Retrospective: CRISP Autumn Training – Boston 2025

At Verizon's Boston offices, the CRISP Autumn Training ran over two days and featured two technical sessions led by Patrick Kelley and Jared Haviland of Critical Path Security. Their focus: how Léargas, Zeek, and OT/ICS protocol analyzers turn raw industrial traffic into precise, auditable detections that operators can act on fast.

Why this workshop mattered

Kelley and Haviland anchored the training in current realities: OT/ICS incidents aren't hypothetical, and the blind spot is often at the protocol layer. Their message was straightforward: pair Zeek's deep protocol visibility with CISA's ACID to surface behaviors traditional IT tools miss, then push those insights into workflows operators actually use.

What they showed

Zeek's evolution and deployment. The instructors walked through practical changes from Zeek 7 to Zeek 8 (enhanced telemetry, storage improvements, broader analyzer coverage, and modern build requirements), then translated that into deployment choices (Dockerized OT builds, tuned workers, and packet-loss discipline) that matter in…

SaaS Integrations: When Convenience Becomes the Attack Surface

Google's Threat Intelligence team recently published findings on data theft campaigns exploiting integrations between Salesforce, Drift, and Salesloft. The research highlights a growing challenge in cybersecurity: the risk isn't always in the core application, but in the web of connections that tie platforms together. These integrations are designed to increase efficiency, but they can also silently expand the attack surface. A single OAuth token, once granted, may continue to live on even after an app is retired. If abused, that token can provide adversaries with broad access across business-critical platforms.

Systemic Risks, Not Isolated Failures

This incident is not about one company doing something wrong. It's a systemic problem. SaaS tokens are built for convenience, but they don't always align with the realities of secure lifecycle management. In one example, a token tied to an application decommissioned more than a year earlier was still active and later abused by attackers.…

Critical Path Security Joins the Atlanta Falcons Associate Partner Program

At Critical Path Security, we've always believed that cybersecurity is about more than firewalls, alerts, and incident response; it's about people, community, and resilience. Today, we're proud to announce a new chapter in our journey: we've joined the Atlanta Falcons Associate Partner Program. This partnership, spanning the next three seasons, is an opportunity to strengthen our presence in the Southeast and continue connecting with the industries and communities we protect every day.

Why the Falcons?

The Falcons stand as a symbol of grit, discipline, and teamwork, the same qualities we've built our company on. Just like the game on the field, cybersecurity is about anticipating threats, adapting strategies in real time, and delivering results under pressure. Aligning with the Falcons allows us to bring that message to a wider audience while showing that strong defense isn't just for the gridiron.

What This Means for Our Clients and Community

As an Atlanta Falcons Associate…

Countering Chinese State-Sponsored Cyber Activity: New Threat Intelligence for Defenders

Nation-state actors continue to sharpen their tools and broaden their reach. A newly released Joint Cybersecurity Advisory (CSA) from NSA, CISA, FBI, and allied partners around the world details how Chinese state-sponsored threat actors are compromising telecommunications, government, transportation, lodging, and even military infrastructure networks across the globe. These operations, which overlap with industry-tracked groups such as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, focus on large backbone routers, provider edge devices, and customer edge routers. Once inside, adversaries use trusted connections to pivot into additional networks, modifying configurations to maintain long-term, persistent access.

What the Advisory Reveals

The advisory lays out the tactics, techniques, and procedures (TTPs) used by these actors, mapped to the MITRE ATT&CK framework. Key points include:

Initial Access: Exploitation of well-known CVEs (including Ivanti, Palo Alto, and Cisco vulnerabilities such as CVE-2023-20198 and CVE-2024-3400). Zero-day use has not been observed to date.

Persistence: Modifying…
