🗓️ 10 October 2025
⏱️ 15 minutes
| 0:00.0 | Hello and welcome to the Friday, October 10th, 2025 edition of the SANS Internet Storm Center's |
| 0:11.0 | Stormcast. My name is Johannes Ullrich, recording today from Denver, Colorado. |
| 0:17.0 | And this episode is brought to you by the sans.edu graduate certificate program in Purple Team Operations. |
| 0:24.8 | And in diaries today, we do have another diary by one of our undergraduate interns. |
| 0:30.8 | This time it's Yin Guan Lo, who wrote about a RedTail infection. |
| 0:37.4 | RedTail is a cryptojacker, so essentially infecting your system in order to mine cryptocurrency, |
| 0:44.3 | in this case typically Monero. |
| 0:46.9 | Now, what I like about this particular write-up is it doesn't just focus on exactly what hash, for example, was used or what IP addresses the attack |
| 0:57.7 | came from. Quite often defenders are a little bit overly concerned with these indicators of |
| 1:04.3 | compromise. What's really more important to inform your defense is the TTPs that are being used |
| 1:10.5 | by a particular attacker in order to |
| 1:13.3 | identify certain weaknesses in your systems that you need to defend. In this example, for example, |
| 1:19.6 | these are things like weak passwords or, for example, the modification of the .ssh/authorized_keys |
| 1:27.1 | file in order to gain persistent access to the system. |
| 1:31.0 | In particular, the latter one is one of those things that's often not done very well. |
| 1:36.3 | So you want to protect that authorized keys file, maybe make sure that it's only |
| 1:40.4 | writable by the root user, or you deploy them centrally into a location other than |
| 1:47.5 | the user's home directory, which of course also then makes it easier to detect any unauthorized |
| 1:53.8 | modifications to this file. So overall, a nice approach here to look at a honeypot attack from this lens based on the |
| 2:02.5 | MITRE ATT&CK matrix and not just looking at these individual, very kind of ephemeral |
| 2:10.5 | indicators of compromise. |
| 2:12.5 | Well, remember a week or two ago, I talked about the breach of the MySonicWall service. |
... |
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.