristian and Elia unpack the rapid evolution of AI models — a trend the two consider both exciting and frightening — and examine how LLMs are empowering defenders, their effect on automation in the enterprise and why humans will continue to be part of the picture even as AI-powered tools evolve.
Additional Resources:
In mid-December 2023, an adversary CrowdStrike tracks as VOODOO BEAR targeted Ukrainian telecom provider Kyivstar, wreaking havoc and disrupting thousands of systems and assets.
The Russia-linked adversary has for years treated Ukraine as its “lab of offensive cyber operations”, testing attack techniques and demonstrating the destructive behavior it has become known for since it emerged in late 2010.
In this episode, Adam and Cristian dive into the details of the recent Kyivstar attack and how it aligns with VOODOO BEAR’s history of disruptive cyberattacks, both in Ukraine and around the world. They also pull back the curtain on the broad, complex history of Russian intrusion operations, shedding light on adversaries operating within the country and what has motivated them over the years.
It has been a whirlwind year for the cybersecurity industry.
In this episode of the Adversary Universe podcast, we revisit clips from standout episodes of 2023. Tune in to catch pieces of our conversations on the evolution of cloud-focused cyberattacks, the rise of cyber activity from Iran and China, the process of discovering and mitigating vulnerabilities, the role of AI in the cyber threat landscape and more. For those who want to listen to the full episodes related to each of these clips, the episodes highlighted here are in the following order:
Organizations around the world must navigate a growing number of cyber incident reporting regulations mandated by government bodies.
In the U.S., these regulations come from agencies including the Securities and Exchange Commission (SEC), Federal Trade Commission (FTC), Cybersecurity and Infrastructure Security Agency (CISA) and others. This “alphabet soup” of regulations, as Cristian puts it, can be tough for businesses to understand and follow — especially as the threat landscape evolves and compliance requirements change.
In this episode, Cristian is joined by Drew Bagley, VP and Counsel for Privacy and Policy at CrowdStrike, to dig into the details of why these myriad regulations have emerged and shed some light on common questions: When does a breach need to be reported, and why is the timeline a hot debate topic? What is a “material breach”? How are adversaries using these regulations to their advantage? And most importantly, how should businesses respond to all of this? Tune in for these answers — and more.
Today’s adversaries are working smarter, not harder — and it’s clear in the way their tactics are evolving.
In this episode, Adam and Cristian explore the way adversaries are shifting their focus to data extortion. Instead of deploying noisy ransomware, more threat actors are quietly stealing data and threatening to publicly leak it if they’re not paid. Tune in to learn what’s driving this change, why data extortion is successful and what it means for organizations of all sizes and industries.
Get your copy of the CrowdStrike 2023 Overwatch Threat Hunting Report.
Read this blog to learn about why threat hunting and intelligence are essential to detect and disrupt today’s adversaries, ultimately raising their cost of doing business: https://www.crowdstrike.com/blog/crowdstrike-debuts-counter-adversary-operations-team/
At a time when breaches make headlines daily, the healthcare sector is among the most popular adversary targets.
Cyberattacks against healthcare organizations have spiked in recent years, disrupting patient care, jeopardizing safety and privacy, and obstructing compliance with industry regulations. In this episode, Cristian is joined by Dennis Egan, director of healthcare services for CrowdStrike, and Drex DeFord, executive healthcare strategist at CrowdStrike, to discuss the impact of cyber threats against healthcare, challenges we see in the space, the urgent need for healthcare providers to strengthen their security and the steps they should take to defend against modern attacks.
Discover the adversaries targeting healthcare:
AQUATIC PANDA: https://www.crowdstrike.com/adversaries/aquatic-panda/
LABYRINTH CHOLLIMA: https://www.crowdstrike.com/adversaries/labyrinth-chollima/
Learn more about the cybersecurity issues healthcare experiences: https://www.crowdstrike.com/blog/healthcare-experiences-cybersecurity-emergencies/
“Iran’s digital presence is something we don’t want to underestimate.”
Though its cyber activity has been making headlines during a dynamic past few weeks, Iran’s history as a major player in the threat landscape spans decades. In this episode, Adam and Cristian take you back to the days of Stuxnet and trace Iran’s evolution from nascent threat actor to prominent nation-state adversary. Tune in to learn how hacktivism has played a role in its history, why CrowdStrike uses “KITTEN” to categorize adversaries who operate on behalf of Iran, and how key political events and cyber threat activity have shaped its growth.
China is the source of some of the most prolific and aggressive nation-state cyber activity organizations face.
Every business vertical, across every geography, is affected by China’s unrelenting focus on growth and power. In this episode, Adam and Cristian take you through the evolution of Chinese threat activity from the early 2010s through today, closely examining the myriad ways they seek to build influence, the industries they target along the way and the threat actors linked to Chinese cyberattacks.
Additional resources:
A cyberattack is any security team’s worst nightmare — but the earlier a breach is detected, the faster you can respond and mitigate the damage.
In this episode, we’ll share the warning signs that could indicate a breach has occurred, the immediate next steps to take in the incident response process, and why having the right data is essential to a successful recovery.
Please note that all references to "Falcon" in this episode refer to the CrowdStrike Falcon® platform.
When an adversary seeks entry into an organization, they no longer need to develop their own vulnerability exploits or steal credentials.
Many turn to access brokers, the sellers of credentials, exploits and other tools threat actors can buy and use to gain initial access. In this episode, we discuss who access brokers are, how they gain and sell access, and their crucial role in the cybercrime ecosystem.
Adversaries are moving and innovating at a rapid pace — but so are we.
In this bonus episode, Adam and Cristian chat about the biggest announcements from Fal.Con, CrowdStrike’s annual conference, which took place last week in Las Vegas. Tune in to hear their take on new and developing technologies like Charlotte AI Investigator and Falcon Foundry, why they’re excited about the Bionic acquisition and some of the standout moments in an action-packed week.
Some brief disclaimers about products discussed in this episode:
Artificial intelligence. It’s the hot topic in cybersecurity today.
Everyone is curious about it, excited about its use cases and nervous about the problems it may cause in the wrong hands. Adam and Cristian get right into the questions you want answered: How are adversaries using AI today? How might they use it in the future? What should businesses really be worried about? Tune in to learn the truth behind these questions — and more — in this breakdown of adversaries’ use of AI.
School is back in session — and adversaries have already done their homework.
They know educational institutions often lack the resources and expertise to keep up with the wave of ransomware, data extortion and other attacks pummeling their systems. Cristian and Adam examine why schools are a common target, the threats they face and how they can best defend themselves. In this episode, we also hear from special guest Jason Rooks, CIO at Parkway School District, who shares his perspective on fighting modern threats and creating a culture of cybersecurity.
Learn More:
Security teams must consider five crucial security components when securing educational environments to gain the visibility, threat detection and response capabilities needed to stop adversaries. Download this eBook to learn about CrowdStrike’s expanded partnership with Google covering these components: 5 Easy Steps for School Cybersecurity.
Watch this on-demand CrowdCast to hear about the major ways that ransomware has evolved and understand how modern endpoint security solutions outsmart adversaries: Ransomware Isn’t Dead, It’s Growing Up: How to Evolve Your Defenses at Pace
Vulnerabilities are the unlocked doors allowing adversaries a foothold into your organization.
Left unpatched, they provide an entryway for intruders to break in, move laterally and wreak havoc. This episode shares everything you want to know about vulnerability intelligence: What types of vulnerabilities are most common? How should organizations prioritize patching? What is an n-day flaw? Learn the answers to these questions, and more, from Adam, Cristian, and special guest Nina Padavil, Solutions Engineer and Threat Advisor at CrowdStrike.
Learn more about External Attack Surface Management challenges and recommendations: https://www.crowdstrike.com/cybersecurity-101/external-attack-surface-management/
Read CrowdStrike's latest blog covering how External Attack Surface Management enhances Cloud security: https://www.crowdstrike.com/blog/enhance-cloud-security-with-easm/
“Scary and incredible.” “Terrifying.”
Adam and Cristian dig into new data from CrowdStrike’s recently formed Counter Adversary Operations Unit. A new report reveals adversaries are growing faster and smarter, with a focus on collecting identities and pilfering cloud environments.
In this episode, learn what’s behind the massive 583% year-over-year jump in Kerberoasting attacks and the 147% jump in access broker ads, as well as how to keep up with adversaries with breakout times down to 79 minutes.
Learn more:
Get your copy of the CrowdStrike 2023 Overwatch Threat Hunting Report: crowdstrike.com/threat-hunting-report
Multiple U.S. government agencies were recently breached after adversaries exploited vulnerabilities in Microsoft’s Azure Active Directory. With Microsoft vulnerabilities at the heart of some of the worst breaches in recent history, many in the cybersecurity industry are beginning to wonder: Do the dangers of the Microsoft monoculture outweigh the benefits?
In this special bonus episode, Adam and Cristian break down this breach and examine the history of breaches exploiting Microsoft technology on their path to answer a pivotal question: Has Microsoft's monoculture become a national security risk?
Learn more:
Your choice of security provider is critical to reducing cyber risk. Learn why customers trust CrowdStrike over Microsoft to protect their organization: https://www.crowdstrike.com/microsoft-risk/
Join an upcoming hands-on lab to experience why 8 out of 10 times, when an enterprise runs a proof of value test, they choose CrowdStrike: https://experiencethedifferencebetweencsandmsft.splashthat.com/
Most organizations rely on cloud services or infrastructure to power their day-to-day operations — and adversaries know it. In this episode, we’ll explore how threat actors use the cloud to their advantage: how they breach cloud environments, the actions they take once they’re in, and the ways they use the cloud as a tool in their attacks. We’ll also discuss how organizations often unknowingly put their cloud environments at risk and the steps they can take to strengthen their cloud security.
The cloud is the new attack surface. Get an overview of today’s cloud threat landscape and actionable steps to combat cloud adversaries in the on-demand replay of CrowdStrike’s Cloud Threat Summit. Watch now: https://www.crowdstrike.com/events/cloud-threat-summit/
Behind every cyberattack, there is an adversary. These adversaries target organizations large and small, across all industries, to steal money, information and more from their victims.
Understanding these adversaries can help you protect your business — and we’re here to help. In the first episode of the Adversary Universe Podcast, we introduce you to our expert hosts, Adam Meyers and Cristian Rodriguez, and begin to tell the story of modern adversaries: who they are, how they’re tracked, and why you should learn more about them.
Welcome to the Adversary Universe podcast, the best place to learn about the threat actors behind today’s cyberattacks.
We’ll dig deep into the adversaries we’re tracking here at CrowdStrike, the tactics and techniques they employ, threats we’ve seen in the wild, and most importantly, how all of this information can help you better defend your organization.