Exploring Information Security - Exploring Information Security

Timothy De Block

135 episodes

    Exploring Cribl: Sifting Gold from Data Noise for Cost and Security

    2026/1/20 | 33 mins.
    Summary:

    Timothy De Block and Ed Bailey, a former customer and current Field CISO at Cribl, discuss how the company is tackling the twin problems of data complexity and AI integration. Ed explains that Cribl's core mission—derived from the French word "cribé" (to screen or sift)—is to provide data flexibility and cost management by routing the most valuable data to expensive tools like SIEMs and everything else to cheap object storage. The conversation covers the 40x productivity gains from their "human in the loop AI", Cribl Co-Pilot, and their expansion into "agentic AI" to fight back against sophisticated threats.

    Cribl's Core Value Proposition

    Data Flexibility & Cost Management: Cribl's primary value is giving customers the flexibility to route data from "anywhere to anywhere". This allows organizations to manage costs by classifying data:

    Valuable Data: Sent to high-value, high-cost platforms like SIEMs (Splunk, Elastic).

    Retention Data: Sent to inexpensive object storage (3 to 5 cents per gig).

    Matching Cost and Value: This approach ensures the most valuable data gets the premium analysis while retaining all data necessary for compliance, addressing the CISO's fear of missing a critical event.

    SIEM Migration and Onboarding: Cribl mitigates the risk of disruption during a SIEM migration, a major concern for CISOs, by acting as an abstraction layer. This can dramatically accelerate migration time; one large insurance company was able to migrate to a next-gen SIEM in five months, a process their CISO projected would have taken two years otherwise.

    Customer Success Story (UBA): Ed shared a story where his team used Cribl Stream to quickly integrate an expensive User and Entity Behavior Analytics (UBA) tool with their SIEM in two hours for a proof-of-concept. This saved 9-10 months and the deployment of 100,000 agents, providing 100% value from the UBA tool in just two weeks.

    AI Strategy and Productivity Gains

    "Human in the Loop AI": Cribl's initial AI focus is on Co-Pilot, which helps people use the tools better. This approach prioritizes accuracy and addresses the fact that enterprise tooling is often difficult to use.

    40x Productivity Boost: Co-Pilot Editor automates the process of mapping data into complex, esoteric data schemas (for tools like Splunk and Elastic). This reduced the time to create a schema for a custom data type from approximately a week to about one hour, representing a massive gain in workflow productivity.

    Roadmap Shift to Agentic AI: Following CriblCon, the roadmap is shifting toward "agentic AI" that operates in the background, focused on building trust through carefully controlled and validated value.

    AI in Search: The Cribl Search product has built-in AI that suggests better ways for users to write searches and utilize features, addressing the fact that many organizations fail to get full value from their searching tools because users don't know how to use them efficiently.

    Challenges and Business Model

    Data Classification Pain Point: The biggest challenge during deployment is that many users "have never really looked at their data". This leads to time spent classifying data and defining the "why" (what is the end goal) before working on the "how".

    Vendor Pushback and MSSP Engagement: Splunk previously sued Cribl over cost management, though resulting damages were only one dollar, demonstrating that some vendors initially get upset. However, Cribl is highly engaged with MSSP/MDR providers because its flexibility dramatically lowers their integration costs and time, allowing them to get paid faster and offer a wider suite of services.

    Pricing Models: Cribl offers two main models:

    Self-Managed (Stream & Edge): Uses a topline license (based on capacity/terabytes purchased).

    Cloud (Lake & Search): Uses a consumption model (based on credits/what is actually used).

    Empowering the Customer: Cribl's mission is to empower customers by opening choices and enabling their goals, contrasting with other vendors where it's "easy to get in, the data never gets out".
    What is BSides ICS?

    2026/1/13 | 52 mins.
    Summary:

    Timothy De Block sits down with Mike Holcomb, founder of UtilSec, to discuss the critical and often misunderstood world of Operational Technology (OT) and Industrial Control Systems (ICS) security. Mike shares the origin story of BSides ICS, a global community-driven event designed to bridge the gap between IT security, engineering, and plant operations. The conversation dives into the "myth" of the air gap, the physical security risks in manufacturing, and why small utilities are the next major front in the cyber arms race.

    The Reality of OT Security

    The Vanishing Air Gap: While many believe OT systems are isolated, true air gaps are rare. Connectivity is driven by contractors dropping 5G hotspots for remote troubleshooting or employees charging phones on engineering workstations, inadvertently bridging OT networks to the internet.

    Physical Security is Cyber Security: If an attacker can physically touch a device, they can own it. Mike shares a story of a VPN concentrator being stolen from a data center because there were no cameras and physical access was loosely controlled.

    IT/OT Convergence: OT security is now "cyber security" because it involves TCP/IP packets, Windows machines in production environments, and networked PLCs (Programmable Logic Controllers) and HMIs (Human Machine Interfaces).

    BSides ICS: A Practical Community

    Origin Story: BSides ICS was born out of a desire for a practical, down-to-earth alternative to highly academic or expensive "bleeding edge" conferences.

    Global Expansion: Following a successful flagship event in Miami, BSides ICS is expanding globally in 2026 with events planned for Australia, Singapore, Argentina, Mexico City, and Bristol (UK).

    Miami Flagship Details:

    Date: February 23, 2026 (Monday before the S4 conference).

    Location: Miami Dade College, Wolfson Campus.

    Keynotes: Bryson Bort and Dr. Emma Stewart.

    Features: Lockpick Village, ICS Village CTF (Capture the Flag), and a focus on diversity (achieving 50% women speakers last year).

    The Threat Landscape: State Actors vs. Activists

    The Hybrid Threat: Mike discusses his research on the alignment of state adversaries (low frequency, high impact) and activists (high frequency, low impact). The concern is a move toward a high-frequency, high-impact threat environment.

    The "Long Tail" of Utilities: There are 50,000 water utilities in the U.S., and 35,000 of them serve fewer than 500 clients. These "mom and pop" utilities lack the budget for basic IT security, let alone advanced OT monitoring, making them highly vulnerable targets.

    Lessons from Colonial Pipeline & Jaguar Land Rover: Major incidents have shifted executive mindsets. Jaguar Land Rover's plants were down for five weeks due to fundamental failures in backup and recovery, highlighting that even large companies struggle with security basics.

    How to Get Started in OT/ICS

    Empathy is a Tool: The biggest problem in the field is a lack of empathy between IT and OT teams. Successful security requires understanding the engineer's goal (keeping the plant running) before enforcing security controls.

    Free Resources: Mike provides over 40 hours of free course content on YouTube, covering OT essentials, OSINT, and pen testing for OT.

    Resources Mentioned

    Mike Holcomb’s Website: mikeholcomb.com (Training, consulting, and course links).

    BSides ICS Website: bsidesics.org.

    Standards: IEC 62443 (The global framework for securing OT/ICS).
    Cybersecurity Career Panel: Transitioning from Technical to Leadership

    2026/1/06 | 54 mins.
    Summary:

    In this episode, Timothy De Block sits down with a panel of cybersecurity leaders—Chris Anderson, Roger Brotz, and Mike Vetri—to discuss the realities of moving from "boots on the ground" technical roles to senior leadership. The conversation explores the challenges of letting go of the keyboard, the critical importance of emotional intelligence, and why "empathy" is a high-performance tool in a high-stress industry.

    Meet the Panel

    Chris Anderson: Security Consultant and Architect known for his "pot-stirring" approach to solving complex organizational security problems.

    Roger Brotz: CISO at Arcadia Healthcare with over four decades of experience, starting his journey in 1977.

    Mike Vetri: Senior Director of Security Operations at Veeva and former Air Force cyber operations officer.

    Main Topics & Key Takeaways

    The "Passion" to Lead

    The panel dives into the true meaning of leadership, noting that the word "passion" stems from the Latin word for "suffering". Leading a cyber team means being willing to suffer through mistakes and high-pressure incidents alongside your team.

    Empathy as a Business Metric

    Mike shares a pivotal study indicating that leaders who embrace emotional intelligence and empathy often exceed their annual revenue goals by 20%. Conversely, a lack of empathy directly correlates to high burnout and employee turnover.

    Learning to Fail Fast

    The leaders recount personal failures, from failing to recognize team burnout during 16-hour-a-day incident responses to the "pride" of holding onto technical tasks for too long. They emphasize that failure is not a roadblock but a necessary inflection point for growth.

    Bridging the Gap: Technical vs. Business

    A major challenge for new leaders is translating "this is bad" into actionable business risk. Leaders must learn to speak the language of the boardroom, focusing on profit protection and risk management rather than just technical vulnerabilities.

    Actionable Advice for Aspiring Leaders

    Set Boundaries Early: Don't let your job intrude on your personal life until it's too late; once you establish a habit of always being available, it’s hard to pull back.

    Find Your Barometer: Use a spouse or a trusted peer as a "barometer" to tell you when your stress levels are negatively impacting your leadership style.

    Work-Life Harmony: Move away from the idea of a perfect "50/50 balance" and strive for harmony where your professional and personal lives can coexist.
    What is React2Shell (CVE-2025-55182)?

    2025/12/30 | 57 mins.
    Summary:

    Frank M. Catucci and Timothy De Block dive into a critical, high-impact remote code execution (RCE) vulnerability affecting React Server Components and popular frameworks like Next.js, a flaw widely referred to as React2Shell.

    They discuss the severity, the rapid weaponization by botnets and state actors, and the long-term struggle organizations face in patching this class of vulnerability.

    The Next Log4j? React2Shell (CVE-2025-55182)

    Critical Severity: The vulnerability, tracked as CVE-2025-55182 (and sometimes including the Next.js version, CVE-2025-66478, which was merged into it), carries a maximum CVSS score of 10.0.

    The Flaw: The issue is an unauthenticated remote code execution (RCE) vulnerability stemming from insecure deserialization in the React Server Components (RSC) "Flight" protocol. This allows an attacker to execute arbitrary, privileged JavaScript code on the server simply by sending a specially crafted HTTP request.

    Widespread Impact: The vulnerability affects React 19.x and other popular frameworks that bundle the react-server implementation, most notably Next.js (versions 15.x and 16.x using the App Router). It is exploitable in default configurations.

    Rapid Weaponization: The speed of weaponization is "off the chain". Within a day of public disclosure, malicious payloads were observed, with activities including:

    Deployment of Mirai botnets.

    Installation of cryptomining malware (XMRig).

    Deployment of various backdoors and reverse shells (e.g., SNOWLIGHT, COMPOOD, PeerBlight).

    Attacks by China-nexus threat groups (Earth Lamia and Jackpot Panda).

    The Long-Term Problem and Defense

    Vulnerability Management Challenge: The core problem is identifying where these vulnerable components are running in a "ridiculous ecosystem". This is not just a problem for proprietary web apps, but for any IoT devices or camera systems that may be running React.

    The Shadow of Log4j: Frank notes that the fallout from this vulnerability is expected to be similar to Log4j, requiring multiple iterative patches over time (Log4j required around five versions).

    Many organizations have not learned their lesson from Log4j.

    Because the issue can be three or four layers deep in open-source packages, getting a full fix requires a cascade of patches from dependent projects.

    Mitigation is Complex: Patches should be applied immediately, but organizations must also consider third-party vendors and internal systems.

    Post-Exploitation: Assume breach. If the vulnerability was exposed, it is a best practice to rotate all secrets, API keys, and credentials that the affected server had access to.

    WAF as a Band-Aid: A Web Application Firewall (WAF) can be a mitigating control, but blindly installing one over a critical application is ill-advised as it can break essential functionality.

    The Business Battle: Security teams often face the "age-old kind of battle" of whether to fix a critical vulnerability with a potential break/fix risk or stay open for business. Highly regulated industries, even with a CISA KEV listing, may still slow patching due to mandatory change control and liability for monetary loss if systems go down.

    The Supply Chain and DDoS Threat

    Nation-State & Persistence: State actors like those from China will sit on compromised access for long periods, establishing multiple layers of backdoors and obfuscated persistence mechanisms before an active strike.

    Botnet Proliferation: The vulnerability is being used to rapidly create new botnets for massive Denial of Service (DoS) attacks.

    DoS attack sizes are reaching terabits per second.

    DDoS attacks are so large that some security vendors have had to drop clients to protect their remaining customers.

    Supply Chain Security: The vulnerability highlights the urgent need for investment in Software Bills of Materials (SBOMs) and Application Security Posture Management (ASPM)/Application Security Risk Management (ASRM) solutions.

    This includes looking beyond web servers to embedded systems, medical devices, and auto software.

    Legislation is in progress to mandate that vendors cannot ship vulnerable software and to track these components.

    Actionable Recommendations

    Immediate Patching: This is the only definitive mitigation. Upgrade to the patched versions immediately, prioritizing internet-facing services.

    Visibility Tools: Use tools for SBOMs, ASPM, or ASRM to accurately query your entire ecosystem for affected versions of React and related frameworks.

    Testing: Run benign proof-of-concept code to test for the vulnerability on your network. Examples include simple commands like whoami. (Note: Always use trusted, non-malicious payloads for internal testing.)

    Monitor CISA KEV: The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.

    Research: Look for IoCs (Indicators of Compromise) and TTPs (Tactics, Techniques, and Procedures) associated with post-exploitation to hunt for pervasive access and backdoors.

    Resources

    China-nexus cyber threat groups rapidly exploit React2Shell ... - AWS, accessed December 12, 2025, https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/

    How react2shell-guard Gives Devs a Practical Response Plan | by am | IT Security In Plain English | Dec, 2025, accessed December 12, 2025, https://medium.com/it-security-in-plain-english/how-react2shell-guard-gives-devs-a-practical-response-plan-5f86b98c44e4

    CVE-2025-55182 – React Server Components RCE via Flight ..., accessed December 12, 2025, https://www.offsec.com/blog/cve-2025-55182/

    Security Advisory: Critical RCE Vulnerabilities in React Server Components & Next.js - Snyk, accessed December 12, 2025, https://snyk.io/blog/security-advisory-critical-rce-vulnerabilities-react-server-components/

    React2Shell flaw (CVE-2025-55182) exploited for remote code execution, accessed December 12, 2025, https://news.sophos.com/en-us/2025/12/11/react2shell-flaw-cve-2025-55182-exploited-for-remote-code-execution/

    Detecting React2Shell: The maximum-severity RCE Vulnerability affecting React Server Components and Next.js | Sysdig, accessed December 12, 2025, https://www.sysdig.com/blog/detecting-react2shell

    CVE-2025-55182 - CVE Record, accessed December 12, 2025, https://www.cve.org/CVERecord?id=CVE-2025-55182

    React2Shell (CVE-2025-55182): Critical React Vulnerability | Wiz Blog, accessed December 12, 2025, https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182

    React2Shell Security Bulletin | Vercel Knowledge Base, accessed December 12, 2025, https://vercel.com/react2shell

    React2Shell and related RSC vulnerabilities threat brief: early ..., accessed December 12, 2025, https://blog.cloudflare.com/react2shell-rsc-vulnerabilities-exploitation-threat-brief/

    CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos ..., accessed December 12, 2025, https://www.trendmicro.com/en_us/research/25/l/CVE-2025-55182-analysis-poc-itw.html

    React2Shell: Decoding CVE-2025-55182 – The Silent Threat in React Server Components, accessed December 12, 2025, https://blog.qualys.com/product-tech/2025/12/10/react2shell-decoding-cve-2025-55182-the-silent-threat-in-react-server-components

    Serious React2Shell Vulnerabilities Require Immediate Attention, accessed December 12, 2025, https://www.sonatype.com/blog/react2shell-rce-vulnerabilities-require-immediate-attention

    React2Shell and the Case for Deception in Your Vulnerability Management Program, accessed December 12, 2025, https://www.zscaler.com/blogs/product-insights/react2shell-and-case-deception-your-vulnerability-management-program
    [RERELEASE] What is application security?

    2025/12/23 | 24 mins.
    Frank (@en0fmc) has a lot of experience with application security. His current role is the director for web application security and product management at Qualys. He's also the chapter leader for OWASP Columbia, SC. He lives and breathes application security. In this episode we discuss: what application security is; why it's important; where it should be integrated; and resources.

About Exploring Information Security - Exploring Information Security

The Exploring Information Security podcast interviews a different professional each week exploring topics, ideas, and disciplines within information security. Prepare to learn, explore, and grow your security mindset.
v8.3.0 | © 2007-2026 radio.de GmbH
Generated: 1/21/2026 - 9:08:37 PM