
AI is useless, zero trust is dangerous: Contrary lessons from Zero Trust World 2026

Famed hacker Marcus Hutchins speaks at the Zero Trust World conference in Orlando, Florida, March 5, 2026. Credit: Paul Wagenseil/SC Media

ORLANDO, Fla. — The second day of ThreatLocker's annual Zero Trust World conference featured presentations of new ThreatLocker features, demonstrations of zero trust preventing ransomware attacks, warnings about how zero trust can be turned against organizations, and counterintuitive observations from famous hacker/defender Marcus Hutchins.

"Our mission is to change the paradigm of security from default-allow to default-deny," said ThreatLocker co-founder and CEO Danny Jenkins during a joint presentation with his Chief Product Officer Rob Allen. "How do we deny by default and make your lives as easy as possible?"

Jenkins and Allen announced ThreatLocker zero-trust protections for cloud assets and for networks, with Jenkins demonstrating how the software protected his phone from attack by routing its network connections through a ThreatLocker-managed access broker.

"I have 100,000 invalid logins on my email account every day," Jenkins said. "But even if you had my username and password, you wouldn't be able to get into my accounts."

But ThreatLocker isn't running a VPN, he and Allen clarified.

"Using a broker is a lot faster than using a VPN," Jenkins said. "We developed our own TLS protocol."

He also touted the benefits of ThreatLocker's Defense Against Configurations, announced just before Black Hat last August.

"It was originally Dumb-Ass Configuration," Jenkins clarified, "because we started with looking at our own configurations. But now we look at 217 different programs."

He noted that in addition to Windows 10 and 11, ThreatLocker now has agents for macOS, Windows XP, and the CentOS, Debian, Oracle, Red Hat, SUSE and Ubuntu flavors of Linux.

"We are the biggest user of our own product," Jenkins boasted.

How well the defenders stack up

ThreatLocker's capabilities were highlighted in a presentation by Rohit Satpathy, aka Leo from the PC Security Channel on YouTube.

Satpathy explained that his YouTube channel, which currently has about 625,000 subscribers, began in 2011 because he was an avid gamer and he wanted to see how he could protect his gaming rig.

"Infections affecting games are no joke," he said. "So I started testing antivirus solutions."

From there, he's gone on to test endpoint security solutions and provide security tips and advice on YouTube.

Fifteen years ago, Satpathy said, Microsoft's built-in Windows Defender antivirus didn't work so well against ransomware. So how about today?

He built a new ransomware test tool from scratch so that it wouldn't have any signatures that an antivirus or endpoint protection tool would recognize. Detection would have to be solely through behavioral monitoring.

The test ransomware encrypted files with AES, changed your desktop background, and had a large file size to evade detection by scanners that expect malware to be smaller.

The malware ran without any alert from Windows Defender running on Windows 11. Files were encrypted systemwide — a total failure on Defender's part.

ThreatLocker, on the other hand, stopped the malware from running at all because it wasn't on ThreatLocker's list of approved software.

But even when Satpathy went into the ThreatLocker admin settings to let the malware run, ThreatLocker's ring-fencing feature stopped it dead in its tracks. The only thing that changed was the desktop background.
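The two layers in that demonstration, a hash-keyed allowlist that decides whether a binary may run at all, and a ring fence that decides what an approved binary may touch once it runs, can be modelled in a few dozen lines. The following is an added illustration, not ThreatLocker's code or policy format; the binaries, paths, registry key and address are constructed, and the "admin approves it but fences it to the wallpaper key" step is a made-up policy chosen to reproduce the outcome described above (only the desktop background changes):

```python
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class RingFence:
    """What an approved application may touch once it is allowed to run.
    Empty tuples / False mean it may touch nothing of that kind, so the
    fence itself is default-deny."""
    file_prefixes: tuple = ()
    registry_prefixes: tuple = ()
    network: bool = False


def _prefix_ok(target: str, prefixes: tuple) -> bool:
    t = target.lower()
    return any(t.startswith(p.lower()) for p in prefixes)


class Policy:
    """Hash-keyed allowlist: a binary runs only if its SHA-256 was approved."""

    def __init__(self):
        self.by_hash = {}

    def approve(self, name: str, binary: bytes, fence: RingFence) -> None:
        self.by_hash[sha256_hex(binary)] = (name, fence)

    def check_execute(self, binary: bytes):
        entry = self.by_hash.get(sha256_hex(binary))
        if entry is None:
            return ("deny", "not on allowlist")
        return ("allow", entry[0])

    def check_action(self, binary: bytes, kind: str, target: str):
        entry = self.by_hash.get(sha256_hex(binary))
        if entry is None:
            return ("deny", "not on allowlist")
        name, fence = entry
        if kind == "file":
            ok = _prefix_ok(target, fence.file_prefixes)
        elif kind == "registry":
            ok = _prefix_ok(target, fence.registry_prefixes)
        elif kind == "network":
            ok = fence.network
        else:
            ok = False  # unknown action kinds fall through to deny
        return ("allow" if ok else "deny", f"{name}: {kind} {target}")


# Constructed stand-in for the unsigned test tool; no real malware involved.
TEST_TOOL = b"constructed-unknown-binary-bytes"


def run_demo():
    policy = Policy()
    policy.approve("notepad.exe", b"constructed-notepad-bytes",
                   RingFence(file_prefixes=("C:\\Users\\",)))
    # Step 1: the unknown binary is not on the allowlist, so it cannot run at all.
    execute = policy.check_execute(TEST_TOOL)
    # Step 2 (constructed policy): an admin approves it, but the fence only lets
    # it touch the wallpaper key, so file writes and outbound traffic are denied.
    policy.approve("testtool.exe", TEST_TOOL,
                   RingFence(registry_prefixes=(r"HKCU\Control Panel\Desktop",)))
    actions = [
        ("file", r"C:\Users\leo\Documents\report.docx"),
        ("registry", r"HKCU\Control Panel\Desktop\Wallpaper"),
        ("network", "203.0.113.10:443"),  # TEST-NET-3 address, constructed
    ]
    return execute, [policy.check_action(TEST_TOOL, k, t)[0] for k, t in actions]


if __name__ == "__main__":
    execute, results = run_demo()
    print("execute:", execute)
    print("file/registry/network:", results)
```

The point of the model is that approving a binary is not the same as trusting it: the fence keeps the decision default-deny at the level of individual resources, which is why the encryption step fails even after the run decision is overridden.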

Satpathy also tested other well-known antivirus and endpoint solutions, and you can watch the YouTube video here.

"A lot of modern ransomware gets through EDR detection, especially on the first day," he said. "The moral of the story is: Test your endpoints!"

How attackers could weaponize zero trust

One of the biggest problems with implementing modern security practices is the burden they place on end users. You surely know people who hate using MFA or refuse to use it at all, or who may not even want to have more than one password.

That's a problem for the enterprise too, said penetration tester Luke Patneau in an afternoon session. The annoyances and friction caused by zero trust, he said, will wear users down so that they'll fail to take even basic security measures after a time.

"On paper, zero trust looks invincible," Patneau said. "But you can weaponize zero trust against an organization through social engineering."

He compared zero-trust fatigue to the "push notification bombing" that attackers use to wear down consumers who have MFA enabled until the exasperated users click "yes" on the umpteenth request for access.

"You cannot just outright convince people to care about security," Patneau said. "This is something that attackers can weaponize."

Even trained IT teams buckle under too many alerts and notifications, he noted. How will regular end users react when they have to authenticate themselves 20 times a day?

"Once zero trust is implemented," Patneau said, "users slowly become saturated and less observant."

To combat this, he recommends reducing security friction everywhere, prioritizing security culture, auditing every system and emphasizing "soft skills" that are better at spotting the new wave of social-engineering attacks that have taken down MGM and other prominent victims.

"All it took was one phone call to the right person," he said, "to get around zero trust."

The near-death of dwell time

The dangers of alert fatigue were also highlighted by Marcus Hutchins, aka MalwareTech, who famously stopped the worldwide WannaCry ransomware infection in 2017 — and then got arrested by the FBI a few months later for malware he'd written in his early teens.

"Alert fatigue is real," Hutchins said, adding that he'd worked with companies that had 300,000 alerts every day.

This overwhelming noise, he said, has made enterprise security reactive again because alert overload shifts investigations to manual teams in the SOC, and it can take days or weeks to properly figure out what triggered an alert.

"The better solution is to have higher-quality alerting" by using filters and pattern recognition of routine events, he said. "We need to take security back to being proactive."

One big reason for the urgency, Hutchins said, is that the "dwell time" during which attackers investigate and profile your systems after initial intrusion has gotten shorter.

In a classic ransomware attack, he explained, an initial attacker first penetrates the system. The next phase is to check out the internal architecture to see how effective ransomware can be, and the organization itself to estimate how much it can afford to pay.

That's the dwell time, and it's when most organizations can detect an intrusion, letting them take action before the access is sold to another attacker and ransomware is deployed.

But today, Hutchins said, scanning tools like Shodan enable faster and better reconnaissance of newly infected systems, which shrinks the investigation time, and repeat attacks on previous targets nearly eliminate it. The dwell time is nearly gone.

This has little to do with AI, he pointed out, as there's been a steady reduction in dwell time since early 2021, a year and a half before ChatGPT became widely available at the end of 2022.

Besides, he added, the current crop of infostealers, which make up the majority of initial entries, work faster than any AI can.

"AI or no AI," Hutchins said, "cyberattacks are getting faster."

We asked whether defenders could gain any advantage by using AI-powered tools.

"No," he replied. "AI raises all boats, so it won't make defenses any faster against attacks."

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
