Cyber adversaries are not “sophisticated”; rather, they are pragmatic. The endpoint, still the nexus of the cyber problem, has lately become harder ground for adversaries: evading detection and persisting at the operating system level is more difficult due to advances in AI/ML, EDR, and threat intelligence. The endpoint battlefield is defined by the “time advantage” that either side holds over the other. Both APTs and criminal ransomware actors have adapted by going “further down the stack”, arriving at firmware-, hardware-, and driver-level TTPs (Tactics, Techniques, Procedures). There is a dire lack of visibility here, and attackers are enjoying the omnipotence and indefinite persistence that sub-operating-system tactics provide.
This talk will expose the reasons attackers are going further down the rabbit hole to gain footholds and persist beneath the rest of the security stack. Recent incidents involving such tactics will be shared, and the challenges of addressing this trending attack vector will be explored.