Daniel Schell
@danonit
1.5K posts

CoFounder & CTO at @AirlockDigital. Practical Execution Control & Allowlisting.

Adelaide, Australia. Joined June 2009
1.4K following, 1K followers
Daniel Schell @danonit
@IceSolst I figure they just have a different stack / architecture. Targeting and availability is another thing - probably more fortinets available for hot takes.
solst/ICE of Astarte
Palo Alto’s revenue is from its firewalls, yet we only hear about vulnerabilities in Fortinet, why? Options: - Fortinet’s code is shittier (most likely?) - PAN doesn’t disclose or issue CVEs? - PAN firewalls are more expensive but not as widespread (explaining market share), so less research on them? - some sort of licensing issues that prevent researchers from testing PAN firewalls? This is all speculation to give Fortinet the benefit of the doubt. Most likely they just suck at writing secure code.
Daniel Schell reposted
Brian in Pittsburgh @arekfurt
We have two choices: We can broadly adopt app control, or we can continue to get our asses kicked. If we keep persisting in choosing the latter course, the only real question is whether the kicking will be about the same as now or whether it will get substantially worse.
Quoting Justin Elze @HackingLZ:
Happy Saturday! Exposed attack surface on the internet has been shifting from legacy appliances and Windows boxes directly on the internet into cloud for years now (thanks Citrix, Fortinet, MOVEit, etc.). The excitement around LLMs finding vulnerabilities and the incoming apocalypse is legitimate; however, directly exposed attack surface has been decreasing (thanks app proxy, Zscaler, etc.) and now you have more eyes on what was already a shrinking target. Bugs found on the cloud side have a shorter life and, once identified, are generally patched for everyone at once. Down the line from that you can certainly use LLMs to go after endpoint bugs in Microsoft where you generally lack source and it requires a higher level of human-directed iteration, on top of dealing with EDR/AV if your target is enterprise. No doubt people can iterate faster and find more bugs (I've found a ton of these personally), but many bugs have limited to no real-world impact: configurations you won't see in the wild, code paths you can't reach without auth you don't have, features that are off by default. Overlooked in all of this is the ease with which you can reverse and dismantle security products, many of which are forced into design choices by the OS, or into exclusions to avoid drowning clients in false positives. Things like extracting the local ML models from products aren't a big leap these days. It certainly makes the case for application control being a bigger priority going forward, even if it doesn't make for a great funding pitch.
Daniel Schell @danonit
@UK_Daniel_Card @NSAGov @ASDGovAu Clustering malware was very important, but also being able to say "opening this document caused unwanted behaviour on these exact versions of Acrobat Reader" (within minutes) were the types of capabilities that were sought about 15 years ago.
Daniel Schell @danonit
@UK_Daniel_Card This would be more like @NSAGov Ghidra, internal tooling used by @ASDGovAu being shared. I used to work with many governments on malware analysis sandboxing projects at a scale of hundreds of thousands of samples a day across hundreds of detonation environments.
Daniel Schell @danonit
Haven't had a chance to look yet, but 🇦🇺 gov have released Azul open source. github.com/AustralianCybe… "Azul is a malware repository for reverse engineers, incident responders and everyone in-between"
Daniel Schell @danonit
@UK_Daniel_Card Yeah, it looks like a malware focused threat intel platform. Probably primarily for government and the top end of town / malware researchers.
mRr3b00t @UK_Daniel_Card
@danonit It's something that only a very few orgs I can see would want/need
Justin Elze @HackingLZ
I had a few people test this when it was behind auth but pulled the auth back. If you're interested in Defender signatures and ASR rules. defender.hackpwn.net
Daniel Schell @danonit
With @AirlockDigital in Enforcement mode with .NET Assembly reflection protection enabled. It’s also possible to only allow clickonce applications by domain.
Daniel Schell @danonit
Created a short demo showing a simulation of modern-day ClickOnce + assembly sideload phishing campaigns we're seeing targeting finance orgs in the wild. Comments showing @AirlockDigital app control on the same method in comments.
Daniel Schell @danonit
@arekfurt Yeah, we had customers trusting the thumbprint of their self-signed cert in the app folder, which is a good capability to have; however it is surprising to see large orgs just accept this free app without their normal vendor due diligence, questionnaires, SOC 2, ISO review etc.
Brian in Pittsburgh @arekfurt
Indeed, the critical fact in the current supply chain compromise is that even after updates started getting properly signed the updater didn't actually check to see whether downloaded installers were so signed by Notepad++ certificates until December 2025. Sigh.
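The check Brian describes as missing, written out as an added example in PowerShell. This is not Notepad++'s updater code and is not anything posted in the thread; the download path, the silent-install switch, the subject pattern and the thumbprint are placeholders you would replace with the publisher's real values. The point it makes: a signature whose status is "Valid" only proves the file was signed by some certificate some CA trusts, so the updater must also pin the signer.

```powershell
# Added example, not the Notepad++ updater: an updater that downloads an installer
# must verify (a) the Authenticode signature is valid AND (b) the signer is the
# publisher it expects, before executing anything. A "Valid" status alone accepts
# any code-signing certificate from any CA.

function Test-PinnedInstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedThumbprints,   # pinned leaf-cert SHA-1 thumbprints
        [string] $ExpectedSubjectPattern                          # optional regex on the signer Subject
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Installer not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 1. Signature must verify and chain to a trusted root. NotSigned, HashMismatch
    #    (file altered after signing), NotTrusted (e.g. self-signed) and UnknownError all fail.
    if ($sig.Status -ne 'Valid') {
        Write-Warning ("Signature status for {0} is {1}: {2}" -f $Path, $sig.Status, $sig.StatusMessage)
        return $false
    }

    # 2. Pin the leaf certificate. Keep every thumbprint the publisher has legitimately
    #    used, since code-signing certs are renewed and timestamped releases signed with
    #    the old one stay valid.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($AllowedThumbprints -notcontains $thumb) {
        Write-Warning "Signer thumbprint $thumb is not pinned for $Path"
        return $false
    }

    # 3. Optional second check on the Subject, so a wrong thumbprint pasted into the
    #    pin list does not silently accept another publisher.
    if ($ExpectedSubjectPattern -and ($sig.SignerCertificate.Subject -notmatch $ExpectedSubjectPattern)) {
        Write-Warning ("Signer subject '{0}' does not match '{1}'" -f $sig.SignerCertificate.Subject, $ExpectedSubjectPattern)
        return $false
    }

    return $true
}

# Updater flow: download to a temp file, verify, and only then execute.
# Placeholders: the path, the '/S' switch, the subject and the thumbprint are
# assumptions for illustration, not real values.
$installer = Join-Path $env:TEMP 'update-installer.exe'
$pins      = @('0000000000000000000000000000000000000000')

if (Test-PinnedInstallerSignature -Path $installer -AllowedThumbprints $pins -ExpectedSubjectPattern '^CN=Example Publisher') {
    Start-Process -FilePath $installer -ArgumentList '/S' -Wait
} else {
    # Fail closed: delete what we cannot vouch for rather than leaving it on disk.
    Remove-Item -LiteralPath $installer -Force -ErrorAction SilentlyContinue
    throw "Refusing to run unverified installer: $installer"
}
```

Run as-is the flow ends in the `throw`, because no file sits at the placeholder path; that is the intended fail-closed branch. For an application-control deployment the same thumbprints are what you would pin in a publisher rule, which is why an updater that rotates or drops its signing certificate is painful for allowlisting teams.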
Brian in Pittsburgh @arekfurt
People in the app control community have had issues with Notepad++ for quite a while. For a long time you basically had to deal with it by allowlisting hashes or using some reputation/prevalence based auth mechanism.
Quoting Daniel Schell @danonit:
@arekfurt It's been high risk for a while since the author rallied against proper code signing for a while, switching to self-signed and has come around again now. It's a great product and free, but yeah…
Daniel Schell @danonit
@arekfurt It’s been high risk for a while since the author rallied against proper code signing for a while, switching to self-signed and has come around again now. It’s a great product and free, but yeah…
Daniel Schell reposted
Daniel Lemire @lemire
Notepad++, the popular text editor used by programmers, was hacked by the Chinese government…
Daniel Schell reposted
Chris Spehn @ConsciousHacker
I'll continue to "stand on business" and say application control is the most effective security control you can implement
Daniel Schell @danonit
@arekfurt Trouble comes by not having defined processes, visibility, and exception handling resulting in unexpected blocks resulting in rushed poor policy decisions. Allowlisting with imperfect policy is still far stronger than not getting started.
Brian in Pittsburgh @arekfurt
Why do orgs trying app control run into trouble: The reasons can be distilled to a few broad categories (problems with tooling, sloppy vendor practices, etc.) but let me suggest one issue many don't appreciate: App control requires cultural change, not just technological change.
Quoting spencer @techspence:
Application control works, I don't think there are many who debate that. But part of the reason it gets a bad reputation is because of flawed deployments. Here's a few things to avoid:
1. Overly permissive path rules (e.g. wildcard paths)
2. Overly permissive publisher rules (e.g. everything from a publisher is allowed)
3. Using only hash rules
4. Allowing CMD/PowerShell/PowerShell_ISE/Terminal
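The four mistakes spencer lists can be checked mechanically against a policy export. The script below is an added example, not from the thread and not a Microsoft tool: it lints an AppLocker policy document for wildcard or user-writable path rules, publisher rules that allow every product and binary from a vendor, collections made only of hash rules, and a %WINDIR%/%SYSTEM32% allow rule with no Deny for cmd.exe, powershell.exe or powershell_ise.exe. The policy embedded in it is constructed so that each check fires once; on a real host you would feed it the output of `Get-AppLockerPolicy -Effective -Xml`. Windows Terminal (wt.exe) is a packaged app outside %WINDIR%, so the shell check does not cover it; handle it with packaged-app rules.

```powershell
# Added example (not the thread's code, not a Microsoft tool): lint an AppLocker
# policy for the four deployment mistakes listed above.

function Find-WeakAppLockerRules {
    param([Parameter(Mandatory)] [xml] $Policy)

    $findings = New-Object System.Collections.Generic.List[object]
    # Shells that the default "%WINDIR%\*" allow rule quietly permits. wt.exe lives
    # under WindowsApps, outside %WINDIR%, so it is not covered by this check.
    $shells = @('cmd.exe', 'powershell.exe', 'powershell_ise.exe')

    foreach ($col in @($Policy.AppLockerPolicy.RuleCollection)) {
        $type  = $col.Type
        $rules = @($col.ChildNodes | Where-Object NodeType -eq 'Element')

        # 3. Hash-only collection: every binary update needs a new rule, so the
        #    policy rots or a broad rule gets bolted on later.
        if ($rules.Count -gt 0 -and -not ($rules | Where-Object LocalName -ne 'FileHashRule')) {
            $findings.Add([pscustomobject]@{ Collection = $type; Rule = '(all)'; Issue = 'Collection uses only hash rules' })
        }

        # File names explicitly denied in this collection, by path or by publisher binary name.
        $denied = @()
        foreach ($r in ($rules | Where-Object Action -eq 'Deny')) {
            $name = $r.Conditions.FilePathCondition.Path
            if (-not $name) { $name = $r.Conditions.FilePublisherCondition.BinaryName }
            if ($name) { $denied += [IO.Path]::GetFileName($name).ToLower() }
        }

        foreach ($r in ($rules | Where-Object { $_.LocalName -eq 'FilePathRule' -and $_.Action -eq 'Allow' })) {
            $p = $r.Conditions.FilePathCondition.Path
            # 1. Wildcard, whole-drive, removable or user-writable paths: anything dropped there runs.
            if ($p -match '^\*$|^[A-Z]:\\\*$|^%OSDRIVE%\\\*$|^%(REMOVABLE|HOT)%|\\Users\\|\\Temp\\') {
                $findings.Add([pscustomobject]@{ Collection = $type; Rule = $r.GetAttribute('Name'); Issue = "Overly permissive path '$p'" })
            }
            # 4. The Windows-folder allow rule permits the shells unless each is denied.
            if ($p -match '^%(WINDIR|SYSTEM32)%\\\*$') {
                $open = $shells | Where-Object { $denied -notcontains $_ }
                if ($open) {
                    $findings.Add([pscustomobject]@{ Collection = $type; Rule = $r.GetAttribute('Name'); Issue = "Allows $($open -join ', ') via '$p' with no Deny rule" })
                }
            }
        }

        foreach ($r in ($rules | Where-Object { $_.LocalName -eq 'FilePublisherRule' -and $_.Action -eq 'Allow' })) {
            $c = $r.Conditions.FilePublisherCondition
            # 2. Publisher-wide rule: every product and binary that vendor ever signed runs.
            if ($c.ProductName -eq '*' -and $c.BinaryName -eq '*') {
                $findings.Add([pscustomobject]@{ Collection = $type; Rule = $r.GetAttribute('Name'); Issue = "Publisher rule for '$($c.PublisherName)' allows every product and binary" })
            }
        }
    }
    return $findings
}

# Constructed sample policy (not from any real deployment) that trips all four checks.
$samplePolicy = [xml]@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a1" Name="All files on OS drive" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a2" Name="(Default) All Windows files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a3" Name="Block cmd" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\cmd.exe" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="a4" Name="Anything signed by Contoso" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=CONTOSO, L=SEATTLE, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FileHashRule Id="b1" Name="login.ps1" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FileHashCondition><FileHash Type="SHA256" Data="0x00" SourceFileName="login.ps1" SourceFileLength="1" /></FileHashCondition>
      </Conditions>
    </FileHashRule>
  </RuleCollection>
</AppLockerPolicy>
'@

Find-WeakAppLockerRules -Policy $samplePolicy | Format-Table -AutoSize
```

Against the sample the Exe collection reports the %OSDRIVE% wildcard, the %WINDIR% rule still allowing powershell.exe and powershell_ise.exe (only cmd.exe has a Deny), and the Contoso publisher rule; the Script collection reports that it is hash-only. The same findings map directly onto spencer's four points, which is the argument for running a lint like this before switching a collection from audit to enforce.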
Daniel Schell @danonit
David and I joined RiskyBiz this week to discuss novel ClickOnce tradecraft we’re seeing targeting the finance sector, plus a wider conversation on the role of AI in application control. Check it out here: youtu.be/5fsZklyapss?t=…
Brian in Pittsburgh @arekfurt
If you are a third-party dev of something that itself executes arbitrary code can you actually practically make use of this? Well... good question.😄 For one, AFAIK there's nothing on the WDAC policy side that can allow an admin to set a policy to tell hosts to use sandboxing. 🤷
Brian in Pittsburgh @arekfurt
Random security capabilities that's in Windows 11: A program that itself executes code (like a scripting engine) can ask the OS if code in a buffer or stream would comply with code integrity policy, and should expect the OS might respond it should only be executed in a sandbox.
Daniel Schell reposted
Brian in Pittsburgh @arekfurt
Attack surface reduction is one of the key underlying principles of cybersecurity (heck, all security) that you must understand and apply religiously. Doing so starting with most exposed and most critical assets/locations and extending across more and more layers of depth.
Quoting Nathan McNulty @NathanMcNulty:
One of the most consistently achievable ways to secure your org is to eliminate unnecessary attack surface. You don't have to patch it if it doesn't exist.
Daniel Schell @danonit
@NathanMcNulty Yeah, last time I spoke to Gartner they said they've seen a massive uplift this year in enquiries. I'm more confident than ever, based on recent conversations I've been having, that App Control as table stakes is inevitable.
Nathan McNulty @NathanMcNulty
@danonit That is so great to hear! I've had a lot more interest and walking folks through the basics of WDAC this year, probably as many as the previous 3 years combined. We just don't get enough requests to make it part of our practice, plus the Microsoft management experience sucks :(