2 posts tagged with "threat-hunting"

CI/CD Pipeline Compromise: How Attackers Turn Your Build System Into a Persistent Backdoor Into Production

40 min read
Inference Defense
Threat Intelligence & Detection Engineering

Your software supply chain is already inside your network perimeter. Every time a developer pushes a commit, your CI/CD pipeline authenticates to your cloud provider, pulls secrets from your vault, builds and signs artifacts, and pushes code directly to production, all without a human approving a single step. Attackers figured this out in 2020 with SolarWinds, refined it through the Codecov breach in 2021, operationalized it at scale with the 3CX and XZ Utils compromises in 2023–2024, and in August 2025, UNC6395 used it to compromise Drift's GitHub account, steal OAuth tokens, and gain access to hundreds of organizations' Salesforce environments without ever touching a single victim's network directly. The attack surface is not a misconfiguration you can patch. It is the pipeline itself.


Ransomware Pre-Encryption Phase: What Attackers Do in the 72 Hours Before Your Files Disappear

48 min read
Inference Defense
Threat Intelligence & Detection Engineering

By the time ransomware starts encrypting files, the attacker has already won. The encryption event that triggers your EDR alert, your SOC ticket, and your incident response retainer is not the attack; it is the final step of an operation that began days or weeks earlier, during which the threat actor mapped your entire Active Directory, escalated to Domain Admin, exfiltrated your most sensitive data to a cloud storage bucket, killed your backups, and confirmed that every shadow copy on every server is gone. The encryption itself takes minutes. Everything that makes it devastating (the leverage, the irreversibility, the breadth) was assembled during the dwell period when your SIEM was generating zero alerts. The Conti playbook leaked in 2022, LockBit 3.0's affiliate documentation, and ALPHV/BlackCat's observed TTPs across hundreds of incidents all confirm the same operational tempo: reconnaissance, credential theft, lateral movement, exfiltration, and backup destruction are completed before a single file is touched.