🕵️‍♂️Ethical Threat Insights: How to Defend Against Typosquatting Attacks in 4 Simple Steps


Hey there! Hoping you had an awesome weekend! It's cold and rainy here in NY and I am literally so over it. Hah. I hope you enjoy this week's newsletter. Please hit reply and leave me some feedback or roast me. Would love to tune this and make it incredibly useful and valuable to you. I will consider ALL ideas.

🩺Threat Pulse

GitHub expands security tools after 39 million secrets leaked in 2024

GitHub detected over 39 million leaked secrets, such as API keys and credentials, in repositories throughout 2024, posing significant security risks. In response, GitHub announced updates to its Advanced Security platform to mitigate these exposures.

Key Takeaways:

  • Implement GitHub’s enhanced security features, including secret scanning and push protection, to prevent sensitive data exposure.
  • Regularly audit repositories for accidental inclusion of secrets and remove them promptly.
  • Educate developers on the importance of safeguarding credentials and integrating security practices into their workflows.

This is only a problem that’s going to get worse, especially with the advent of “vibe coding” and the use of LLMs and AI chatbots for development. On the plus side, the technology (LLM/AI assisted) for detecting these credentials, and even preventing these mistakes in the first place, is also getting exceptionally good. It’s like any other risk at the end of the day. Something to be mindful of if you have a development team or if you have people in your org using GitHub or similar.

The Reality Behind Security Control Failures—And How to Prevent Them

Many organizations discover security control failures only after a breach, often due to untested assumptions about their effectiveness. OnDefend emphasizes the necessity of continuous validation to ensure security measures function as intended.

Key Takeaways:

  • Adopt continuous validation strategies to proactively identify and address security control gaps.
  • Move beyond compliance checklists to operational assurance testing that evaluates real-world effectiveness.
  • Regularly simulate attack scenarios to test and improve defensive measures.

We see this all the time with penetration testing. The client experiences a breach, and after they’ve cleaned up from it and implemented a few new pieces of technology, the very next thing they do is have a security/risk assessment and/or a penetration test. I’m happy to see them performing these exercises; however, it goes without saying that an ounce of prevention is worth a pound of cure. A 1-week pentest is worth 6 months of DFIR, remediation and PR damage control.

Dispersed responsibility, lack of asset inventory is causing gaps in medical device cybersecurity

The resale and redistribution of medical devices complicate efforts to locate and patch them when vulnerabilities are discovered. This lack of comprehensive asset inventory poses significant cybersecurity challenges in the healthcare sector.

Key Takeaways:

  • Develop and maintain an up-to-date inventory of all medical devices within the organization.
  • Establish clear ownership and responsibility for device security throughout their lifecycle.
  • Implement processes to promptly address vulnerabilities in both new and legacy devices.

The state of medical device security is really all over the place. If you haven’t heard Brad Causey, the VP of Offensive Security at SecurIT360 (my boss and where I work), give his talk on pentesting medical devices, give it a listen. It’s a bit scary, but eye opening. Here’s a link — https://www.youtube.com/watch?v=CZOEP4czIDc. As the title of the video suggests, quite literally, performing pentests and security assessments on these devices can save lives.

Identity lapses ensnared organizations at scale in 2024

In 2024, cybercriminals exploited weaknesses in identity controls, with valid accounts being the primary access vector in 60% of incidents responded to by Cisco Talos. This underscores the critical need for robust identity management practices.

Key Takeaways:

  • Enforce strong password policies and implement multifactor authentication (MFA) across all systems.
  • Regularly audit and restrict user privileges to the minimum necessary for job functions.
  • Monitor for unusual account activities that may indicate compromised credentials.

We just popped an account this week on an external pentest. The password was incredibly weak. You know, like CompanyName2025! This is really very avoidable by implementing just a few controls. Microsoft Entra Password Protection is the first thing. Microsoft Entra Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization. The second biggest thing here is you’ve got to have someone (ideally a group of someones, aka a SOC) watching your back. If you’ve got a small IT team and no dedicated security staff, the most financially and strategically responsible thing to do is to engage and procure an MSSP/MDR provider.
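To make the "variants of a banned term" idea concrete, here is an added example (my own illustration, not Microsoft's algorithm or code) of a simplified banned-password check: it undoes common character substitutions, then looks for global and org-specific banned terms inside the normalized password, so "CompanyName2025!" and "C0mp@nyN@me!" are both caught. The substitution table and banned terms are constructed for the example, and the check is deliberately stricter than Entra's point-scoring scheme.

```python
import re

# Undo common character substitutions before matching, so "C0mp@nyN@me" reads "companyname".
# Constructed mapping for this example; Entra's own substitution table may differ.
SUBSTITUTIONS = str.maketrans(
    {"@": "a", "0": "o", "1": "l", "$": "s", "3": "e", "4": "a", "5": "s", "7": "t"}
)

# A few globally weak terms; a real deployment uses a much larger list.
GLOBAL_BANNED = ("password", "welcome", "letmein", "qwerty")


def normalize(text: str) -> str:
    """Lower-case, undo substitutions and drop separators users insert between words."""
    return re.sub(r"[\s._-]", "", text.lower().translate(SUBSTITUTIONS))


def banned_terms_in(password: str, org_terms) -> list[str]:
    """Return every banned term (global or org-specific) found after normalization.

    org_terms is the organization's own list, e.g. company name, product names, city.
    Very short terms are ignored to avoid flagging every password containing them.
    """
    norm = normalize(password)
    terms = {normalize(t) for t in org_terms} | set(GLOBAL_BANNED)
    return sorted(t for t in terms if len(t) >= 4 and t in norm)


def is_weak(password: str, org_terms) -> bool:
    """True when the password is built around a banned term, variants included."""
    return bool(banned_terms_in(password, org_terms))


if __name__ == "__main__":
    org = ["CompanyName", "Widget"]
    for candidate in ["CompanyName2025!", "C0mp@nyN@me!", "P@ssw0rd1", "Correct-Horse-Battery-Staple"]:
        print(f"{candidate:32} weak={is_weak(candidate, org)} terms={banned_terms_in(candidate, org)}")
```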

Malware is harder to find when written in obscure languages

Malware authors are increasingly using less common programming languages, such as Delphi and Haskell, to evade detection and hinder analysis by security tools.

Key Takeaways:

  • Update security tools to recognize and analyze binaries compiled from a wide range of programming languages.
  • Invest in training for analysts to understand and reverse-engineer malware written in unconventional languages.
  • Implement behavioral analysis techniques to detect malicious activities, regardless of the underlying codebase.

This is not new, and for anyone who’s been around for a bit, that will probably not be a controversial take. AutoIt, a scripting language meant for automating Windows tasks, was used extensively by malware authors in the late 2000s and early 2010s. Malware families like SpyEye, Dorkbot, and various Trojans and droppers were written in or packed with AutoIt. Nowadays malware developers are writing in Nim and Golang as well as the languages referenced in the article above. The specific languages change, but the tactic of using the unexpected to frustrate detection and analysis is as old as malware itself.

🔐Securing the Stack

🛡️ How To Defend Against Typosquatting Attacks

1. Monitor for Look-Alike Domains

  • Use a tool like dnstwist to scan for domains that closely resemble yours.
  • Schedule regular scans and flag suspicious variants.

2. Secure Your Organization Proactively

  • Register common misspellings and similar domain variants before attackers do.
  • Consider trademarking your organization’s brand to strengthen legal takedown options.

3. Lock Down Your Email

  • SPF ensures only authorized servers can send emails on your behalf.
  • DKIM verifies email integrity and authenticity.
  • DMARC gives you control over how email providers handle suspicious messages.

✅ All three combined help reduce the risk of email spoofing from typosquatted domains.

4. Train Your Team

  • Teach employees to hover before clicking and always verify URLs.
  • Teach users how to report suspicious activity to the IT/Security team, encourage them to do so, and stress the importance of speedy reporting.
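As an added example (my own code, not dnstwist's and not part of the original newsletter), here is a small Python script covering steps 1 and 3 above: it generates look-alike variants of your domain the way dnstwist's fuzzers do (omissions, transpositions, repeated letters, hyphenation, homoglyphs, TLD swaps, and a "www" prefix), optionally resolves them to see which ones someone has already registered, and checks whether a DMARC record actually enforces a policy. The homoglyph table, TLD list and the domain example.com are constructed for the example.

```python
import socket

# Constructed homoglyph table for this example; dnstwist ships a far larger one.
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"], "a": ["4"], "m": ["rn"], "w": ["vv"]}
TLDS = ("com", "net", "org", "co", "io")


def permutations(domain: str) -> set[str]:
    """Generate look-alike candidates for 'label.tld' in the spirit of dnstwist's fuzzers."""
    label, _, tld = domain.lower().rpartition(".")
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                       # omission:      exmple
        out.add(label[:i] + ch + label[i:])                      # repetition:    exaample
        if i < len(label) - 1:
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition: exmaple
            out.add(label[:i + 1] + "-" + label[i + 1:])         # hyphenation:   exa-mple
        for glyph in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + glyph + label[i + 1:])           # homoglyph:     examp1e
    candidates = {f"{l}.{tld}" for l in out if l and l != label}
    candidates |= {f"{label}.{t}" for t in TLDS if t != tld}    # TLD swap:      example.net
    candidates.add(f"www{label}.{tld}")                          # missing dot:   wwwexample.com
    return candidates


def registered(candidates, resolver=socket.gethostbyname) -> dict[str, str]:
    """Resolve each candidate (network call); names with an A record deserve review."""
    found = {}
    for name in sorted(candidates):
        try:
            found[name] = resolver(name)
        except OSError:  # socket.gaierror is an OSError: NXDOMAIN or no A record
            pass
    return found


def dmarc_is_enforcing(record: str) -> bool:
    """True only when a DMARC TXT record uses p=quarantine or p=reject; p=none just monitors."""
    pairs = (kv.split("=", 1) for kv in record.split(";") if "=" in kv)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    return tags.get("v") == "dmarc1" and tags.get("p") in ("quarantine", "reject")


if __name__ == "__main__":
    hits = permutations("example.com")
    print(len(hits), "candidates, e.g.", sorted(hits)[:6])
    # print(registered(hits))  # uncomment to resolve over the network
    print("DMARC enforcing:", dmarc_is_enforcing("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```

Run the generator on a schedule and diff the `registered()` output against the previous run; a newly resolving variant is the signal to investigate.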

😆Memes & Mayhem

Relatable? 😅🤣😂

Also…I really hate to admit but this is literally me. It's not you too is it? haha 😭😂

👨‍💻Behind the Console

I posted this on LinkedIn last week and wanted to make sure you all saw it. Some of my best advice for how to prepare for your next internal pentest. And by the way, I live and breathe internal pentesting. If you’d like to have an honest and transparent conversation about how we do things (very differently) and why we are able to provide so much more value per engagement than our peers, I’d love to chat. No obligation, no pressure. Reply back and we can book some time to chat!

That's all, have an awesome week!

All the best
Spencer Alessi

"Spirit of a hacker heart of a defender"
All My Links | super cool cybersecurity shirts & stickers
