Time and again, we see that the key hosts implicated in cyber incidents, those where threat actors gain initial access or which they exploit to spread throughout the network, aren't even supposed to BE there anymore. These are testing servers that were stood up during testing and were supposed to have been shut down afterward. They are old development systems that linger, long forgotten, unpatched and unmonitored. They are legacy application servers "temporarily" exempted from security requirements.
In this talk, we will look at several examples of how this can happen even in large, well-resourced organizations with otherwise mature IT operations. We will discuss how we can avoid this phenomenon in our organizations and use our awareness of this phenomenon in defending and threat-hunting on our networks.
Describe how cyber threat actors seek out and take advantage of vulnerable hosts in enterprise networks.
Determine the most likely hosts in their enterprise that could be used by a cyber threat actor to gain or maintain access.
Describe the reasons why vulnerable hosts linger in organizations and how to detect and avoid this in their own organizations.