PC Matic Webinar Series
Throughout the pandemic, PC Matic has brought you an array of topics in our webinar series. From advice for providers to security issues for customers, we have tried to cover topics for everyone. But what about cyberattacks? Let's delve a little deeper.
In the latest of these videos, we go in-depth on cyberattacks. Are we overestimating the level of sophistication behind most of them? Security experts Terry McGraw of PC Matic and Allison Wikoff, Senior Strategic Cyber Threat Analyst at IBM Security X-Force Threat Intelligence, discuss this and much more in a fascinating conversation.
Full transcript below video.
Hey, welcome, everyone, to our webinar today. I am blessed to have Allison Wikoff with me, a famed researcher and a very, very accomplished person in her own right and in other categories as well. I am, of course, Terry McGraw of PC Matic. PC Matic is, you know, a patented application whitelisting technology that we offer to commercial as well as government entities. And Allison, if you could, could you give us some intro about yourself, some background about yourself, and sort of what you do with IBM's X-Force?
So I am Allison Wikoff. I have been in the information security field for about 20 years, which is sort of hard for me to say. It's sort of like taking a bullet, but I have had a variety of roles in this space.
So I spent the first half of my career doing network defense for a lot of private companies.
And during that time, shifted to doing incident response and threat intelligence. And then the latter half of my career, I took that experience and shifted it into research.
And so in the past, I guess, almost 7 or 8 years at this point, I've been doing specific research on threat actors and intrusions. Basically, threat intelligence work. So it was a really nice transition. I'm a naturally very curious person, so being able to spend a lot more time on who did it, and why they did it, has been great.
My research focus has really been more on the nation-state side of things. So I've done a lot of work on Iran.
But I generally tend to spend my time on nation-state threats, emerging threats, things of that nature.
And then in my spare time, I teach, because I have spare time, as a professional, researcher, mother, and teacher.
Yeah, that's great. OK, so tell me a little bit about IBM X-Force, just tipping our hat to one of our future.
Sure, so X-Force is a part of IBM Security, and the team that I'm on specifically supports the incident response practice.
So we do a lot of collection from our incident response practice, and support them specifically with various threat intelligence services.
You and I have done this kind of roadshow for many a year, and it usually happens in, but what I wanted to get your thoughts, and really your expertise, around is
the linking of what we're seeing, commoditized, you know, e-crime and that tradecraft,
and what is derivative, if any, from nation state.
It seems like tradecraft in the commodity space has gotten more sophisticated, but mostly due to tooling.
But their tooling came from somewhere, versus freely available on the dark web, you know? But what are your thoughts on sort of the link between, you know, advanced actors and how that gets commoditized?
So I think there's this misnomer with advanced actors.
And in some cases, you know, e-crime actors can actually be more advanced than nation-state actors. You know, their malware a lot of times can be much more complex than what we're seeing nation-state actors use.
Many times because it has to scale across a large number of victims. With that said, there are also e-crime actors that look a lot like what we consider traditional APT-style actors.
They do reconnaissance on targets, they conduct spear phishing, they move laterally in the networks. So, you know, there's a really fine line when we're talking about tradecraft for these particular actors.
It's not like e-crime is really unsophisticated and nation-state actors are the end-all, be-all. The other thing to really consider in this space is, you know, what we're calling a sophisticated threat actor. This is not a binary designation whatsoever. I mean, these are humans behind the keyboard, and I think we forget that a lot of times.
You know, I have seen really sophisticated nation state actors, make mistakes, you know, I hope I can talk about a couple of things that we’ve seen.
And then we've seen criminal groups that, you know, I was reading a recent indictment of some members of a criminal group, and they were using Jira to track various aspects of their intrusion and malware development. I mean, that's just insane.
So we really have to remember again, this kind of designation of sophistication of an actor is not binary and it's not a concrete designation. There are humans behind the keyboard and we all have moments of brilliance and moments of just epic failure.
Sure. I actually like to make sort of the analogy of a global marketplace. You have venture capitalists, you have retailers and manufacturers, and you have a global exchange and an exchange rate.
And at the end of the day, there is certainly a downward pressure in pricing based on availability and use.
Do you think that global market-style economy is why we see the prevalence of more sophisticated weaponry, if you will, being used by a larger base?
You know, it's really hard to say, Terry, because one of the things that we are seeing a lot of is actors using openly available tools, and tools available on GitHub.
So, you know, whether we've got threat actors who are spending a lot of time developing their tools, or just going out and modifying free things, it's really difficult to say.
So you believe that, you know, based on the availability of it, I mean, you mentioned GitHub and living off the land. And I laugh because … files. But you get the point. I mean, the nomenclature of living off the land and the lateral movement style seem to even be present in most of the ransomware attacks. I mean, it's following what we would have labeled as more sophisticated attack styles, where you do have sort of an initial vector, then you just sort of land and expand, you look in, enumerate the network, et cetera. Now, of course, for e-criminals, the idea is to lock up as much of your network as possible for you to pay. But it does seem to follow that same style of, you know, land and expand that we used to only see in more sophisticated.
I agree with that statement. I 100% agree, and I think it's really challenging as an organization when you're investigating something like that to determine, you know, is this an advanced actor or a nation-state actor that is likely on my network for espionage purposes?
Or is this just the beginning of a ransomware attack? Because responding to those two things is very, very different, as you and I both know. But, yeah, the lines are really blurred between the tradecraft that we're seeing both styles of actors using, and just the broad availability of tools.
You know, personally, I don't know why
a lot of actors would develop their own tools when there are so many great tools that you can just download and modify, you know, and then that also muddies the water in terms of attribution.
Yeah. That's a good point about attribution. I mean, in the nation-state space, obfuscation of your activities can be done in a lot of ways.
One of those ways is also to use commoditized malware or things that are commonly found in environments. So tell me a little bit about attribution, since you spent a lot of time studying nation states.
I mean, if you're a practitioner in the trade and you're looking at activities, are there tell-tale signs that you're dealing not with just a run-of-the-mill, you know, e-crime attack, versus this is a campaign? Or is it too late when you find out?
You know, it's not too late when you find out, and when we're talking attribution, there are full-time jobs dedicated to doing attribution. And I will say that attribution is an art, not a science. It really is. It's not one of these things where you get a smoking gun. I mean, yes, that happens from time to time, but I can count on one hand in the last 10 years that I've been working on this type of thing that there's been a smoking gun type of situation, and there are usually other things in play. It's one of those things where you have to use some sort of model and follow it consistently.
It's not a gut feel.
And before I get into that, I will say, I think there's this misconception that there's a significant amount of time that a lot of actors spend using false flags.
Should I explain what I mean by false flags? Good, OK? So, false flagging in layman's terms is, essentially, somebody acting like someone else in order to hide your true identity. Basically, hoping the payment of the party. While this does happen, I think the most famous example is …
2.0, the persona that emerged after news broke in 2016 that the DNC and the Hillary Clinton presidential campaign had been compromised, with this persona trying to take responsibility for that activity. However, there were a lot of flaws in the execution.
And that’s, that’s sort of where this art of attribution comes into play.
False flagging happens a lot less than people might think. Most adversaries aren't really trying to avoid attribution. They're trying to just move through your network without being detected. So there are a fair amount of things that they can already do to obscure their true identities, but again, when they're operating it's never to say, like, I don't want you to find out who I am; it's I don't want you to see what I'm doing, so I can get in there and achieve my objectives.
Um, with that said, some of the groups that I've observed, they work working hours, 9 to 5, like you and I do.
And in their, you know, local areas where they reside, there are times exactly, and there are times they're there, and that's really helpful.
That's one factor in a lot of the different breadcrumbs that are left behind when an adversary is in your network or has been on it.
Everything from specific strings in a line of code that's left behind, working hours, the type of proxies that are used. A lot of threat actors have preferences as to where they hire out their VPSs, their virtual private servers, or where they register their domains.
And all of those things lead up to hopefully an educated hypothesis or a guess.
We use confidence statements in making attribution as to who's behind it.
Well, you know, I remember a former director of the CIA said that if you want certainty, you would be talking to the Army, not the CIA. Right. So the matter is, we don't get certainties when it comes to the intelligence world.
But, so let’s talk a little bit about prevalence of actors.
So you and I have had this discussion many a time, and we presented this to different, you know, customers at the time.
Um, do you still see the breakout of sort of, when I say advanced, I'm talking about actual named threat groups, versus what I would say is commodity threat? Is that still an 85 to 15 percent mix? And even then, that 15 percent is probably half insider activity rather than actual advanced tradecraft.
Does that number sound directionally accurate to this day, or do we see trends differing?
No, I think it's about the same, right?
There hasn't been a huge shift in how actors operate, and who's out there.
There are certain groups that have shifted over time.
Part of that's just due to time, part of that's due to public disclosure of actor tradecraft, and there were a lot of leaks a couple of years ago for some nation-state groups, and that forced them to retool.
And that made attribution fairly tricky. And new groups are cropping up, or new clusters of activity are cropping up, that certainly look a lot like these old groups that several of us were keeping an eye on.
But, back to the talk about attribution.
All these various aspects of trying to determine, you know, is this the group we've seen before? Those all changed when these public disclosures happened.
So I think, folks, you know, you and I talked about this as well. People learn tradecraft. They grow up learning certain techniques. They write code in certain ways. They're humans, so they do behave according to human patterns, and so that does still seem to bear out with your research. Does it?
No, it doesn't end, and that is probably one of the more fun, and again, I'm a nerd, and I live in this space of attribution, but it's wonderful.
One of the fun things that we get to see when we've focused on an area or a group for a while:
when we see very specific aspects of, like, how a piece of malware communicates back to its command and control server, even though we know this is a completely different cluster of threat activity, hey, this really looks like the developer of this tool over here has now moved over to this group and has developed this tool. Those sorts of things are really interesting, the human behavior aspects.
Another thing that I've seen is a really specific type of phishing document move between groups.
And just the style of how it was designed, like this very specific survey that's been used for, at this point, three years. And the theme has been updated, but the color scheme is the same and the list of questions is about the same. And it's still using the same flavor of Office document.
But it's clearly, uh-huh,
probably the same person or people that are developing this again, because we've all got habits and developers love to re-use code, right? So, yes. Yes.
Wants to use many.
Let's, I'll take the, you know, contrarian point of view here, just for the sake of our discussion: why even care about APT then? If it's a low percentage of prevalence, it has sort of no confidence ranges of attribution.
Why would a commercial entity really pay attention to threat intelligence these days?
Well, it's important to know who you're dealing with, and what you're dealing with.
I mean, not all APT actors are created the same, and the risk that you run with a lot of these is losing the crown jewels, for the sake of argument. I mean, most, not all, there's an exception to everything.
But most of the motivation behind those operations is some sort of collection objective.
So there's some sort of data within your network that these adversaries are particularly interested in, and depending on what the adversary is going after, a lot of times it's fairly transparent.
Do you really want these actors to have that information, just from a general, ah, … perspective? I mean, losing your crown jewels is awful, and losing your intellectual property is terrible, particularly if somebody's taking it to undercut
what you're doing as a business. But there are large ramifications for losing that kind of data.
Yeah, there's a reason the Chinese space shuttle looks like our space shuttle and why their Joint Strike Fighter looks a lot like our Joint Strike Fighter, but we won't go there. You know, I do.
And I share the fascination in tradecraft because of my former background and yours.
But I watch the market texture these days. And we go to RSA, and we see the same buzzwords used over and over again. And a lot of marketing seems to be centered around, you know, advanced tradecraft detection.
But it's really commodity malware that's kicking your **** and ransomware. And despite that it's adopted some advanced tradecraft techniques in the way it enumerates your environment, it's still freely available, it's really prevalent, and it's largely spray and pray, you know, minus a few exceptions, a minority category of exceptions. So what do you feel about,
you know, if I'm a practitioner and I'm in a mid-sized enterprise or a small municipality, let's say, where do I focus on the marketing? I mean, what is it I really need to pay attention to?
Well, you know, one of the things that we've seen at X-Force year over year, in terms of how adversaries are getting in, there's a really big focus on the end user.
So phishing, credentials, you know, and in terms of defending against that, and a lot of this goes and works for the nation-state actors as well, we've really got to defend the end point.
Yes, there are a lot of examples of scan and exploit, and that's still a very prevalent attack vector, but our end users are really a very important aspect of securing our network.
There are two things I think that we can really focus on. And it's something that as an industry we've been talking about for years and years, and you and I have been saying it for years too.
But multi-factor authentication. We're consistently seeing in our incident response practice that end user credentials are extremely vulnerable. Maybe they're being re-used across a million different things, or maybe they've been compromised somewhere else.
Maybe they've just fallen susceptible to, or end users are susceptible to, a credential grabbing attack. But this is a really big deterrent. And I understand that for a lot of organizations, it's really challenging, because you're adding another layer of,
I'm gonna say pain, but it's a culture shift within a lot of organizations to add multi-factor authentication. But it is so effective.
And until that becomes just like a part of doing the job, we're going to continue to be talking about this as an industry.
So that's one thing, and I'm super passionate about that, because when it comes down to it, the way adversaries are getting in, like, you watch these movies and it's so convoluted, and my husband refuses to watch that stuff with me because I'm like, it's always an e-mail. It's always a credential.
Like, it's never anything that sophisticated, and again, there are edge cases, but generally speaking, it's never like something like, wow.
So, you know, that's one thing.
He won't watch any of those movies with me.
I'm laughing, because it rings so true. Human response areas where, you know, the password was Bulldog12, to compromise your entire Active Directory structure. Yeah. I mean, it's so true.
And I empathize with the end users, right? Because all of us, even the non-IT folks, the people who live outside of our space, everybody has a lot of passwords to manage. And really, that second factor, you've just gotta figure out how to do it. And there are so many options available now. Think about what was available 20 years ago when I started in the field; there was really not a whole lot. You were carrying around these giant tokens. And I remember when we shifted to the keychain version of those, and that was awesome. And now I've got 5000 apps on my phone that I can use. So my company doesn't have to issue, you know, a little device. I can lock down all of my personal things with MFA as well. So it's great, and I know a lot of the solutions now
are coming with MFA free; you just have to enable it.
And just to drill this point home, because I really am extremely passionate about it, it's not just your e-mail and your VPN. It is any external access point into your environment. If there is a single factor,
the adversary is going to find that.
They really are. And this is nation state and criminals. There is a ransomware family that's been observed going through third parties, and using that third party's single-factor access to compromise that original company's customers.
So, you know, we've got to do it.
I actually would go a step further. I think it's almost malfeasance for security practitioners and businesses alike to not have it employed at this point.
I mean, the old thing, it puts my users out. That's ridiculous.
As you already said, there are so many ways to implement these days. To not have that everywhere, I think, is almost malfeasance if you're a security.
I mean, you've got a limited budget, though. It's a risk decision for a lot of companies. You know, I can do my webmail, but beyond that, do I have the bandwidth and the budget? And that's a constant struggle for security practitioners.
Even Google Authenticator, you know, is an option. I mean, there are so many low-cost, no-cost solutions that it's the old adage: I don't have to be faster than the bear. I just have to be faster than the guy next to me.
Right? At the rational, higher.
Anyway, you can point to that. My second one, yeah, I've got to that. And again, you're not going to be surprised by this because we've been having this conversation for years, but you've gotta have something on the endpoint that detects behavioral anomalies. So if the actors do get in and they get credentials, you do have something on your endpoints that can detect this anomalous behavior.
Another thing I would say that, professionally, people really get wrong is just because the actor got in,
it doesn't mean they achieved their objectives. You've still got time as an organization to get them out. If they're going to launch ransomware, it's going to take some time to get to where they need to go to do that. If they're there to take data, again, they're going to need some time to move around and find what they're looking for.
And having something on the endpoint that detects some of the weird behavior that maybe your users aren't actually doing allows you to hopefully stop the intrusion before the actors achieve their objectives.
So, who's doing it well?
As far as technologies are concerned, you and I, where we come from, we both represent companies that are in the security space, but who's out there doing it well?
You know, I really can't tell you, because I've been out of the network defense space for so long and I'm more in an advisory role. But I think it really depends on who you are as a company, right? So there isn't a single product or service that you can go out and buy that is going to solve all of your security issues. There's not a one-size-fits-all or one-product-fits-all approach. It's very much a risk decision.
You've got to do defense in depth, and not everything scales for everybody. I don't think everybody needs the gold standard of, you know, X, Y, and Z for their particular networks.
It's really, you know, what is the company comfortable with, what's your budget,
and what can you get done in a way that is just going to make it more difficult to get?
You know, traditionally PC Matic was born out of the consumer space, and we work in the small and mid-sized enterprise and municipal space, and everybody who's heard my webinars will hear me say you really have to figure out where you are in the cyber threat landscape.
What is your profile?
And what is your probability of being attacked by any certain group? If you're not doing business with, you know, the federal government, if you're not doing business in the energy sector, R&D, and biopharma, if you're just sort of running your auto parts business, or you're in your small community organization, you may not have to really worry about nation-state actors coming after you, unless you're a tangent to some other business relationship, to what you do is subscribe.
So I ask people to go through the, you know, don't look at yourself as yourself, look at yourself as an adversary: what do I represent to someone? That is either, you know, a commodity or a vector. And then sort of assess where you are. And PC Matic is very much in that prevention space. I mean, we're an application whitelisting solution.
So we believe that you lock your environment down to the greatest extent practical upfront, and then worry about how you identify the additional tradecraft after you lock the front door.
But unfortunately, we still see lots and lots of organizations that haven't done due diligence, and haven't even gone through the, where do I sit in the cyber threat landscape? What are the potential vectors that I have to face, and what risk am I willing to assume? They don't know what they're assuming, because they haven't even done the risk assessment yet.
Like, that's what I think is a huge step.
Well, and I think, again, for these smaller companies, these mid-size type companies, it's really hard to have the resources to spend the time to do that introspection, to think about, OK, well, what kind of threat actor
would go after a company like mine? And to that I would say there are a lot of companies out there that will do that for you.
So my team specifically at IBM does those kinds of strategic threat assessments for companies, so they don't have to. You know, I'm an expert in the threat space, like, tap me and I will write a document for you and tell you, based on my experience, these types of adversaries are going to come after your company.
And these are the types of things that we recommend you do to defend against this type of stuff.
So if you don't have the resources in house, find an organization that can help you. I think one of the biggest mistakes a lot of companies can make is being so insular in their security programs.
I mean, there are so many companies out there that have a really broad view of the threat landscape, and can add a lot of color to your security program, whether it be in an advisory role or a more services-based role.
That's interesting. I'm going to shift gears a little bit. I don't know how familiar you are with the new CMMC framework that the DoD's rolling out.
Not at all.
Well, so, it's interesting, because it takes a lot of the NIST frameworks, particularly, you know, the cyber maturity modeling, if you will, and then various forms of NIST. In this particular case, it's 800-171, but the Fed is now requiring it of the defense industrial base, like anyone who services an entity of DoD. And GSA is now reserving the right to use it in their scheduling as well.
Which means that lots of people who didn't think they had to play in that space are now going to have to play in that space.
But the reason I mention it is that framework goes to what you and I were talking about. It forces... I'm not always a big believer in compliance, or blind compliance, but I do believe the frameworks are good to force you to think about things.
And this framework I like a lot, because it makes them address things, and it's scaling up: the more things and the higher sensitivity you are, where you are in the threat landscape, the more you have to ratchet up your environment. And I think it's a great framework. I mean, we like it because it actually calls out application whitelisting as some of the more sophisticated things you can do, like a plus for us. But what do you feel, what's your view on industry frameworks, and helping businesses, or, you know, a new CEO coming in? Do you have a recommendation of a framework? Or how does IBM X-Force help a company do that?
So, um, off the top, in terms of X-Force, I know we have programs at IBM Security that can help with that sort of assessment. And I think for frameworks, there are a lot of really great ones out there. I think the important thing is to pick one that's applicable to your organization and stick with it. You can't jump frameworks, because you're just going to get yourself confused.
So I spent a lot of time with 800-53 and 800-53A, which makes me a little bit, I think this might, I don't know, it's still there. They're like, yeah, it's been a while. But what I always liked about them is they were very clear-cut, no-nonsense, common sense, and in that regard very easy to follow. So I imagine that the framework that you mentioned is similar. I mean, good.
Even though they're very long, detailed documents, I found them always to be very straightforward, and not written at a level where somebody couldn't read them and take what the spirit of a lot of these controls was and implement them into their environment.
So switching gears again, just because I want to cover a lot of topics here. So you spend a lot of time looking at nation-state actors, and I know that you focus on Iran.
What would be something surprising? And what's a neat fact related to your research that most people wouldn't know, that you can share, of course?
Well, we actually did some really exciting research earlier this year. I can think of a couple of things
in my career I've done that really kind of made me take a step back and go, wow, that's crazy. And this was one of them. So it actually started,
it all started in May. There was a news article that came out about a group that we call ITG18; they're called Charming Kitten or Phosphorus in open sources.
So in May 2020 news broke that this group had targeted pharmaceutical executives' personal accounts.
Before I dig into that, do you want me to give, like, an overview of …, OK? Yeah, so they're a pretty interesting group. They've probably been in operation since at least 2013, and they're a cyber espionage group that seems to gather intelligence that benefits the government of Iran. The hallmark of their activity is spear phishing individuals of interest, specifically targeting the credentials for these individuals'
personal accounts, which is something that we can get back to, or go on talking about, but think like Gmail and Hotmail. They've used strategic web compromises in the past. They've also used something called the Browser Exploitation Framework, or BeEF.
But back to the pharmaceutical targeting: for folks who didn’t spend a lot of time, or don’t spend a lot of time, tracking threat actors, this really seemed out of place if you haven’t been following the group.
Now, I find this group really interesting, right? Again, I’m a dork and this is the space I like.
But they have what we like to call blended objectives, right? So they will pivot their operations to support topical and long-term strategic objectives. And this was the inspiration for the blog that we sort of set out to do at X-Force a couple of months ago.
Um, but let me backtrack, I don’t want to just babble. So what do I mean by blended objectives?
Or why was this targeting sort of out of the ordinary for them, or seemingly out of the ordinary?
They have a wide range of targets. So they will, and have consistently, gone after Iranian dissidents, Iranian folks residing in other countries, think scientists, journalists, as well as global media, military, government officials.
But they also pivot based on current events, so they targeted OFAC, the Office of Foreign Assets Control,
which is part of the Treasury, that manages a lot of the financial sanctions.
These folks were targeted in late 2018, and if we think about what was going on then, in terms of the US and Iran, the US left the JCPOA and sanctions were being reinstated. So it made a lot of sense to get a leg up on what was going to happen. So recently, in May, news breaks of pharmaceutical targeting from this particular group.
Well, if you take a look at what was going on in Iran during that time, that’s around the time that COVID was spiking there.
So we were going to write this blog on just the fact that, you know, this group pivots.
In the case of this particular instance, we actually found that the infrastructure that was used for that pharmaceutical targeting had been registered in April of 2019, when there was no COVID. Imagine that. So we’re like, cool, not only do they shift their objectives, but they also use their infrastructure for multiple objectives. So this is going to be a really fun strategic blog to write.
One of the things that we do as researchers, when we decide we’re going to publish something publicly, is weigh the risks of tipping the hand of the adversary and having them change their tactics, because that’s something we never, ever want to do. You know, we won’t talk about things publicly if we think that we’re going to lose insight into how the adversaries operate.
But then the other thing we do, and this is probably no surprise, is we collect everything that we can find on that adversary and analyze it. And in the course of doing that for this particular threat group, we discovered videos on a server associated with their operations, and the videos were essentially training videos for operators.
So I just talked a whole lot, but I’ll boil it down into a couple of sentences to summarize what I just said.
We found training videos for a group that works on behalf of a government, training other operators on how to access compromised accounts, and I’ve seen a lot of things, but I have not seen anything like that before.
So to say that we were excited would be a gross understatement. It was really amazing.
Go ahead, keep going. Yeah, but you and I spent a lot of time talking about hands-on-keyboard activity, right? Now, it’s one thing to see it in a tool. It’s a whole other thing to see that an operator has recorded themselves, and to watch them move the mouse on a desktop, typing in a URL, fat-fingering things in some cases, you know it.
We know that there are humans behind the keyboard, but to be able to see something like that.
It was really just mind-blowing, to be perfectly honest, and we’ve got, I will make sure to include it to you, but we’ve got a link on that research, which was really very, very exciting.
That’d be great. It does segue into another topic I wanted to talk about, which is blackmail of home users or compromised users. So one of the things that we have at PC Matic, especially with school districts now working remotely, et cetera. And, you know, although it’s not really security, the Zoom bombing and those kinds of things are, you know, things that we don’t want our kids to be exposed to. But the school districts were woefully unprepared for extending their networks out to the home, and so there are the topics of BYOD, what’s appropriate security at home, et cetera.
So in this new sort of extended BYOD environment, in this extended virtual environment, how do you address the things that are normally corporate America, or, excuse me, corporate-owned infrastructure versus privately owned infrastructure? And we’ve talked about ensuring that you have appropriate, you know, endpoint security for the home user, et cetera, but so, two questions there.
One, you do BYOD, and on the data architecture side, do you extend the controls down to the end user? And have you had instances? I know the answer is yes. That’s why I’m asking you. Home users that have been blackmailed for company purposes.
Yeah, so I think, first of all, we have to address the fact that even before COVID, like, the perimeter of an organization’s network, it’s just not a pretty line. You can’t draw a circle around it. I mean, ITG18, Charming Kitten, the group I was just telling you about, is a perfect example, and there’s a million, there’s a lot of other groups out there that operate similarly.
So this group is going after personal accounts. Well, you know, we don’t own the personal accounts of our employees. How do we defend against that?
One of the things, and again, we talk about this non-stop, is training programs.
So I think everyone, for the most part, has a social engineering type training program. But take a second look at those programs. Does that include your personal device, your personal resources, your Gmail accounts, your LinkedIn, your Facebook?
You know, do your employees have a way to report suspicious activity on those accounts to you as a network defender, or do you have the resources to investigate those sorts of things?
I mean, I think, you know, we’re definitely in uncharted or unprecedented times in terms of work from home and BYOD, and I know. You know.
We have done, IBM Security did a study when COVID happened and everyone moved remotely, and a lot of people didn’t have any experience.
I think, like, 83% in our study, 83% of people didn’t have experience working from home or didn’t have the right tools prior to the pandemic.
Yeah. In one of the webinars I just gave, we talked about, you know, look, you really have to treat everything as a dirty domain now, and you have to use a much more granular user-object permission schema, i.e., let’s talk about not only zero trust architectures but MFA. Again, like, MFA is now even more important than it ever was, to include some, you know, MFA plus, you know,
some other analytics that would help determine who’s good and who’s not. You know, even logging in from the place I’m supposed to be logging in from, et cetera.
But I remember reading an article recently where a network admin of a company in the Middle East had some rather illegal pornographic material on his home computer.
That was compromised by an adversary, and they blackmailed him into giving up the credentials. Right. I mean, the days of the network admin being able to address that are over. Right.
You just have to sort of say, how do I extend my security architectures to the home, or account for the fact that that’s going to happen? In which case, we say audit, on audit, or to the best extent you can. But I think that kind of activity is going to become even more prevalent.
I really do, I think that compromise of the home as a factor into the environment is going to become a more popular attack vector as everyone stays home. And not everyone left with a corporate-owned device to plug in on the VPN.
Right, and everybody says policies need to change, too. I mean, policies need to address the fact that that’s going to happen, and people are going to be working from home for a fair amount of time again.
A study that we did, again, like most people had not, and I think the percentage was about 40 to 50%, hadn’t been given new guidelines for working from home. How do they handle PII in their home? I mean, not everyone has a shredder.
What do you allow to be downloaded on a personal computer? Exactly.
If you allow for data to be exfiltrated by your own personnel, do you have any requirements for storage at home, and encryption, and the antivirus, and all of the things that you take for granted in a corporate environment? You’re going to have to extend them to the home environment.
There was a, I wanted to talk about. Oh, yeah.
Yeah, so one of the other things that I really find problematic in the younger generation, and the younger generation, like, that’s anybody younger than 50 in my opinion, is so used to sharing everything.
Their social media is interconnected, their lives are on display.
And there’s a tendency to link all their accounts together. So, you know, their Instagram has access to their Gmail, access to their Facebook, or their LinkedIn, et cetera. Do you find that problematic?
As far as, you know, a security architect, an incident responder? 100%, you know, I’ll lean back on the ITG18 or Charming Kitten research that we saw.
You know, the videos that weren’t the training videos were the actor going through the accounts of two of the victims. And that was about 3 to 4 hours of video.
And what was really alarming about that was that there was no particular account that was too trivial for the adversary to go through.
I mean, they went through, you know, diaper reward sites, accounts, collecting all this personal information on these folks. They even went to Google Takeout for one of the victims. Now, I don’t know if you’ve gone to your Google Takeout, if you have a Gmail account. And depending on how your account is set up, I mean, there’s some extremely personal information on there that can’t be changed with the resetting of a password. So, you know, again, you and I live in a little bit of a paranoid state based on what we do for a living.
But I’m always a little sensitive to linking all of my accounts for that very reason.
But oversharing online, you know, has a myriad of problems. We know the adversaries go on social media sites and do reconnaissance on their targets. So the more you’re sharing on these sites, depending on who you are, you know, you’ve just got to be careful with it. I know there are companies out there that can do a lot of that monitoring for you.
They can go and do an open source intelligence hunt on your organization to see what kind of profile they can build based on your employees’ behavior outside of the network.
That’s the reason that spear phishing works, right? I mean, it works because you are an open source intelligence source.
So, we’ve got 10 minutes. I don’t know if there are any questions. I don’t see any questions in our queue.
At least, I don’t think I see any.
Um, but what interesting things came out of your studies from Iran, and where did it appear, you know, in new, unusual places? You said you had a couple of vignettes, and that was one. What’s another vignette of the unusual in Iran? It could be any other nation state, where it worked its way into popular culture but the public may not realize where it came from. Well, we did a really interesting piece of research in March on German PPE targeting. So we identified a pretty aggressive phishing campaign against a German multinational corporation associated with a German government-private sector task force, basically, to procure PPE, and this phishing campaign started the same day that this was announced. So the group was commissioned basically to use all their contacts to get PPE, like face masks, medical gear.
And what we saw was we found a little over 280 URLs tied to a single IP address, with more than a third of them including base64-encoded e-mail addresses belonging to suspected targets, and some of the third-party partners. But 100 different high-ranking executives in management and procurement roles, 40 organizations being targeted in this campaign.
A lot of the folks were executives in operations, finance. It was really interesting how fast this came to fruition.
I mean, the task force was announced, and this campaign kicked off very shortly thereafter. We have no idea how successful it was, or attribution in this case, which is really interesting. But it sort of speaks to everything we’ve been talking about today, like how has the world changed since the pandemic, you know, what are the adversaries doing? How are they adapting to the things going on? That was extremely interesting, and at the time that we published that research, the campaign was still ongoing. I will say that we did notify CERT-Bund. I’m gonna, I probably butchered that.
But the German CERT, about that activity, just responsible disclosure, to make sure that they were aware of it.
But, and a good day.
I’m sorry, go on. I was going to say it’s been a wild ride this year, with everything that’s gone on.
The year that we all wanna forget, unless you manufacture PPE, in which case it was a banner year for you.
You know, I think I will finish up here. We’ve got about 11 minutes left, but it goes to, I like to get people to think of things sort of outside the standard.
Um, you know, I do know that we’re not doing basic blocking and tackling every year. You know, you and I would speak at either Gartner or RSA and we’d say the same things, right? We’re seeing the exact same vulnerabilities year in, year out, we’re just not upping our game, and, of course, every year RSA would have a new vendor saying that this cured everything. Right? And so, yeah, this one point solution is going to cure everything, and that’s always kind of disturbed me, because as an industry we seem to monetize the failure of the very group that we want to protect. We say, well, I predicted it. And that’s kind of always been this weird dichotomy.
But on the things that you do need, the things that are a little asymmetric.
Tell me a little bit, and I love this story, about Mia Ash. And not only Mia. But what’s the latest flavor of that to come out?
I would love to tell you that that type of activity has stopped. It is still very much ongoing.
So Mia Ash was a persona on various social media networks. So LinkedIn, Facebook, she also had a blog, which is also still active three years later. Yeah, I know, I know, it’s funny. But this was a persona on LinkedIn
that was essentially doing reconnaissance and reaching out to targets. So let me backtrack. It’s been a long time since I told the story.
So there was a really large phishing campaign that was run by a group that at IBM we call ITG13.
They’re more commonly known as OilRig; the other nomenclature for them is Cobalt Gypsy, if you’re interested in reading that old reporting. But essentially, there was this large phishing campaign.
And it failed at a particular company, and about two weeks after that campaign failed,
Mia Ash, from LinkedIn, reached out to an employee of this organization and struck up a conversation and eventually delivered the malware that didn’t get delivered the first time at this particular organization.
And when we unpacked the persona, we found that there were a lot of people associated with this profile who were likely targets or victims of this particular campaign.
And there were a lot of things about that campaign that were very mind-blowing. The persona had been active for about a year before we had discovered it. It had all of these connections on Facebook, too. So we did an analysis of, like, the overlap. We also took a look at the types of people who were associated.
But it was surprising just how obvious it was, to a researcher like myself, how bad this profile was. So Mia Ash was purporting to be this London-based photographer. And if you looked at their Facebook page, they had watermarks from the sites they’d stolen images from, you know, and again, like, the people that Mia Ash was interacting with were not looking for photography services, so that was sort of lost on them, but
you know, there was no way to get ahold of Mia Ash if you did want to procure her for photography services, on the website, no phone number.
And it turned out to be a persona run by this really prolific group, likely backed by or working on behalf of the Iranian government.
I love that, actually; it’s a sad twist on it. I have a friend of mine who is a fitness expert in California, a nice, fairly famous guy. And he has been the victim of his persona being hijacked to run fitness scams on the Internet. They’re using his name and his credibility in the industry to run fake, like, nutrition and other scams. So they basically stole his persona to run e-crime.
And in phishing campaigns, using his likeness, which is a horrible way to think, but it’s like, any advice for that? I don’t think, I haven’t thought of any way you can sort that, really, other than, you know. And to be honest, with that particular research, because there were a lot of images of this.
So the woman whose images were being used was actually a photographer. So it was hard to say whether she was the inspiration for the persona or it was just a coincidence, but she had a lot of pictures of herself online.
And I think the thing that made me the most uncomfortable about that particular campaign was not, you know, the repercussions in the corporate world, but that woman’s privacy and all of her pictures. Granted, they were wide open, but that was probably the harder conversation that we had to have when we were going public with that research: letting someone know, like, hey, there’s this whole persona that’s using all kinds of pictures of you for nefarious reasons.
That, I feel, is a form of, I mean, it’s just exploitation, it’s just a horrible thing to go through. I mean, that’s kind of, with what Mia’s real name was, you know, the creep factor in that particular campaign, which was pretty high.
It’s pretty high up there. I guess the way I’ve always said it to my business associates is, the only way you can guard against that kind of activity for your employees, and the blackmail, is you’ve got to audit, on audit, on audit. You know, I like to say Edward Snowden and I both had the same background, same clearances, same polygraph, the whole nine yards, but he did what he did, and the only way you’re ever gonna catch that is audit, or anomalous behavior in your environment. But, you know, if they’ve compromised your admin, well, who’s auditing the admins? Who’s watching
the watchers? Yeah, you’ve got to have that, and I think it’s all about, you know, defense in depth and thinking of it, you know, in symmetric and asymmetric ways, and, you know, this is a human-run endeavor. And so there’s always gonna be someone trying to outsmart you on the other end, and you just can’t be complacent in this environment.
Alright, Allison, I’m gonna leave the last four minutes up to you. I want to thank you and IBM’s X-Force for letting you participate, and I have lots of friends in the IBM ecosystem, and I’m a big fan.
But any thoughts from your line of work or the X-Force that you want the rest of the world to
know? One of the things we didn’t get to talk about in detail was ransomware and just sort of the shift that we’ve seen over the last few years.
And again, while I live in the nation state space primarily with my work, you know, I’m not blind to what’s actually happening and what most people are dealing with, and I think I’d be remiss not to talk about really how ransomware has evolved over the last couple of years. So let me know.
I mean, you and I know ransomware used to impact, like, a handful of machines on a network, and then ransomware moved to locking up entire networks, with the adversaries looking a lot and moving a lot like the nation state actors. You know, we know that these events cost millions, in many cases, for large organizations to overcome.
Now we’ve got ransomware as a service, meaning all you need is to be vetted by the ransomware owner and now you can get access to the ransomware, or to their network, but …
And this has been, I think it’s been in the last 12 months, but again, time is super relative in the time of pandemics, right? But we’ve got ransomware actors like the folks behind Maze that are now taking information from compromised networks and threatening to expose your intrusion if you don’t pay. So, you know, I just put my IR and network defender hat on, after having it off for about the last 10 years. It was an availability issue prior to this.
And now we’ve got to be worried about the confidentiality of our data when we have a ransomware incident, and, you know, they have proven that if you don’t pay, they will start leaking information.
There have been a lot of really highly publicized cases that have happened over the last six months where this has occurred, and it’s hard to imagine what’s next in this space.
And just how challenging these sorts of things are to defend against. Yeah. But you bring up a good point. I mean, in ransomware attacks, it’s not just spray and pray. There is a land-and-expand, and there is a time where you can, A, block and, B, detect.
In fact, when we developed our product, we added an RDP, you know, control.
Because 3389 is always left open, right, in effect. You know, the city of Boulder, when they did their, you know, they tried to circumvent their ransomware when they rebuilt in the cloud, and guess what, they left 3389 open, because that’s what Microsoft uses by default. So they just allowed the ransomware actor to walk right up into their environment.
And that means, so when you look at the simple things that you can do. In fact, we spend a lot of time in our product trying to lock down the initial vectors of ransomware. Because, you know, small business, I think last year the FBI said the average ransomware fee, the ransom itself, is $63,000 on average, which doesn’t sound like a lot in the scheme of things.
But if you’re a small business, you know, that can put you out of business. That can be your payroll for a quarter, right? And then that’s before starting the cleanup, the re-architecture, paying for the IR, and how do you get $63,000 in Bitcoin? Because I don’t know about you, but I don’t have that handy, and I don’t think most of you do either.
Exactly, and, you know, besides being preventative and aware,
I also encourage folks to think about the worst day, if the worst thing happens, like, you know, what do you do? Are you paying or are you not paying? How would you go about doing it? Who do you notify? Do you have a backup, an analog, in hard-copy paper, of all of my server information, all my vendor information?
Like, if you had to reconstitute everything, do you have a ready source of, you know, a pointer to where all that information is?
And that’s a good, actually probably a good point to end on. You know, if you don’t have an incident response plan, or you do, like, the worst time to test it… Just have an incident response plan. Get one.
The worst time to test it is when you’re having an incident.
I mean, there are a million companies out there that will run scenarios for you. You know, we’ve got a couple of cyber ranges at IBM where we will host companies and go through their plan, and let me tell you, the technical aspects of recovering from an incident,
and you and I know this in a very intimate way, those are not the challenging parts. You know, you’ve got to run through this stuff and make those decisions. Like you said, am I going to pay the ransom? If so, how? You’ve got to have those decisions made before you actually have to make them in a real-life incident.
Yeah. Everybody forgets the added stress, strain and pressure.
The time to think rationally is always sort of secondary when the crisis is happening, and, you know, cooler heads prevail before, you know, the trained ranger, and training the ones that are prepared for the worst day. And then the ones that don’t come back. I think in saying that, the report said something like 60% of businesses that get hit with ransomware don’t recover, when they go out of business within, like, a year. So it’s a significant emotional event and has huge economic consequences.
That’s why we built an entire product line around trying to lock things down that are initial vectors for ransomware, and it’s a huge problem in our customer base, which is why we sort of tailored our defensive posture against, you know, those indicators.
Allison, we’re right at time.
And … I love having these conversations, and you’re one of my, not only my favorite researchers, but favorite people. My hat’s off to you. I don’t know how you do everything that you do, you balance, you know, being all things to all people, and you do an amazing job at it. And so you’re always one of my personal heroes. And thank you for spending your time with me and PC Matic today, and I’m sure that our customers will be better for the discussion. No problem. It was exciting to be able to do it again.
Thank you. And as my vice president of sales and marketing has told me, as soon as I hit the send button, we’re really done. Done. So this is your last chance. Any final words? No, no. Just keep fighting the good fight, everybody. Like, I get it, I guess I will leave on one note: you can still win.
I mean, we live. But you don’t have to be a victim of ransomware. You don’t have to need an IR. There are things you can do before the worst day is over.
And so it is still winnable; it’s people against people, and we can still, absolutely. Let your hearts not be troubled. Alright? I’m gonna end this, if I can figure out how.
Take care, Allison.