CyberWire Daily - Is enhanced hardware security the answer to ransomware? [CyberWire-X]
Episode Date: July 25, 2021With the recent onslaught of ransomware attacks across healthcare institutions, critical infrastructure, and the public sector, it's clear that ransomware isn’t going anywhere. But given how comm...on ransomware attacks have become, how is it that we've been unable to put a stop to them? Companies often overlook the role that hardware security plays in meeting this challenge, and that oversight has become a bad actor's dream. Michael Nordquist speaks about the recent surge in ransomware attacks, and how strong hardware security, combined with software security and personnel security awareness, can be the answer to the industry’s prayers. In this episode of CyberWire-X, guest Steve Winterfeld from Akamai shares his insights with the CyberWire's Rick Howard, and Michael Nordquist of sponsor Intel offers his thoughts to the CyberWire's Dave Bittner. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWireX, a series of specials where we highlight important security topics affecting organizations worldwide.
I'm Dave Bittner. Today's episode is titled, Is Enhanced Hardware Security the Answer to Ransomware?
With the recent onslaught of ransomware attacks coming across healthcare institutions, critical infrastructure, and the public sector, it's clear that ransomware isn't
going anywhere. But given how common ransomware attacks have become, how is it that we've been
unable to put a stop to them? Companies often overlook the role that hardware security plays
in meeting this challenge, and that oversight has become a bad actor's dream.
A program note, each CyberWire X special features two segments.
In the first part of the show, we'll hear from industry experts on the topic at hand,
and in the second part, we'll hear from our show sponsor for their point of view.
And speaking of sponsors, here's a word from our sponsor, Intel.
With businesses facing increasing numbers, types, complexity, and severity of cyber attacks,
looking beyond software to leverage the power of hardware is imperative.
Hardware security matters more than ever as cyber attacks evolve to evade detection by software-only security methods.
Intel Hardware Shield, exclusively found on the Intel vPro platform, provides built-in hardware
security capabilities to help organizations protect, detect, and recover from cyber attacks.
Product assurance, security technologies, and practices must constantly evolve to stay ahead of cyber threats.
And that's what you'll get with Intel Hardware Shield on the vPro platform,
making exceptional security possible yesterday, today, and tomorrow.
Go to www.intel.com to learn more.
more. To start things off, my CyberWire colleague Rick Howard speaks with Steve Winterfeld,
advisory CISO from Akamai. The second part of our program features my conversation with Michael Nordquist, business client planning director at Intel, about the recent surge in
ransomware attacks and how strong hardware security combined with software security and
personnel security awareness can be the answer to the industry's prayers. Here's Rick Howard.
I'm joined by Steve Winterfield. He is the Akamai Advisory CISO and a regular guest here at the CyberWire's
hash table. Steve, ransomware has been around for a long time, over a decade, but it seems to be
having a moment right now with big, splashy attacks against the Colonial Pipeline, JBS Foods.
I saw the National Basketball Association, and the latest one the last week or so was the Kaseya.
I don't even know how to, do you say it, Casilla? Do you know how we say that?
I'll follow your lead.
Casilla, right?
And then a bunch more victims that most of us have never heard of.
Do you have any thoughts about why we're seeing a surge right now?
I would say part of this is it was hard to get people to pay in the past.
If they paid through a bank, it was traceable.
get people to pay in the past. If they paid through a bank, it was traceable. And now,
because of some of these electronic currencies, Bitcoin and so forth, it's easier to collect payment is probably a big part of it. And it's an effective business model. It's just been working.
So they've been expanding it. I saw an analysis by a couple of New York Times reporters.
They were talking about, you know, in the old days, ransomware was mostly targeting, you know, moms and dads, the grandmas, going after 100 bucks a pop.
Then WannaCry happened, and then NotPetya happened, and then all of a sudden the criminals realized there was a bigger, more lucrative victim list if you went after corporations.
And that's when we started seeing the big price tags, 5 million, 10 million to unencrypt everything.
The business model continues to evolve because when we say ransomware, you're talking about
encryption, but they've expanded it to be a double extortion. There was a great report that
Sophos did that says the average time someone's been in a network is 11 days.
And that's both to make sure they've got all the encryption done, but where they can to exfil data and extort both you giving you the key as well as extort not putting that data out public.
If you're under a ransomware attack, do you treat it like an in ransomware attack or
should you treat it like a breach? What do you think about that? Well, I think you're right
because I've heard what you said before about the double extortion. I've heard another person say
it's a triple extortion opportunity. The original will unencrypt it for a fee. That's one revenue
stream. But if your data isn't encrypted, if the victim's data isn't
encrypted and they steal it, then they can sell that on the open market. So that's revenue stream
number two. And then if they're really crafty, they can come back to the victim and say,
we're going to release this to the public unless you pay us a different ransomware fee, right? So
three different revenue models there. So when you come back and say, do I think this is a breach?
I absolutely think it's a breach.
Ransomware is just a specific technique for criminals to make money.
They still have to follow the attack sequence, the intrusion kill chain, to be successful.
I will highlight two things you said.
The first is, you know, you said it's a technique.
And ultimately, I think it's important for us to remember that ransomware is a payload. And it's a payload with a specific business model.
Traditionally, that business model was encryption. There are a lot of ways to deliver that payload,
which takes us back to your comment on the cyber kill chain. I've always liked that as a way to validate my protections. The old saying that
the defender has to get it right every time, the attacker only has to get it right once
isn't necessarily true. Yeah, it's absolutely not true. It's absolutely not true, but go ahead,
finish your thought. Yeah, and that goes to there should be multiple times. To your point, let me paint that with a bigger brush.
What we're saying is if a ransomware group has to complete 100 steps across the intrusion kill chain,
if you have prevention controls in all of those places,
even if that ransomware group gets by one of them,
they're still going to run right into the next one.
So you don't have to
fail one. You have lots of opportunities to defeat them across the intrusion kill chain. That's what
I think it means. Is that what you think it means? I would agree. And the difference between that and
the traditional defense in depth really is the concept of taking a specific set of an attack
vector and mapping your controls to that attack vector.
For those who haven't seen the Cyberkill chain, it came out of those with more of a military
background. And you're saying, okay, if I were to attack a city, the first thing I'd do is send out
reconnaissance, looking for a weakness in those lines. Once I found someplace I thought I could break through those defenses,
I'd build the right forces. It may be rangers and attack helicopters, or it may be artillery and tanks. But whatever those forces were, I'd build the right way to get through, consolidate on the
objective, and establish command and control. I now own control of that town.
The same thought process is true when you're attacking a network.
You want to do reconnaissance.
Once you find that vulnerability, then deliver your payload.
Sometimes that will require command and control, phoning home through DNS or some kind of capability.
I think the ransomware group needs the command and control in order to coordinate where their stuff is,
how they encrypt and decrypt if they're going to do that process for it.
So I don't think that's a step they can skip, which is my point, right?
That it doesn't matter what kind of bad guy you are.
If you're a criminal or ransomware person or an espionage, a spy, or even just a hacktivist, you still have to work your way across the intrusion kill chain
in order to be successful, right? There's no step you can skip except for what you said,
maybe you don't have to recon if you're just going to blank it out, you know, a thousand
attacks a day, right? And you might send something out that just has a message, you know,
send your Bitcoin to this address and we'll send you a key.
So you don't need a lot.
But I would agree the typical one we're seeing is they're using command and control.
There are multiple points that you can disrupt them.
Absolutely.
So I'm personally tracking some 50 ransomware groups.
And I wouldn't say that's a comprehensive list.
These are just groups that I've noticed in the news. So I went looking over at the MITRE ATT&CK framework because this is my
go-to source for all intrusion kill chain information. And I noticed that they're not
really tracking ransomware group attack sequences like they do for cyber spies. You know, if you
look at the Colonial Pipeline attacks, FireEye attributed those attacks
to a group called DarkSide, but the MITRE attack wiki doesn't list them. They don't even list
REvil either. So that is startling to me that out of the 50 groups that I was tracking,
they don't have any of them listed. And you and I were talking before we started recording,
you were thinking maybe that doesn't matter that much. Tell me why that's so.
I don't know if it's not that it doesn't matter.
It's just where MITRE is putting its emphasis right now
is trying to keep that dynamic list up
or can you map for every different trend?
I think if you're going to go back
and talk to your red teams and your pen test teams,
you absolutely need to arm them with go emulate this specific attack group.
And it just gives you better results because it's ensuring your teams are using real world
tools, real world techniques, and validating your infrastructure in a way that you can map back to assuring the three most common or prolific attackers we've mapped to their techniques.
So we talked about intrusion kill chain prevention as one of the strategies to help reduce the probability of a successful ransomware attack.
But there are other ones. If we did follow our zero trust strategy,
is there something we can do there with segmentation that will help prevent a ransomware
attack? So, you know, if we go back to the fact that ultimately ransomware is a payload,
then, you know, what are the different ways to deliver that? So I think the most common is
probably through email.
And if you deliver through email,
you can either have an attachment
or you can send somebody out to a website
where they're going to do you the favor
of downloading that for you.
The next technique you might use is a direct attack.
You know, if you have access to their web pages
and they have vulnerabilities on something externally facing, then you can do a direct
attack. And then the last one we saw recently, the one you talked about, is actually through
the supply chain, third and fourth parties. There are a number of different ways.
And then you go back to what are your most effective controls.
And I think that's what your principals try to talk to is
what are the most common controls that provide the greatest return on investment?
Right, because if you're following a zero-trust strategy,
you're limiting who has access to the important resources in your organization. So even if the ransomware gang was successful in
establishing the beachhead, like you talked about, you know, doing phishing or some other means,
it doesn't mean they automatically get access to the, you know, the material information on
your network if you have made sure your zero trust program is robust. What I'm advocating for is
what you and I talked about in previous episodes is a pretty interesting segmentation plan and
being very careful about who has access to the keys to the city. So we've talked about the
intrusion kill change strategy. We've talked about the zero trust strategy. There's a third one I like to talk about is just resilience, your resilience strategy.
How do you think about your backup process in order to defeat ransomware?
Is there something we can do there?
I do like that.
I always struggle the difference between cyber resiliency and business continuity.
resiliency, and business continuity.
And in this case, ultimately what we're talking about, I think, is, you know,
when's the last time you did a tabletop exercise on how you would respond to this?
You know, and you know I'm a process guy, a program guy.
Yep, yep, so am I. You know, have you actually tested your backups, installed from your backup, operated?
Have you made a decision on your cyber crisis team, you know, legal, your regulatory compliance folks, your public relations on whether or not you would pay?
And if you're going to pay, are you going to use some kind of a broker or third party to do that interaction?
Well, walk me through that because that's a pretty, I don't want to say this.
You know, five years ago, that was a controversial thing to say that clearly we might pay the ransomware.
But you see people paying it all the time now.
So walk me through that thought process.
What would be the indicators for you
advising the CEO that, you know, boss, I think we should pay the ransom? What's the thought process
there? Well, I think some of the factors that need to be considered is what is compliance?
Because if you're in a regulated industry, is the regulator going to be okay with you paying?
And you're seeing different regulators sending different messages right now.
The next thing is talking to the legal team.
What are their considerations?
Talking to the CFO, what does it cost to be without?
And then making sure everybody's aware that even those people that get the keys,
very few of them got 100% back.
Imagine this, working with unscrupulous criminals, didn't get anything.
And I'm shocked.
Shocked, I say.
What?
They didn't unencrypt everything?
Oh, my.
And even those that did get the keys, it wasn't necessarily, you know, 50, 80% recovery.
It wasn't necessarily, you know, 50, 80% recovery.
And there's, you know, a deep, complex story behind those numbers.
But I think understanding that baseline for everybody is important before you're in crisis mode, having worked through that thought process.
Yeah, you know, basic, you know, tactical things come to mind right away when I'm thinking about that is what is the probability that they're going to give us the key after we pay?
That'd be one thing.
You know, is there any evidence that said they have done that in the past?
And second, like what you're saying, is there any evidence that even if you have the key that there's going to be some reasonable process to unencrypt everything? All right.
And in the latest attacks, these last year or so, that is becoming less and
less a viable option. And I got to think, you know, this is software doing all this stuff,
right? I guarantee you that the bad guys aren't spending a lot of time on the decryption process,
right? You know, there's no revenue in that part of it, right? So at this point, I'm thinking,
I don't think I'd be recommended unless I'm totally wiped out.
And none of these other strategies that we've talked about here, intrusion, kill chain, zero trust, resiliency, none of those have worked.
And we're down to, you know, buying the keys back.
Tell me, are you with me on that thought process or am I wrong?
It goes back to the thing that, all hate to say, it depends.
It depends on the industry.
It depends on the business model.
And whether or not they're going to pay, that's why you consider using a broker.
There are companies that specialize in doing the payment or holding the payment until the key comes in and guaranteeing to pay them, you know, and knowing
the reputations. And so I know of CISOs I've talked to that have picked out who that broker
would be, that third party would be, and have them on speed dial if it wants, you know, they've made
the decision to pay to let that intermediary handle that.
You know, and lastly, where you sit geographically determines, you know, how legal it is or isn't to do all that.
Right.
Because the laws in the U.S. are different than the laws in, say, you know, some other
country, you know, some smaller country somewhere, right?
So you have to consider all those things.
Is that what you're saying?
Yeah. some smaller country somewhere, right? So you have to consider all those things. Is that what you're saying? Yeah, and I mean, within the U.S., it depends.
You know, if you think customer information is gone,
then you have privacy laws.
And, you know, it gets complex quick.
One side question that gets,
this is not really about strategies,
but one of the things that people have talked about
for defense against ransomware is to turn to the hardware manufacturers, like maybe Intel.
Could they build us a chip that would be more resilient to ransomware?
Is that possible?
Has that even been tried somewhere in the past?
Ultimately, the more secure your hardware is, the better.
I'm just not smart enough to understand how that's the solution.
Yeah, you know, we've been saying that for years about just, you know, OT and IoT environments
that it's just the manufacturers who just get on board.
But I don't see that happening anytime soon, right?
And so, like you said, I wouldn't put all my eggs in that basket.
If you haven't talked to your leadership, including and quite possibly up to the board,
you know, this is a time to have the discussion before you're in crisis mode.
So please validate your backups.
Please, you know, go out and do those exercises.
Good stuff, Steve.
Thanks for coming on and talking about all this.
coming on and talking about all this.
Next up is my conversation with Michael Nordquist,
business client planning director at Intel.
You know, ransomware is the thing that's plaguing the industry now.
It's definitely hot and it's out in the news right now.
And it's a complicated thing as we actually get into it.
Typically, you've got software that is looking for ransomware and things that are happening.
But as the attackers get more sophisticated, that's tending not to be enough.
And so they're looking for more signals or more ways to actually detect that this comes into play. And I think that's one of the cool things that a company like Intel can bring to the party where we have additional telemetry or more information down at that platform level that we can work together with ISVs that are out there to signal that a ransomware attack might be happening much earlier on and be able to detect that really quick before it becomes a problem.
much earlier on and be able to detect that really quick before it becomes a problem.
Can you help me understand, just really let's dig into the basics here of the differences between hardware and software when we're talking about these things?
Yeah, for sure.
Well, if you kind of take a look at the system overall, it's a stack up of different things
that you have.
You start at the foundation with the hardware and you start building up from there. Then you have firmware that's built into that system. You have
a BIOS that's sitting on top of it. Now, in a lot of cases, you even have a VMM that sits in there,
like a Microsoft VBS, and then you have the OS. And then on top of that, you typically have your
EDR or XDR solution on top of that that's sitting on top of the OS.
So it's got to go through all those different layers.
And one of the things we're able to do since we're down at that foundation level
is we're able to bring some signal
or telemetry information,
patch that through to that ISV
that's sitting on top of the OS itself
to help it make more intelligent decisions
because it would have more information
than just sitting on top of the OS by itself. What kind of information does the hardware have access to that's unique?
Well, so we have some of these performance counters that are actually sitting in the CPU in itself
that can kind of go look and see what kind of actions are actually happening in the product.
Is it starting to do encrypting or some different things happening
down below at the file level, down below that file level to see if there's different things
that are happening that might be abnormal. They could be normal in some of the cases,
but they can give some signal to say, hey, these sorts of things are actually happening.
And they're looking at kind of patterns to decide, hey, is that something that could
be malicious in that space? Does this add any level of complexity here
for the user? How do they go about implementing something like this?
Yeah, so that's the great part about it is it doesn't add any complexity for the end user. So
what we do is we actually have the technology that we work on and we bring out in this space,
and then we work with the ISVs in this space to be able to call our APIs and take a
look at what is happening in this area. And so from an end user, all you're actually doing is,
hey, do I have the latest security software solution from that company to actually be able
to go do it? I just download it. It automatically recognizes that I have that capability on my
platform, and it just takes advantage of it. So from an end user perspective, I've just got to
have the hardware, obviously, in that case. And then I just have to have up-to-date software that's
enabled for this. What about for the software developers themselves? What goes into enabling
these sorts of capabilities for them? Yeah. So we work directly with those folks. And we have a SDK
that we actually work with them on, a software developer kit, where they can actually take advantage of this and do the calls that they need to do. And we found in
this space, it has just been ransomware. So we started way back a couple of years ago, and we
were doing some various things around just accelerating to do memory scanning capabilities.
And so we started working with folks on that. Defender's already got that implemented. There's
100 million plus systems out there deployed that are already using it.
We switched and moved into crypto mining, right?
Because that's another hot area where, hey, we can use these counters to do crypto mining
kind of analysis as well.
You know, we've got Defender, we've got, you know, Silance, we've got SentinelOne.
And then we've kind of turned our attention lately into ransomware and taking similar types of SDKs to just enable that and start taking advantage of that.
And we've got an announcement with Cyber Reason that's out there, but we also have several other ISPs that are going to be bringing out support for it in the coming year.
What sort of competitive advantage does this give to the folks who are implementing it?
What sort of competitive advantage does this give to the folks who are implementing it?
We think this gives a tremendous competitive advantage in this space because you're starting to use some of that telemetry and that hardware that's there for more sorts of things. If you're doing software alone, there's so much that you can get done.
It's not just in the ransomware in this space.
That's definitely one of the cases.
But there's all other kinds of attacks.
We see ROP attacks that actually happen.
We brought in a technology called Intel Control Flow Enforcement Technology, for example.
And that gives you much better protection.
It actually prevents classes of ROP attacks in this space.
And so as we see the OSVs that are out there and ISVs start to take advantage of it, it helps them get that kind of next round of attacks and helps them get in front of some of the attackers in this space
and really utilize some of the hardware that's already there.
How has this affected you and your colleagues at Intel in terms of, I'm thinking as you're
developing the current and next generations of some of this hardware and the community is faced with these sorts of threats, does this give you all an opportunity to put some things into those chips that you wouldn't have otherwise considered?
Yeah, for sure.
I mean, we have our own security offensive team looking for things that are happening in this space. But really,
when we kind of pull together and we work with the OSVs and their red teams and work with the ISVs and their red teams, we start to find different levels of attacks. And we might see different
people that are trying to solve problems saying, hey, I can't solve this by myself. And one of the
things I was involved in was the ROP CET, for example. Hey, in this case, Microsoft was trying
to prevent these classes of attacks,
and they were unable to do it with just software alone. They really needed some hardware support.
And so we sat down, jointly wrote a spec with them, developed that, and built it into our silicon.
And so we're seeing more of those as we look into the future of how do we combine the hardware
and the software to offer better overall protection in this space.
Some of it can be just that traditional, we accelerate it, right?
So in some cases, if you look back on some of the security things, people don't turn it on because it's got a performance hitter.
It's got a user experience impact for that end user.
And so what we're able to do is, in many cases, just try to accelerate that by putting it into the hardware. So you can crank up that security without taking a hit from a performance or user experience perspective. And where does this fit into
the overall defense in depth, the various things that people will have in place to help protect
themselves, their employees, their organizations? Yeah, I think it's just, it's holistically as you
kind of look through it. There's not one answer in this space and it's always evolving, right?
So you have to holistically look through it and say, hey, when I'm making a PC, you know,
purchase decision of the hardware, I'm making a security decision.
Hey, when I'm, you know, choosing an OS and what version of that OS, I'm making a security
decision.
When I'm, you know, choosing my EDR solution, I'm making a security decision, when I'm choosing my EDR solution, I'm making a security decision,
how I'm organizing my infrastructure. You have to holistically look at all these different things
and kind of look at how am I protecting myself? How am I staying up to date? How am I making sure
I have the most current software, hardware, firmware, BIOS in the space to be as protected
as I can be? Yeah, it's a really interesting point. I mean, I suppose one
of the things here is that we're kind of in a world where when you're making these hardware
decisions, you've got to look beyond just clock speeds and number of core processors.
Yeah, for sure. I mean, I think one of the exciting things, Google's already on that
path where they do updates every six weeks in this space and they're updating the OS and
different components. You've seen Microsoft come in now. It used to be, hey, I've got like six
years in between an OS version. Now they're really starting to crank along six months,
nine months in that space where they're updating. And the cool part about that is it's enabling us
to build in not just performance features or UI, it's building in security technologies.
And so we're starting to see some of the security support come in in that space, people turning
things on like virtualization-based security and bringing that in mid-cycle into Windows
10.
It's about CET that I just talked about earlier.
And then as we kind of look ahead, what are some of the other technologies that we can
enable?
And it could be just through that ISV perspective, right? Hey, I know the hardware
is already there. I've got the latest version that I just downloaded and updated my security
software. Boom, I've got extra support in this space. And so from our perspective, how do we
make that super easy for the end user to take advantage of and deploy? What are your recommendations
here? I mean, for folks who want to implement this
sort of thing, what are the types of questions they should be asking? Yeah, I mean, I think in general,
start asking some of the security questions in this space. I think one of the challenges is
it's a confusing area. For us, what we've tried to do at Intel in this space is we've got a commercial
platform called vPro in this space, and it's
got Hardware Shield. If you're not really sure, hey, I don't know what I need or what I don't
need in this space, you know that if you buy that platform that you just get it, right? And so that's
how we're trying to make it easy for that end user. But there's also other programs that are
out there. Things like Microsoft has secure core PCs, for example, and all of our vPro PCs are capable
of being secure core.
So those are some of the things you can kind of look at just from a high level to make
sure you're up to date.
I think one of the things you have to look for is just kind of security assurance as
you go through when you're taking a look at different products, whether it's from Intel
or anyone else.
Do you have that methodology where people are designing their products with security first?
It can't be attack on later on, right? So you have a security development life cycle that starts way
early on. Having bug bounty programs, going out and actually looking for those bugs and finding
them. I think a lot of times people will say, oh my gosh, this person had a bug. They must have bad
security. And I guess what I would caution people is, in a lot of cases, when people will say, oh my gosh, this person had a bug. They must have bad security.
And I guess what I would caution people is in a lot of cases, when people find bugs,
that's because they're looking, right? They're trying to find those things. And then are they being transparent and are they making updates as they find things? So something that could be a
vulnerability hasn't been exploited yet, right? They found it before it's been exploited. They've
got a fix and they've got you actually working.
I think that's one of the things
that I'm super excited about from an Intel perspective
that I think we do really well.
And I think as end customers look at that,
they have to ask those kinds of questions
of their suppliers and their vendors.
What is their kind of security assurance value prop
and promise in that space?
Yeah, it seems to me that your hardware is so foundational to your organization and your
security.
You want to make sure that that's sitting on bedrock and not sandy soil.
Yeah, exactly.
Because attackers go where it's easiest in a lot of cases.
And I think some of the osps have gotten a lot
better at locking down some of the capabilities adding things like virtualization in this space
so attackers will go look at things they maybe didn't look at before because they didn't need to
you know from a hardware level from a firmware from a bios right and that's a lot of the work
that we've been doing the past few years to really beef that up and harden it up which wasn't
traditionally a point of attack but we're you know, attacks get more sophisticated and start looking
at those different areas. On behalf of my colleague, Rick Howard, our thanks to Steve
Winterfeld from Akamai for sharing his expertise and to Intel's Michael Nordquist for joining us.
CyberWire X is a production of the CyberWire and is proudly produced in Maryland at the startup studios
of DataTribe, where they're co-building the next generation of cybersecurity startups and
technologies. Our senior producer is Jennifer Iben. Our executive editor is Peter Kilby.
I'm Dave Bittner. Thanks for listening.