Hello and welcome to the Tuesday, December 3, 2024 edition of the Science and at Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Threat-informed defense is something that's often being thrown around as, well, a methodology where you're defending against actual current

threats, avoiding, spending a lot of time on defenses that in the end don't really matter.

One of the ways how you can get to that state is actually having a good red team engagement. And that's exactly what

Boyan wrote about in his last diary. One particular control that often frustrates them in

their red team engagements. And if you can frustrate Boyan, you probably are also going to

frustrate a whole lot of attackers.

The assumption here is that some host network is already compromised and now you're trying

to prevent lateral movement.

The particular control that Boyan points out that being quite effective in preventing many techniques that are being

applied here is credential guard. Credential guard does prevent an attacker from, for example,

gathering other users' credentials. Just one little word of warning if you're enabling it,

and one reason why you may not want to enable it,

that it does interfere with some virtualization solutions. Credential Guard itself is implemented

by essentially running your Windows environment on top of HyperVee, and that will interfere with,

for example, running VMware on a system that has credential guard enabled.

And talking about credentials, researchers from clutch security looked a little bit about how long

it takes to have exposed AWS credentials exploited.

Well, the sad truth is that it takes literally seconds, maybe a couple

minutes for credentials to actually be exploited. They tried a couple different things,

like, for example, exposing them via GitHub and the like. This is in line with what we have seen in other reports, so this is not something

...