CyberWire Daily - From small-time scams to billion-dollar threats. [Research Saturday]
Episode Date: February 22, 2025
This week, we are joined by Selena Larson from Proofpoint, and co-host of the "Only Malware in the Building" podcast, as she discusses the research on "Why Biasing Advanced Persistent Threats over Cybercrime is a Security Risk." The cybersecurity industry has historically prioritized Advanced Persistent Threats (APTs) from nation-state actors over cybercrime, but this distinction is outdated as cybercriminals now employ equally sophisticated tactics. Financially motivated threat actors, especially ransomware groups, have evolved to the point where they rival state-backed hackers in technical capability and impact, disrupting businesses, infrastructure, and individuals on a massive scale. To enhance security, defenders must shift focus from an APT-centric mindset to a broader approach that equally prioritizes combating cybercrime, which poses an immediate and tangible risk to global stability. The research can be found here: Why Biasing Advanced Persistent Threats over Cybercrime is a Security Risk
Transcript
You're listening to the CyberWire Network powered by N2K.
Cyber threats are evolving every second and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with
researchers and analysts tracking down the threats and vulnerabilities, solving some of
the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
In my opinion, the impact to real life individuals, the disruption to their work, to their healthcare, to their schools, cities, libraries, homes, is very, very significant by threat actors,
especially ransomware threat actors.
And I just think that historically it has been underappreciated and under-resourced
in terms of defense against these threats.
That's Selena Larson, threat researcher and lead for intelligence analysis and strategy
at Proofpoint.
The research we're discussing today is titled, Why Biasing Advanced Persistent Threats Over
Cybercrime is a Security Risk.
Well, let's walk through some of the history here together.
I mean, how did we coin the term advanced persistent threat, and what led us to where we are today?
Yeah, so it's funny because the APT moniker, which is of course advanced persistent threat
and is essentially only used for threat actors that are operating on behalf of states, right?
So Russia, China, DPRK, all of these, you know, big time bad actors that are operating
on behalf of intelligence agencies all over the world, advanced persistent threats.
So I was digging through the history, the resources,
and it was reportedly first coined in 2007
by a US Air Force Colonel named Greg Rattray.
So this is of course, you know, based off of stuff
that people have posted on Twitter, blogs.
There's no real sort of like point
in the dictionary definition when it was added
to, you know, the Webster's English dictionary that we can say this is when it was created.
I can add just as a name dropping aside here that I have interviewed Greg and he did indeed
claim attribution of the term.
Yeah.
So it's been around for quite some time.
You'll notice that it did come out of the government,
which I think a lot of folks who work
in cyber threat intelligence and cybersecurity
and are working in defense now have backgrounds
in whether that's military, government,
intelligence agencies.
And I think in many ways that has contributed
to this bias of focusing on nation state adversaries.
I mean, even the term adversary, right?
Like, that's something, you know, it's tossed around a lot in our industry, but to the average
person, it's not an adversary, it's a hacker, you know?
Like, it's someone who's messing with my life.
It reminds me of, like you'll see on the local evening news,
there'll be some sort of local crime
and the police will use what I call cop speak,
which is, you know, a perpetrator entered the edifice
and drew his weapon and it's like a bad guy went in
and had a gun.
Yes.
Exactly, exactly.
Yes.
So I mean, thinking of the roots here.
When we look back on the history,
does it make sense that there was a focus on APTs,
particularly in the time before
the explosion of ransomware?
I think so, but again,
I think that kind of goes back to the bias, right?
So I think how we know about APT, whatever threat actors, is
in large part due to Mandiant and the APT1 report back in 2013, that was, you know, Chinese
cyber espionage, and that's how it really became this industry standard. So we're thinking
about APT, we're thinking about nation state actors, we're thinking about, you know, the
trouble that they caused in large part because that's the mindset and the focus of a lot
of people that are working on these problems.
But you know, cybercrime, ransomware, and certainly banking Trojans even before ransomware
were a multimillion dollar business, right?
You have actors that were working on banking Trojans essentially to steal people's money.
And they were using real money as opposed to cryptocurrency
to commit crimes.
But in the early and mid 2000s,
that's consumer focused ransomware.
So it's not the big game hunting that it evolved to
in 2014 through 2016.
But you have in 2007, banking Trojans, Zeus, Gozi, they really created this business
models where threat actors were targeting banking details and at very large scales.
And then when Bitcoin really came on the scene, that was again 2009. So this is early days
of Bitcoin, but it really disrupted the criminal ecosystem and you have things
that grew out of the sort of usefulness of crypto
as a criminal enterprise.
So you have Game Over Zeus, Crypto Locker Ransomware.
As I said in the paper, they sort of kickstarted
the age of the cybercrime kingpin in the mid 2010s.
So you have the big sort of botnets
that started as banking Trojans,
evolved to be loaders for ransomware
that we know today, Emotet, TrickBot, Dridex.
And then, you know, this is really when
it started becoming a problem.
But I don't think we focus on that enough
as an industry in general writ large
because I do think in part we were still very much biased towards APT.
And I think to the benefit of the threat actors, frankly, because they were getting, making
lots of money, you know, and going after schools, hospitals, you know, city and state governments,
you know, a lot of entities that were getting hammered by
ransomware, but it wasn't really until Colonial Pipeline happened in around 2021 that we started
thinking, oh wait, maybe ransomware can be bad.
Certainly there were people working on this problem for a long time. I told this story at SleuthCon last year, but my sister has been impacted
by ransomware four different times.
She's worked in the healthcare industry.
And since, you know, 2016,
she's had multiple different ransomware attacks
impact her life in different ways throughout the years.
Most recently, even last year, she was impacted by it
and it took down an application that she was using for important life things.
And she's just like, this is just my life now,
I guess this is just what happens.
She's like, you'll never guess what happens, Selena.
And I'm just thinking, this is,
my sister is just a regular person
who's had her life disrupted by criminals multiple times.
And she just feels like that's the norm.
And that is what really makes me sad.
How much of the bias do you think we're dealing with today?
I mean, your average CISO who's out there
deciding how to divvy up their resources,
how are they dialing it in?
I think actually I do have to give a little bit of credit to marketing and journalism
in general as well for highlighting APT because frankly, spies are cool.
You think it's very cool to have these stories on espionage and disruption and stealing information
to improve their standing in the global economy. But I think a lot of it is just like, people
think APTs are cooler. And so they want to learn about them. They want to know about
them. They want to make sure that they are protected from them. But in general, your
average organization is at a much, much greater risk of being impacted and targeted by cybercrime
than any nation state threat actor in general. And I think it's changing a little bit as
we continue to talk about it and continue to have these types of conversations. But
I still think it's very much there because there's this idea, you know, APTs are cooler.
We'll be right back.
And now a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue
to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record
payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that
are exploited by bad actors more easily than ever with AI
tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps
and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not
the entire network, continuously verifying every request based on identity and context.
Simplifying security management with AI-powered automation.
And detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com
slash security.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking
online? Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data
brokers.
I finally have peace of mind knowing my data privacy is protected. DeleteMe's
team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe. Now at
a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteeme.com slash n2k and
use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteeme.com slash n2k and enter code n2k at checkout.
That's joindeleteeme.com slash n2k, code n2k.
I wonder too, because it seems to me like particularly in the earlier days of APTs, it
was kind of a get out of jail free card for any organization who got hit.
You would just, your communications person
would stand up in front of a microphone and say,
there was nothing we could do.
We were attacked by foreign adversaries
with endless resources.
And so, you know, poor us,
there's absolutely nothing we could have done.
And people would kind of say, well, that makes sense
and go along, go on with their business.
And only occasionally would we later find out that it was a kid, you know, in a club
house or a tree house or their parents basement, you know, who brought down this major organization
or something.
Yep.
Yep.
I mean, absolutely.
So the way that we talk about different threat actors
impacts the way that we think about different threat actors.
And I think, you know, having that sort of APT moniker
is a little bit of a get out of jail free card.
However, I would say on the flip side of that though,
not all APTs, you know, state actors are advanced
and many cyber criminal actors are considerably more
advanced and sophisticated than some state adversaries.
We've even seen some crossover with cyber criminal threat actors operating on behalf
of governments.
There are certainly examples of this happening in Russia, for example. And there's, you know, there's like overlap there too.
And I think, you know, from just like a fundamental
like defense and like TTP perspective, in many ways,
and this is my super mega hot take,
and I know a lot of people are gonna disagree with me,
but you know, in many ways,
attribution doesn't actually matter.
It doesn't matter if there's a financially motivated
threat actor or an espionage threat actor,
what matters are the behaviors
and making sure that your organization is defended against them.
There are, of course, situations in which attribution does definitely matter.
It depends on, you know, we're really going to, but from a fundamentally technical perspective,
if we're seeing the increase of ransomware actors, cyber criminal threat actors using
zero days, investing and developing tooling and resources that are in many ways
more advanced than what we're seeing from APT or state actors.
There's not that sort of like distinction between, oh, state actors are a lot more advanced
or oh, cyber criminals are just dumb kids, we don't have to worry about it and by insurance
we'll take care of that or whatever.
They're operating at a level that is very high and you have to be very, very mindful about it.
And the impact is so much greater
to the general population and our communities at large.
Like a ransomware attack on a school
has significant impacts to the students' safety, their education,
their resources.
If a school is closed because they had a ransomware attack, parents can't go to work, so they
have to rearrange their lives.
There's all of these follow-on repercussions from a lot of this activity that, in my opinion,
makes it a threat to our communities and our
way of life and national security, you know, in different ways from the state actors, you know,
stealing IP or, you know, pre-positioning potentially for potentially critical infrastructure
disruption, which of course would have its own very large impacts. But yeah, I don't think it's an either or anymore.
And I think, you know, we have to be very, very mindful
of that, we have to check our biases at the door
when we're thinking about cyber defense
and fighting back against these adversaries.
What about some of the federal organizations?
And I'm thinking specifically of folks like CISA, you know,
are they overly focused on APTs at the cost of the hospitals
of the schools of those sorts of things?
Or is it a sense that they're out there, you know,
fighting the good fight, doing the best they can
with what they've got?
That's a good question.
I know it's a very hard problem to solve.
There are of course limited resources that various agencies have to be mindful of, but
I do think that there is still a bias in what we're thinking about, what we're looking at
from sort of a national level sort of assessment.
I think we've seen a lot of great success in other countries kind of dealing with this.
I think the NCA is a great example of the National Crime Agency in the UK.
They have done a really, really great job prioritizing ransomware in particular, but
a lot of these cyber criminal operations that are having very, very big impacts to the people
and their communities.
And we've seen the disruption of LockBit, Operation Cronos, we've seen some certainly Operation
Endgame, which of course, US law enforcement and US government agencies were involved in
as well, which was a massive, massive blow to cyber criminal operations, which was a
huge win.
But yeah, I do think it could be talked about and focused on a little bit more in some of these conversations. But of course, I do know
that I think China is really the main APT that I think a lot of organizations and intelligence
agencies are really focusing on, which of course is totally reasonable with the various
activity that has come to light over the last year. It is impactful and it is very, very important. So I do understand that there are courses of
balance and it can be very, very difficult to figure out where to put those resources when we
have limits.
I wonder, because I find myself, and this is just my personal take on this, that I find myself sometimes frustrated that we have
situations, for example, where hospitals have to shut down.
And you brought up the point that we have lost lives
because of this.
If a foreign nation were sending people here
and physically shutting down hospitals, the response to that would
be one of overwhelming force, I believe.
And yet here we are.
Do you understand my frustration or I guess maybe head scratching is a better word for
it?
Dave, absolutely.
I have the same reaction.
And I think it's really challenging to, you know,
focus on this and say, well, you know, it's understandable
or like to kind of be working in a space
and you're like, this is such a big problem.
Like, why aren't we doing more?
Why can't we do more?
And I mean, certainly just people in my own life
who have been impacted by this
and have had some of these experiences,
certainly in healthcare in particular,
the impacts are just so awful to the people.
Like not being able to get your medication,
not being able to have your surgery,
potentially having ambulances diverted
to other places for care.
You know, it's like, it's very, very impactful
to the human experience.
And I don't know why, you know, there was,
it has, you know, taken quite such a long time
for everyone to be like, oh wait,
this is like a big problem.
And I don't, I think in general,
the cybersecurity industry could use a little bit
more empathy all around,
not just for ransomware impacting various organizations that have a really, really,
really very difficult time and often times are shut down.
But also, we've talked about this in the past too, like romance scams, scams in general,
people being impacted and targeted by crime that is quote unquote, just digital.
The same reason, you know,
someone came up and purse-snatched you in person,
you know, people are going to care about that.
That's going to be really, really hard.
But if someone, you know, social engineers you
and steals your money, there's just this lack of empathy.
And to me, that's been probably one of the most difficult
parts about working in this industry is sort of seeing that
and being like, wait, this is a big deal.
We should care about this.
We need to focus on this.
And other people may be not necessarily agreeing.
So how do you suggest we move the needle here?
How can we redirect the conversation and get the emphasis where it needs to be?
So I think it's really important to change you know, change the mindset across the board,
how we're talking about these threat actors,
how we're understanding some of the risks and impacts.
I mean, I mentioned this before,
but the reality is most organizations
are at a far greater risk of being targeted
by cyber criminals.
And I think it's really important, you know,
threat intelligence practitioners, you know,
people reporting on this, certainly in the media,
is to make, you know, to tell those stories
and the impacts from a business
perspective, but also very much a human perspective.
And I also think it's very important for us to focus on the TTPs, the tactics, techniques,
and procedures, and not necessarily the who, but the how.
So if you're in your organization and you're developing detections and you're trying to
prioritize what do we care about?
Maybe think less about the who, but think about the how.
You know, what are the major techniques that are being used by these adversaries?
What are the ways that we can make sure that our organization is defended?
How can we be educating our users to not necessarily fall for some of these techniques?
And really make sure that, you know, regardless of who is behind
the behaviors, do as much as you can to prevent any sort of exploitation of known, you know,
TTPs so that you're defended, whether it's a state actor that's using them or whether
it's a ransomware actor that's using them.
I think, too, you know, we've seen some really great successes over the last year
in terms of when it comes to disrupting cyber crime.
And I think, you know,
that old chestnut public-private partnerships,
which is a phrase, you know,
that I think it's thrown around a lot,
but it is also very important.
And I think Operation Endgame is really sort of the standard
at which all of these things should be, you
know, upheld to, right?
I mean, we saw it was a cross-government, cross-country, many, many different organizations
were involved and they went after, you know, not just the ransomware itself, but the ecosystem
that enabled ransomware, right?
It was, of course, you know, a long, long time investigating, but it was a lot of sharing between many, many people to having a common
collective goal of disrupting these things, you know, cutting the head off the snake,
so to speak. But of course it was five different heads because it was multiple different malware
families. But it's, it's huge. I mean, it was, Europol called it the largest ever operation
against botnets, which played a major role in the deployment of ransomware.
That was a huge win.
And I really, really hope that we can learn a lot from that and hopefully moving forward
see much, much more of that.
All right.
Well, the research is titled, Why Biasing Advanced Persistent Threats Over Cybercrime
is a Security Risk.
Selena Larson, thanks so much for joining us.
Thanks so much for having me, Dave.
I will happily talk about e-crime with anyone.
There you go.
Our thanks to Selena Larson from Proofpoint for joining us.
The research is titled, Why Biasing Advanced Persistent Threats Over Cybercrime Is a Security
Risk.
We'll have a link in the show notes.
And that's Research Saturday brought to you by N2K CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltsman and Trey Hester.
Our executive producer is Jennifer Iben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here, next time.