Practical defenses from Huntress: inventory, KEV prioritization, MFA and user hygiene to 'get ahead' of ransomware

FBI Cyber Division (Ahead of the Threat podcast) · February 25, 2026


AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

John Hammond of Huntress told the FBI podcast that defenders should start with asset inventories, prioritize known‑exploited vulnerabilities, adopt phishing‑resistant authentication and address basic hygiene like least privilege and detection for social‑engineering tricks such as 'click fix.'

In a wide‑ranging interview on the FBI’s Ahead of the Threat podcast, John Hammond, senior principal security researcher at Huntress, laid out practical, prioritized steps organizations can take to reduce risk from ransomware, credential theft and device compromise.

Hammond said the first step is visibility: "Build out that asset inventory...what are the IP addresses, what's the host name, what's the barcode serial number if you have to go that deep. Just know your environment," he said. The conversation returned repeatedly to that theme: inventory drives the ability to prioritize and patch.

On vulnerability prioritization, Hammond recommended focusing on externally facing devices and KEV entries with high severity. "That's the compass...let's think about what's externally facing," Hammond said, pointing to the CISA Known Exploited Vulnerabilities catalog as an operational filter for immediate remediation.
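As an added example (not from the podcast, Huntress or CISA), the prioritization described above as a short Python script: it joins a constructed asset inventory against a constructed KEV-style feed (placeholder CVE IDs; field names follow the shape of CISA's KEV JSON) and ranks externally facing hosts with high-severity KEV entries first.

```python
import json
from dataclasses import dataclass

# Constructed sample feed in the shape of CISA's KEV JSON catalog. The CVE IDs are
# placeholders, not real entries; only the fields used below are included.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "product": "EdgeGateway", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "product": "FileShare", "knownRansomwareCampaignUse": "Unknown"},
]})

@dataclass
class Asset:
    hostname: str
    ip: str
    externally_facing: bool
    findings: dict  # CVE id -> CVSS base score as reported by a scanner

# Constructed inventory: the interview's point is that this list must exist before
# anything can be prioritized.
INVENTORY = [
    Asset("vpn-01", "203.0.113.10", True, {"CVE-0000-0001": 9.8, "CVE-0000-0003": 5.3}),
    Asset("fs-01", "10.0.0.5", False, {"CVE-0000-0002": 8.8}),
    Asset("wks-07", "10.0.0.42", False, {"CVE-0000-0003": 5.3}),
]

def load_kev(feed_json: str) -> dict:
    """Index the feed by cveID so lookups during ranking are O(1)."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(inventory, kev, high_threshold=7.0):
    """Rank (host, CVE) pairs: KEV-listed first, then externally facing,
    then ransomware-linked, then by CVSS score."""
    rows = []
    for asset in inventory:
        for cve, score in asset.findings.items():
            in_kev = cve in kev
            ransomware = in_kev and kev[cve].get("knownRansomwareCampaignUse") == "Known"
            rows.append({"host": asset.hostname, "cve": cve, "score": score,
                         "kev": in_kev, "external": asset.externally_facing,
                         "ransomware": ransomware, "high": score >= high_threshold})
    rows.sort(key=lambda r: (r["kev"], r["external"], r["ransomware"], r["score"]), reverse=True)
    return rows

def immediate_remediation(inventory, kev):
    """The 'compass' from the interview: externally facing hosts with high-severity KEV entries."""
    return [r for r in prioritize(inventory, kev) if r["kev"] and r["external"] and r["high"]]
```

Everything else in the ranked list is still work, but the `immediate_remediation` slice is the queue that should be owned and dated first.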

Hammond and Brett Leatherman discussed credential‑stealing malware and the criminal market that commoditizes stolen credentials. "Attackers don't break in, they log in," Hammond summarized, describing how info‑stealers harvest browser‑saved passwords and session tokens that are then traded on criminal marketplaces and used to stage ransomware and business‑email compromise.

On authentication, both guests favored phishing‑resistant MFA and hardware tokens over SMS and push notifications. "Those hardware tokens do add more security," Hammond said. They also recommended password managers and rolling out multifactor options for priority users.

Hammond described a social‑engineering trend called "click fix," in which a webpage instructs a user to paste and run commands (via the Run dialog or clipboard), leading the victim to execute a malware dropper. He called awareness and stopping risky user behaviors a key defense and recommended least‑privilege accounts and allow‑listing to limit damage from content executed by users.

Finally, Hammond recommended pragmatic, incremental progress: pick controls from the FBI’s Operation Winter Shield list that yield traction, assign owners, and maintain human‑in‑the‑loop processes when using automation or AI for detection. "Cherry pick what's the easiest thing for you to get started on…What is the best thing to get some buy in and some forward motion?" he asked.

Why it matters: the interview translates high‑level government advisories into specific, achievable steps for defenders and executives, emphasizing visibility, prioritized patching, authentication hardening and user education.

What’s next: the hosts point listeners to fbi.gov/wintershield and cisa.gov for KEV and additional resources and encourage reporting breaches to the FBI to bring threat intelligence to bear.