Transcript for: Exploring the Complexity of Cybersecurity
[Etay] Okay, so this
is "The Price Is Wrong: An Analysis of Security Complexity." I noticed the line to
my friends over there, who were talking about Hacktivism, maybe I should add that into the title, they had a very long line. Because we will be talking about
different types of attacks, not just an analysis of
complexity of security, but we'll also be looking
at several attacks and how they happened, the complexity that they
introduced to the victims who were trying to analyze them. And I'm actually excited
to show you this today because some of these attacks,
two of them specifically, have never been exposed before. So I wanna show you some of
the tactics and techniques that attackers are using. The section today, an analysis
of security complexity, is actually gonna be looking at security and security incidents
from multiple angles. So we'll be looking at the security side, so how defenders are having
to fight the complexity that is brought on by point solutions. We'll be looking at how this
came about, why this started, and why we reached this point today. And we'll be looking, as I
mentioned, at the attackers, both from how they launched their attacks, as well as some of the offerings from the criminal underground and what they're providing in
terms of services and tools to battle the security tools
that we are putting out there. We might skip some slides towards the end because I have way too many
slides for just 15 minutes, but we'll also talk about
the criminal's perspective as to why this is happening. So we'll try to get to the core of both the defenders' and
the attackers' complexity. The mandatory disclaimer slide, you've probably seen this in
all the other presentations. A couple words about myself. My name is Etay Maor, I'm the Chief Security
Strategist for Cato Networks and the founding member of Cato CTRL. For those who don't know, Cato Networks is the provider of SASE, Secure Access Service Edge, actually the first and only single vendor SASE solution out there. And Cato CTRL, CTRL for
Cyber Threats Research Lab, is the group that I founded, which is the threat
intelligence group within Cato. And you'll see today,
actually, parts of our report that we are going to be
releasing tomorrow, I believe, it hasn't been released yet. So you guys will be the first viewers of some of the statistics
and data from that report. Prior to joining Cato, I was Chief Security Officer at IntSights, which got acquired by Rapid7. Before that, I was executive
security advisor at Trusteer that got acquired by IBM. And before that I was head of
the Cyber Threats Research lab for RSA Security, got
acquired by EMC/Dell, and I'm not even sure
who owns it right now. I'm from Boston, I'm an Adjunct
Professor for Cybersecurity. I teach a course called Designing Offensive and
Defensive Capabilities: teaching students how to defend, but mostly how to attack
the infrastructure that they are trying to defend, actually finishing this semester and as I sometimes tell, I started my career back in high school, not in a very good way, I
wasn't a very good student, so I hacked into my school's
database and changed my grades. My father, who was Department
of Defense, loved it. My mother, who was a teacher
in that school, didn't love it. So I got punished. Actually, my parents, I
was a really bad student. My father didn't even believe
that I'll finish high school. So now every time I get
an email at Boston College that starts with "Dear Professor Maor," I have an auto-forward rule
to my dad's email account, that's like professor, but
enough about my family, although I will mention one
more thing about my family a little bit later, let's get into it. So the realization and actually the cause for security complexity today. There's a quote that I
really like from the movie, "Pirates of the Caribbean," "The problem is not the problem. The problem is your
attitude about the problem." Which I think really summarizes
what we're seeing today. I mentioned, I said, I'm
gonna mention my family one more time, I used that
sentence in an argument with my wife a couple
of months ago, don't. The price is wrong for that one for sure. I think I was right, the
couch was comfortable. But it's the attitude towards the problem, because I've been doing cybersecurity for roughly 25 years
now, and to be honest, the attacks themselves haven't
changed all that much, right? We're still talking about phishing, we're talking about malware, we're talking about social engineering. Even ransomware is something
that started in the late '90s. So the attacks themselves
haven't changed all that much. And don't believe me when I say it, towards the end of the presentation, I'll show you that the criminals
are saying the same thing, but our attitude to it
is actually the problem. And where does it start? I stole this slide from
Fisher, from Michael Fisher that summarizes, well, it
doesn't even summarize, it actually shows you the
different layers of security and the different tools
for each and every layer. And to be honest, this is a
little depressing to look at because while I do firmly believe in multiple layers of security, having so many point
solutions for each layer, for a defense in depth, is unmanageable. Statistics that we read about today, talk about roughly 20
to 25 security products for small and medium businesses, over 60 security products
for larger organizations. That is extremely hard to
manage, not only to manage, but actually it's been
put to the test constantly by threat actors, and the
results aren't that great. So how did we reach this situation? I wanna talk about the single
point of failure fallacy, 'cause you might see these
headlines when you read the news, and I'll show you some more updated ones, actually ones from last week
that support this as well. Whenever a breach happens,
you'll read something like this, hackers breach LineageOS servers via unpatched vulnerabilities. And you read this and you think, oh, okay, so unpatched vulnerabilities, that's the problem, right? If they just patched
their vulnerabilities, that would've never happened. And then you read something like Colonial Pipeline were breached due to compromised passwords. So if only Colonial were
good with their passwords, none of that would've happened, right? Twitter was an insider hack, and here's an example of
$55 million that were stolen due to phishing or bad
coding like SQL injection. The problem that I have with
each and every one of these headlines is they point to
a single point of failure, which is completely wrong, and a misunderstanding of what
a breach really looks like. Let's go backwards. Do you think Colonial
Pipeline only used passwords to protect their system? Of course not. They had a lot of different
solutions, antiviruses, anti-malware, or SIEM, DLP, I'm assuming, a lot of different tools
inside their network. When a breach happens, it's a complete collapse of
all the security processes and all the security tools that the organization
or the enterprise had. Yet we keep pointing out
these single point of failures as if they are the only problem and not everything that is included in the security stack of the
organization that was breached. Why? And I hope RSA Conference
doesn't get mad at me now, I'm from a vendor as well, right? It's because vendors will
sell you a point solution for each one of these. Oh, you're worried about vulnerabilities, we have a solution for that. Oh, you're worried about malware, we have a solution for that. Oh, you are worried about
intrusion detection? We have a solution for that. And what you end up with
is the previous slide that I showed you, of
multiple layers of security, but so many different products in order to actually implement it. You might have heard this, this is a myth that I really
have a hard time with. I'll tell you something
that I didn't tell you when I introduced myself, I'm also part of the RSA
Conference committee. I actually help with hackers and I used to help with
hackers and threats, now I'm in intelligence and analytics. So I get to see a lot of the presentations that you'll be seeing in
this awesome conference today in the next couple of days. But sometimes I run into these myths, these sayings that are not only wrong, but actually sometimes
really hurt the industry. This is one of them that I really hate, I'm gonna enjoy taking it apart. The defenders need to
be right all the time, the attackers need to be right just once. Really? Let's take a look at what
an attack really looks like. And to do that, I'm going to
use the MITRE ATT&CK framework, I'm sure a lot of you're
familiar with MITRE ATT&CK, if you're not, a very
quick explanation of it. Let's have a laser, I have a laser. What you're looking at here
is the MITRE ATT&CK Framework. On the top you can see
the different tactics that attackers use from left
to right during a breach, for each tactic you
have multiple techniques that they can use. And what I've done here is I highlighted the REvil Ransomware Gang and how their attack usually happens. And as you can see, when
I immediately showed it, usually when you read
about it, you're there. But let's take a look. So usually they start with initial access using compromised credentials. Then they do WMI and then
they do process injection. But look how many times the attackers have to be right to reach their end goal. And how many times the defenders, well, the defenders need
to be right just once in order to detect, mitigate,
or prevent the attack. Of course, don't rely on a single solution to just detect one of these, you need to have a holistic
solution to look at everything. But saying that the attackers
need to be right just once is an oversimplification
of what really happens. When I hear the attackers
need to be right just once, I hear, I have a product to sell you for that specific thing
that you're looking at. So this is the reality
of how attacks happen. And of course this constantly
changes and gets updated. I also thought it was important to mention that we are fighting an asymmetric fight because the same groups that will target large organizations and enterprises will end up also targeting
the smaller ones. And you don't get to have a
level of Fortune 500 security in small and medium businesses. On the other hand, they
have to face up against the same ones that the top 10 US bank, and the top 10 commercial
websites have to fight. It's an uneven fight. It makes it even more
complex for the little guys, especially when you're talking
about shortage in people to run these systems and an
understanding in how to do so. So let's take a look at the
infrastructure complexity because this would've
been a very different talk if I've done it, let's
say about 10, 12 years ago when the CISO would walk
into his organization and everything was under their control, everything was local,
you'd have the perimeter, you set it up, you'd protect the perimeter and everything inside was safe. It's very different today, right? Because you have your branches,
you have your data center, you have global branches, you
have people working from home, you have cloud applications
that you don't even control that are part of your infrastructure, so anything that happens to
them might also happen to you. We'll talk about that as well. You have third party
suppliers and all of a sudden the Chief Information Security Officer finds themselves not
controlling everything but being in charge still of the security of their organization. So they inherit the security
of these other areas that they don't have any control over, which adds another layer of complexity. Let's talk about the security complexity. If you look at what some of
the analytics firms are saying, here are some of the trends for 2023. In the middle you can see
restructuring approaches. And the first one there is cybersecurity platform consolidation. I don't have the laser
on this, okay, whatever. Be kind of careful with
the word consolidation, I'll talk about it a little bit later, because taking a bunch of point solutions and mushing them together doesn't really solve all the problems, it solves one of the problems that security complexity raises, but definitely not all of them. This is an article that I
highly recommend reading. It was written actually
by my CEO Shlomo Kramer. Shlomo, for those who are not familiar, the founder of Check Point,
the founder of Imperva, and now the founder of Cato Networks. And I like this article because there's a lot of
self-reflection there. IT security is broken and it's my fault. And I wanted to highlight
one specific sentence in this article that he wrote. The security industry was
innately set up to build point solutions to stay ahead
of attackers' latest methods. This point solution culture, which admittedly I helped create, has now become the IT security
industry's biggest enemy. He's not talking about ransomware, he's not talking about
any types of attacks or vulnerabilities, he's saying the actual solutions that we're using are the biggest enemy. Maybe the problem is not the problem, maybe the problem is our
attitude about the problem. I have a lot of memes in my slides, so you'll have to excuse my sense of humor because I was looking at network security and the different vulnerabilities. Now I will warn you,
usually the guy in yellow that's giving a hand gives
the guy, the network security, the white guy, a hug, my versions are a little bit more violent. (audience laughs) Because this is the situation
that we are facing right now. We have to ask ourselves
with these point solutions, are we adding solutions
or are we adding problems? I'll discuss this a
little bit more in depth in a couple of slides. So let's take a look at the
consequences of what happens when you have point solutions. And the number one thing that
I wanted to mention here, kind of that really hit me
as soon as I joined Cato, was the loss of visibility means that there are security gaps. If you're not looking
and seeing everything that is happening on your
network, you are missing out. That's why it's still mind boggling that you have the NOC
and the SOC separately. We can't afford to have
that situation anymore. Because if you are not looking at each and every network flow and everything that's
happening on your network, you are going to miss,
you're gonna have those gaps. Minimal contextualization, if at all. When you have multiple point solutions, they each look at the
problem in their own silo, which means they rarely share information. And when they do, by the way, it's due to a lot of manual
work done by security analysts. So we're missing a lot
of contextualization with the attacks. Management overhead,
you're ending up with, well, multiple point solutions, you're gonna have multiple policies. And by the way, when I say
multiple point solutions, it's not just, you know,
DLP and CASB and IDP and IP and so on and so on. Even between firewalls,
you'll go into organizations, you'll find multiple firewalls, that have to be configured
with multiple policies, something that always fails. So ending up with multiple
security policies, how are you gonna apply that? False positives and missed attacks. Well that's a result of
everything we just said. Actually, if you take a look at this, I'm gonna discuss a concept that I'm sure a lot of you're familiar
with towards the end. We're talking about the
OODA loop here, right? The observe, orient, decide and act. But I'll talk about
that a little bit later. Two issues that are another
result of the complexity with point solutions are updating and patching
and misconfiguration. Now if you ask my MDR team,
and I'll be very conservative because the head of the MDR might be here, I didn't see him and I know 'cause I'm
presenting with him tomorrow, they'll say that 85% of the
attacks that we see today are a result of misconfiguration
of security tools or unpatched security tools. I'll add on top of that,
another issue that is happening over and over and over again, it is the fact that the
security tools that we use are the actual entry
points for the attackers. So they actually attack the security tools and that's their initial access to get in. I'll show you that when
we go into the dark web and some of the solutions that
the attackers are offering. But that always reminds me of the very sophisticated
security gate, this one. So are we blocking the attackers or are we giving them a
ladder into our organization? That's a very bad design, but I love it. Let's move to the cost. And here I'm gonna quote a
report by the Ponemon Institute, IBM runs a report with them every year. I remember when I was at IBM, we used to look into that and contribute. So let's take a look at the IBM
Cost of a Data Breach Report from 2023, and let's take
a look at the hard costs, the actual numbers. This is one of the statistics
that they advertised, I'm gonna read it from
here, just the headline, increasing data breach
costs for organizations that had high levels of
security system complexity. They actually included
multiple points about this and multiple numbers. This is the one that I
found the most fascinating. It's a table that actually shows you which elements or what you
do in the organization, whether it's processes or
tools, how much the blue ones, the blue ones are with a minus, that's because they reduce
the cost during a breach. And the ones on the bottom are a plus, that means they add to
the cost of a breach. So if you take a look
at the bottom portion, I'll zoom in for you right there. The number one cause or
the number one contributor for the cost of a data breach
is security system complexity. But that's not all, you need to kind of have
some more critical thinking and look behind the numbers here because security skills shortage,
non-compliance with regulations, and several others are actually inherited due to the complexity. I'll discuss this as well. So I think the number, well it is the number one contributor, I think the actual number is much larger. I had to mention another thing here that has to do with complexity and has to do with a little bit of looking behind the
numbers that we are shown, regarding detection time. This is a point that really bothers me every time I read about
detection time of attacks because there's sort of
a feeling like detection is getting better. It used to be, I don't know, 18 months and then it became a year and then it became about
eight months or so, and it seems the number is going down and I don't think that's actually true. And so I asked myself, where
did the detection time go? And I'm sorry for the dad
joke, but it ransomware. Sorry, dry humor, I know, but I try. What do I mean by it ransomware? Well, if you take a look
at the numbers again, this is from '22 and '23. They're saying in the IBM report, average cost difference between breaches that took more than 200
days to find and resolve and those that took less than 200 days, there's I think like a 25% difference. And if you look at the times, you'll see that the detection
times seems to be going down. That is false. Ransomware is the number one contributing for that being false
because there are three ways in which a breach gets detected. Either ideally, well, ideally
you don't get breached, but if you do, ideally you detect it, the organization detects it. If not, the detection may
come from a third party, usually law enforcement or your clients that start
seeing something happening, or law enforcement gives you a call, "Hey, we're seeing x, Y, Z on the dark web on a ransomware leak site." The third and the worst one
is when the criminals tell you that you've been breached, and that's exactly the
case with ransomware. Because with ransomware they
could have been on the network a lot longer, but they're
actually telling you that they're there by ransoming your files and then you notice it, and so the breach time is going down. But that's because the
attackers are notifying you. And if you've read about
some of the latest attackers, I think it was BlackCat, BlackCat actually really
liked the new SEC regulations where you have to report within four days, they actually tell their victims, "Hey, if you don't report
this, I will report myself hacking into you to the SEC, because you're gonna get a lot of fines, so you better pay me before
I tell the law enforcement," which is insane to think about. Here's just one recent example just from a couple weeks ago. I guess everyone is familiar
with Change Healthcare, UnitedHealthcare, the huge
breach that is happening there. Hackers were inside Change
Healthcare's systems nine days before the attack. Yeah, after nine days they
decided to deploy the ransomware. So great, we detected this
attack within nine days, skews the number, now
detection time goes down, completely wrong, they could have stayed a whole lot longer on that network if they really wanted to. Because they already evaded all the different point
solutions that they had. In addition, it goes back to another thing that I mentioned before, UnitedHealthcare used stolen
login credentials to break in. Yeah, so they used a Citrix
server with stolen credentials, but there are a lot of other
things that were deployed on enterprise networks that also failed to detect the attack. So we need to look behind the numbers and behind the statistics
that are given to us. Oh my god, I'm looking at the
time, I didn't even start yet. Okay, some soft costs, like I said before, are we adding fat or
muscle with every device that we're bringing to the organization? I know Hollywood likes to show
security operation centers as a person sitting in
front of like six screens, it looks really cool, but that person is crying
maybe at night as well, because you're trying to take
multiple security solutions and you know, how do I take
my threat intelligence feed and take 'em to my firewall and spread 'em to my end
point and send it to the SIEM? How do I evolve false positives? What we end up with, and again,
I teach in BC, in college, and I talk to students
after they start working, they're like, Etay, this
is not what we imagined, we're doing a lot of integration,
we're doing a lot of, yeah, that's the security
work you need to do right now because you're working
with point solutions. That's the problem, that's the complexity. And then you get the burnout
and from the burnout you get, oh, we don't have enough
people to have here. And the result of that is
you get product champions, which I know vendors love, but it's really terrible
for the organization. How many times have I heard when I talked to security
operation centers, like okay, who manages that system? Oh, that was Aaron, but
he left and it's working, we're not gonna touch it. Really, 'cause you have
these security champions that know how to do everything
with a very specific product, but when they leave because
they get a different offer from another organization
that's suffering from burnout, what do you do with that system? And the question that arises is do we even know our own networks? If anybody here is from
a military background, this should look, or
intelligence background, this should look pretty
familiar, the CCIR. What does a commander need to know in order to make good
decisions on the battlefield? A lot of people talk about the PIR, priority intelligence requirements, I decided to translate
this to the civilian world. And what are the questions that
security operation managers need to ask themselves? What do I know about the adversary? That's a very common one, that a lot of threat
intelligence organizations or vendors will help you answer, what does APT1 do? What does FIN27 and so on, what are these different groups doing? What does the adversary know about me? So that's through human
intelligence, usually, you go into criminal
forums, you ask questions, what are you planning and so on? And the question that a lot of times is not being asked enough is what do I know about myself? I'm not trying to get
all philosophical here, but do I really understand my own network? Because I know what happens if I ask a CISO what
their network looks like. I'll get this nice visual
file that's gonna show me the servers and the DMZ and
everything's gonna be lined and everything's gonna be really nice. But when you start asking
questions, you find out, oh, there's some gaps here. Why? Oh, because you'd walk around and you'll find a wireless
router that somebody plugged in that's unmanaged because
somebody needed Wi-Fi. Or you'll find a user on the network that Jennifer used to do testing and she had a privileged
user, Jennifer left, but nobody closed that user down, and that's exactly the things that the attackers are looking for. So let's take a look at the networks and here comes the research
that I mentioned before, this is the research
we're going to release, yeah, I think tomorrow. So the research is based
on over 2200 organizations. We looked at the first
quarter of this year, a bit more than the first quarter, we also included parts
of December of last year, roughly about
1.26 trillion network flows that we have analyzed. What we do with Security
Access Service Edge is the convergence of
networking and security. So we actually provide the
networking for our customers, so I can see every network
flow in the network. We're talking about multiple industries from different shapes and sizes. And we looked at inbound,
outbound and WANbound data. And with that I'm gonna show you, you'll see some of the
first ones are not very nice in terms of graphics because they're still the
Excels that we were researching. Some of them you'll see the end result. The report itself is about 50 pages long, we're not gonna go through it. We're just gonna go through
a couple of examples, this is the first one. And here, if we're looking at a network, we're looking at the top 10
inbound CVEs by traffic volume. And the reason I wanted to include this is I wanted to show you what types of CVEs we see threat actors trying
to target our customers with. And there's the usual suspects here, number one is PHP
arbitrary code execution. Number two is Log4j. But what you'll notice is a
lot of them are not very new, they're not very new. Actually, if you take a
look towards the bottom, there's one there from
2014, which is a decade old. You know, you take some of these, you plug them into Shodan and
search for the vulnerabilities and you'll get millions of devices that are still vulnerable. So these systems, the
attackers are using this because they're having success
targeting other networks. And so they're trying
this and you'll see 2014, there's 2021, there should be a 2017, was the first one, is a
2017, nothing new here. There's a lot of information in this one, I'm not gonna go into all of this, but this is a MITRE ATT&CK based on CVEs. What I wanted to show here, aside from there's a lot
of things to, actually, if you want to deep dive into that there are differences
between industries. On the bottom, those are industries, you'll see a much
different version of this in a couple of slides. But some of the colors,
you'll see them all over, some of the colors will,
or some of the industries, sorry, have very specific trends. I'll go back to this in the next slide. Here, you're looking at
the top 10 medium risks suspicious activities in
WANbound communication. So we look at inbound, outbound, WANbound, and we look at high risk,
medium risk, and low risk suspicious activity. These are things that security
solutions won't even look at because they're not confirmed attack, they're not signed, but they
are suspicious activities. Now, I used to work, if you
remember from my resume, I used to work for a company
without mentioning its name, that dealt and actually
created risk engines. And I have a problem, this, okay? I think this is off, back, okay. I really do have a
problem with risk engines because what risk engines do in many cases is they take a look at what criminals do and then they try to identify that as the high risk events on the network. Unfortunately, the threat
actors know how to remain under the radar and do actions
that actually look like the actual victims. And so what you end up with
is this weird situation where these solutions come in and say, "Okay, what's your tolerance in the SOC? How many alerts can you tolerate a day? 500, okay that's 3% let's say
of the total number of events, we're gonna mark the top three
most suspicious activities." But that's not usually
where the attackers are. And we'll see that when we talk about the criminals themselves. This is from the final report, so you'll see some nicer graphics, or at least I hope they're nicer. HTTP versus HTTPS in WANbound, inbound and
outbound communication. And what really hurts my
eye when I look at this is the WANbound one. Look how much of it is HTTP traffic. We're talking about all our customers. 62% HTTP, which means if an
attacker is on your network, he's having a blast, 'cause we feel comfortable
with our WANbound traffic, we don't encrypt it,
that's one explanation. Another explanation is
we're using legacy systems or systems that simply can't use HTTPS and anybody who's on the network, well, all you have to
do is drop a listener in one of the endpoints or somewhere, start logging packets
and you're pretty good. This is WANbound HTTP/HTTPS
traffic by industry. And here, by industry, you can see that there
are different trends. Not surprising, which one is it? One, two, three, the fourth
one that you see there, that's finance. Most of the communication
there is encrypted. Right next to it, and actually
a little bit towards the end, are, where was it? Transportation and it was
I think, which one is it? Construction, which are not secure. You can see that the
green part is very big. So you can see different
trends in different industries as to who encrypts more of
the data and who doesn't. Last example, SSH versus TELNET. You see the same thing as
you did with HTTP and HTTPS when we're talking about
inbound and outbound, we're securing these communications, when we're talking about
WANbound, we feel safe I guess. And so a lot of the
communication is not encrypted, which lowers the complexity
of course for attackers. So let's take a look at the attacks. I'm gonna look how much time I have. We're gonna skip one of the examples that I have here for the sake of, because I need to make up for the time. This is an example of a ransomware attack that happened against a
very large, let's call it, chemical manufacturer in the US. I was interviewing the team
there after it happened and I was asking questions about, "Hey, how did this
ransomware attack happen? Let's go step by step." And the CISO there actually told me, well the first step is we
received a phishing email and somebody clicked on it. I was like, hold on, hold on, what do you mean? Don't you have anti-phishing solutions? And I quote, he said, "Yeah,
they got lucky this time." I was like, okay. Somebody clicked on it and then there was a
connection to an external site, which I was like, "Hold on, what do you mean a connection
to an external site? You don't have anything that
looks into suspicious activity, that looks into websites
that you've never visited, or websites that are known to be bad?" They said, "Yeah, but we
found it about two weeks after the event happened. The alert was there but we didn't see it." Okay, there was a connection
to an external site and then it downloaded a payload. The payload, I said, well, hold on. And then tried to stop me, he was getting a little bit annoyed. He said, "Yes, I know the
download of the payload, yes, that was missed as well." And every step of the way, this is actually kind
of your run of the mill ransomware attack was missed by all their different security solutions. Some of it was missed, like
he said, they got lucky. Some of it, the alert was actually, they actually created the alert, the systems did what
they were supposed to do. But it's finding the
needle in the needle stack, the SOC operators didn't even look at it. We actually ran this
attack against our system to see what would've happened. And as you can see here, I'm
not gonna go really in depth, but each and every step of the way, whether it was the phishing
that was blocked by the system, whether it was the anti-malware,
they used Mimikatz, kind of your run of the mill tool. I'll actually go back to Mimikatz when we look at the criminal activity, was blocked by anti-malware. The downloading of Cobalt Strike, which is another kind of like
very classic way of attackers when they run a ransomware
attack, everything was stopped. On the other hand, when
you use point solutions, that's a problem. This is a very interesting case
of another ransomware attack that shows you that I don't
think we quite understand well enough the threat
actors and how they think. So this is a ransomware attack. And what was interesting
about it, when I interviewed, this organization didn't
even have a CISO at the time, they just had an IT manager, which was kind of shocking
because they told me this is not, this is the group that
targeted them, Ryuk, but they told me this wasn't
our first ransomware attack. I was actually surprised
they didn't have a CISO after the first one. But yeah, they said this
isn't the first attack. And they described to me the attack. And there were three things
that really kind of jumped out. The first one, they were already
attacked almost a year ago before this ransomware attack. The second thing is the attack, the initial access was
through third party controls, but what's interesting is they were ransomed within minutes. So by the way, here you go, another number that's gonna
skew the total detection time, 'cause the attackers could
have stayed for much longer, but they actually did it in minutes. They knew what they wanted to ransom. And the third part was the
attackers tried to target servers that didn't even exist. And as soon as the head of
IT told me that, I told him, okay, I know exactly what
you're dealing with now, this is a classic case of
ransomware as a service. Because remember that attack
that happened a year ago? You thought that by paying the attackers to get the decryption key
and to not publish everything on your leak site would
solve your problems. But that's not actually how
the attackers thought about it. They had a foothold in
your infrastructure. You didn't find everything
that they were doing and you paid them. What did they do? They went on the dark web
and they advertised like, hey, we have access to this organization. Who wants to buy it? We'll install whatever you want. And this is ransomware as a service. How do I know that? First of all, everything
was ransomed within minutes. So they knew exactly
what they wanted to do. On the other hand, the flip side of it, the new attackers tried to
ransom servers that didn't exist because between the time
the first attack happened and the second attack happened, some of the servers were
removed from the network. This is a huge indication that something is
happening on your network. If somebody's trying to reach
servers that don't exist, that means you have somebody
bad on your network. They had deception and
they didn't even know it, or a honeypot I should say,
and they didn't even know it. It's very similar to
creating a canary token. Just create an admin user,
call them super admin user. Nobody touches that user. As soon as somebody tries
to guess the password to that user, it means
somebody bad is on your network because that user doesn't really exist, they actually implemented
that without knowing it, but they missed it. And so there were three
things that the attacker here could monetize on, the decryption key, not publishing the information and then also selling the infrastructure to another affiliate, that's
their affiliate program. Wow, I'm really bad with time. I'll show you this very,
no, we'll skip this, this is gonna be a bit too long. If you wanna see this, it's
actually a great thing, it's from my presentation from last year about living off the cloud attacks. Highly recommend, you
can find the recording on RSA Conference, I just
wanted to highlight this 'cause it aligns with what we're talking, so I'll skip the next two attacks. I keep talking about complexity but it doesn't mean that
simplicity means doing less. When I say to uncomplex a situation, it doesn't mean we want to do less. We actually wanna do the same if not more, just with easier systems. I really like these two pictures of the F15A on the left
hand side and the F30, is it two or 35? 35. It's the F35 on the right hand
side, both amazing machines, both can do a lot of different things. The one on the right's a little
bit less complex to manage, as opposed to all the different gauges that you see on the left hand side. Now you see a convergence
of everything into a system that can look at it and
provide the operator with a much clearer picture. I talked about the OODA loop before. You have to observe everything,
you have to orient yourself, contextualize, make the decision, so have a a unified policy and
then be able to act upon it. But not from multiple solutions, you have to do it from one place. Otherwise complexity again,
goes up, you have gaps, you miss and so on. Let's take a look at the criminal side. So we're gonna look at some examples of what criminals are
selling on the underground. Some of this is kind of like, hey, we've been seeing this for years, some of it I think is relatively new. Let's take a look at a couple of examples and just to make sure, how am I with time? I have 10 minutes, roughly, 10 minutes, I need about 50 more,
but we'll do it with 10. The criminals' complexity. So let's take a look at a couple of examples. Here, you're seeing some Russian forums that are selling domain admin accounts. The one on the top, they're
selling, what is it for? 15 bitcoins I believe, access to a company that's worth $12.5 billion
with 33,000 employees. They're selling the domain admin accounts. On the bottom, you see one
from my original home country, from Israel, $3,200, access to
a Homeland Security company. Domain admin accounts. Usually, this is actually
not super typical, 'cause usually you'll see
this in an auction form where they'll say the price is X and it goes about by
increments of whatever, 100, 200, $500, or you can pay right now and get the product if you really want it and get it yourself. Access to RDP and VNC. So computers that have remote
access and aren't secure. So they're selling access to that. By the way, of course I'm not advertising or saying you should
do any stuff like this, these you can easily
find on Shodan and Censys just by searching, you
don't need to buy this, don't buy it of course, and don't do anything bad
or anything like that. Remote code execution. This was interesting, this is Genesis, this is a website that was
shut down by the FBI last year. It's an identity shop. So they were selling access
to computers that were hacked. The number, what was
interesting is during COVID they went up from 50,000 to
350,000 infected computers and you can just buy
access to these computers. They infected them with malware. What I found really interesting, now there's a lot of
brokers of stuff like that, what I found really
interesting about these guys is look how beautiful it is. You can search for stuff,
you can go up there and say, okay, just show me websites or computers that have access to .mil
or .geo sites, right? I want those computers. So I clicked on one of them. So here you have a computer with, this is a computer from Netherlands, if I remember correctly, yeah,
Netherlands, sold for $22. You have access to the browser, you have access to all
the different resources, Facebook Live, LinkedIn, OnlyFans, I need to choose a different
example. Spotify, Twitter, whatever this user access
then has credentials to. And like I said, this
website was shut down by the FBI last year. About three weeks later, this
group created a new website that as far as I know, is still up. What else is up for sale? This is a little bit small,
I'll read it out to you. So these are crypting services
and initial access brokers. I'll go over this really quickly. You can see here that they
advertise things like crypters. So they'll say, hey, if you're malware, I'll make malware undetectable, right? Because we're dealing
with point solutions. So no problem shooting
just point solutions. It's a much bigger problem when you're dealing with
a holistic solution. But most organizations
have point solutions. And they show here, what you're
looking at the bottom here, they're saying, oh you want
to use a tool like Mimikatz? I mentioned it before, right? Mimikatz, like everybody uses Mimikatz. All the antiviruses can detect it. I will crypt it for you
once I crypt it for you. Boom, nobody can detect this
tool, this very simple tool. Access through security providers, I have a lot of examples of that, but there's a lot of brokers
that sell stuff like this on the dark web as well. And they even advertise of course, that they're looking to hire people. This was kind of like, hey, remember when there
was an AT&T, Verizon, T-Mobile breakdown a couple of months ago? I was like, I wonder if that
has anything to do with it? Probably not, but it was interesting. More interesting than this
is these guys, LockBit, one of the biggest
ransomware groups out there, they were advertising, they're
looking to hire people. So I wanted to see if I
can go and work for LockBit to make some extra money. So you have the list
of needs of them here, had it translated. So if you want to join them, you need to have higher
education, I have that, basic skills in operating
systems, I have that, knowledge of English, got it, ability to work with
error tracking, I hate it, but I have that. No other job, that's a problem. No personal life, I have none. No harmful habits,
ability to keep secrets, online 24 hours, and greediness. And they're looking to hire people. And I was actually quite
shocked that they advertised it in this, while closed
Russian forum, still, that they advertised this. But look, they're finding
the point solutions for them, to the point products that
we use in the enterprise. Speaking about jobs that
computers may take over, although I don't really believe they will. I keep telling my students, you know, AI is not even close to taking
over humans, not even close. But people who know how to use AI are gonna replace those who
don't know how to use AI. So I force my students to use ChatGPT as part of their course and so on. So I think we're starting to
see, oh, we do have a laser. Now, I find out. I'm gonna use it all the time now. Are we getting it wrong again? This was again, my
sense of humor about AI, 'cause I feel like we're getting this, everything we just talked about, all the security complexity that we have with the security stack, I feel like we're going
through the whole thing again with AI. And again, I hope RSA doesn't kick me out, but just go to the floor now and see which vendor
doesn't have AI mentioned on their booth. I don't think you'll see
more than five of those. There are a lot of security
frameworks out there that talk about AI. You have NIST, you have Google SAIF, the Secure AI Framework. You have the OWASP top 10, an OWASP for LLMs and
for LLMs applications, which are very good, I highly
recommend reading them. And there is also ATLAS from MITRE, which is actually getting buffed now. You'll see a new version of it, I believe, in a couple of months, you'll see a much more
buffed version of this. But the attacks, we're still
seeing the same things. And the complexity, I'll show you this, this is still work in progress, marketing really hate me for this slide because it's very ugly. But it gives the point that I wanna make, it makes the point. When I think about LLMs,
I think about six elements as a hacker that I can attack. I think about the prompt,
I think about the response, I think about the model, I
think about the training data, I think about the
infrastructure it all sits on and I think about the
recipient of the information. And with that, let's have a blast, there's so many things that you can do. Prompt injections, data disclosure issues, insecure output handling, data leakage, hallucinations, over
reliance on the model, model theft, training data poisoning. The fact that the model has to
be built, trained, and tested means it falls for copyright, bias, and feedback poisoning attacks, insecure malicious plugins,
attacking the infrastructure, denial of service attacks,
supply chain attacks, excessive agency when it comes to the
recipient of the information, and this is just a
partial list of everything that you can do to, or not everything, but some of the things
that you can do to an LLM, just a partial list. And now if you go, you'll find point solution
vendors for each one of these. So we're adding more complexity,
more and more and more. A quote from one of my favorites, and I know I have five minutes, a quote from one of my
favorite basketball players, Kobe Bryant, "Why was I the best? What was my secret? I never got bored with the basics." Neither do the attackers. I told you, don't believe me, I'll tell you that the
attackers are saying it. So let me show you two slides. First one is from a presentation by Brook Chelmo called "Two Weeks with a
Russian Ransomware Cell." It was presented at RSA Conference, I believe four years ago, maybe it was RSA Conference Asia. Brook actually interviewed a
ransomware group from Russia, talked to them about
why you do what you do and how do they do it and
why they hate the west and all kinds of things. And he actually had the guts to ask them, okay guys, what do I do to
avoid being targeted by you? And they actually replied. So I took a screenshot and stole his slide because that's how good
of a presenter I am. And this is what they said,
secure vulnerable ports, use proper passwords, watch
for misconfigured firewalls. You look at this and say,
this is so unsurprising, like haven't we been saying
this for like 20 years? Maybe the problem is not the problem, maybe the problem is our
attitude about the problem because the criminals are saying that the simple stuff still works. I wanna show you another example. This is from a very
long ransom negotiation, I'm not gonna include it,
it's like 10 pages long. After a victim agreed
to pay 3.7, $3.8 million to a ransomware group, the ransomware group
sent them this message. Here are a list of recommendations to avoid such things in the future. So great customer relationship management by the ransomware group right there. He didn't ask for this. So they just sent it out of the blue. I have the laser. Turn off local passwords. Force end of administrative sessions. Like, really? Look at this one, check for the
granted privileges for users to make them maximum reduced privileges to access only two exact applications. They're basically saying zero trust without using the word zero trust. None of this is new,
none of this is complex. Trust me, you say zero day, I won't shut up for another three hours and I'll keep talking here,
but they don't need that. It's your average run of the
mill things that still work. Bruce Schneier said it way,
way before me, years ago. "Complexity is the worst enemy of security, and our systems are getting
more complex all the time." So it's time for us to
reevaluate and think, hey, what do we do about it? So first of all, we need to distinguish between platform and platformization. You're gonna hear platformization a lot, platformization is
taking a lot of products and mashing them together, it
doesn't solve the problems, it just puts them all in one place, you're still missing context, you're still having gaps in visibility. It's not what are we doing
versus the how are we doing it? And here I'm referencing
specifically Gartner, that when they talk about SASE,
Secure Access Service Edge, they're saying it's
not about the features, it's about how they're delivered. Make life easier for the enterprises rather than just adding
more and more features. Start with the basics,
give it to them in a way that's consumable, upgradable, scalable, and not just add more point solutions. This is just an acronym
that I created, STOP-A. It's strategical,
tactical and operational. You need to look at all the
levels, process analysis. Are we adding complexity or
are we adding capabilities? I know I said it a billion times already. Is the problem the problem, or is the problem our
attitude about the problem? With that, I wanted to thank you. Come visit us at booth 4401. We also have a capture of the
flag running in the sandbox if you wanna try and hack AI, we're gonna be running that tomorrow in the next couple of days. Thank you very much, I'll stay
around for some questions. I hope you enjoyed the rest of the day and these great sessions. Thank you very much. (audience applauds)