CyberWire Daily - Red teamer's perspective on demotivating attackers. [CyberWire-X]

Episode Date: August 14, 2022

Cybercriminals are motivated by one simple incentive - money. Their favorite tools are bots to leverage sophistication, scalability, and ease of use. The effect is the creation of the underground bot ecosystem. This community allows threat actors to work together and continually improve their tactics. They sell bypasses for rule-based anti-bot solutions to other less technical fraudsters. In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table member Etay Maor, Cato Networks' Senior Director of Security Strategy. They discuss the reality that has put defenders at a serious disadvantage and the mitigation steps to consider for future attacks. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor Kasada's founder Sam Crowther about what he saw first-hand as a red teamer at a major Australian bank and what inspired him to reimagine bot mitigation with the founding principle of undermining the attacker's ROI.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hey, everyone. Welcome to CyberWire-X, a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the Chief Security Officer, Chief Analyst, and Senior Fellow at the CyberWire. And in today's episode, we are talking about bot mitigation by undermining the attacker's ROI. A program note: each CyberWire-X special features two segments. In the first part, we'll hear from an industry expert on the topic at hand. And in the second part, we'll hear from our show's sponsor for their point of view.
Starting point is 00:00:51 And since I brought it up, here's a word from today's sponsor, Kasada. If you've spent a lot of time and money fighting automated attacks, but still feel like you're losing the battle, you're not alone. The truth is, bad bots adapt in seconds and evade expensive, difficult-to-maintain defenses. Now there's a better way, with Kasada. Kasada has flipped the script on bots, ending the game of whack-a-mole. Kasada's elegantly simple, yet superiorly effective approach puts the burden where it belongs, on the attackers, not your business.
Starting point is 00:01:32 Stopping bad bots for good. Kasada takes just 30 minutes to deploy and shuts down malicious automation in real time with no manual setup, no annoying CAPTCHAs, and no complex rules to manage. Kasada stops the bot attacks others can't. Start today with a free instant test at kasada.io slash cyberwire. That's K-A-S-A-D-A dot I-O slash cyberwire. And we thank Kasada for sponsoring our show. I'm joined by Etay Maor. He's the Senior Director for Security Strategy at Cato Networks. Etay, thanks for coming on the show. Thanks for having me. So today we're talking about removing the financial incentives that motivate cybercrime as a strategy to reduce the probability of material impact due
Starting point is 00:02:26 to things like ransomware. And just to put some context around that idea, the threat intelligence team at Palo Alto Networks Unit 42, they published research in June of 2022 saying that the average ransomware payment is just short of $1 million. That's a million with an M, all right? And that's a lot of dough. So if we're going to try to remove the financial incentives to cyber criminals, that seems like a pretty tall order. So when you hear that as a potential strategy, in other words, that's what we're trying to do, what comes to mind in terms of tactics
Starting point is 00:02:57 or the how you would go about it? When you think about this problem, Etay, what are you thinking about there? So when I hear something like this, the first thing that comes to mind is actually a strategy or an approach that I really like that was suggested by David Bianco years ago, the pyramid of pain. And that concept talks about what it is that organizations have to do in order to cause maximum pain, so to speak, to the attacker. To the criminal, yeah, okay. Exactly.
Starting point is 00:03:26 And it's like a pyramid. At the bottom, you have things like dealing with hash values and domain names and IPs. Not that those are bad things to deal with, right? Like if you want to put them on a deny list or on a watch list and so on. But at the top of the pyramid, you really have their tools and their TTPs. So how they think, how they operate. A concept that I think is kind of missed throughout the pyramid of pain, when sometimes people look at it and only focus on the top, is the holistic approach. So you actually have to touch and acknowledge each and every step that the attacker has.
Starting point is 00:03:57 I think to stop an attacker, you really have to look at the attack as a holistic event and not as a set of separate events. Yeah, it's one of my pet peeves in the industry that for the longest time, security practitioners like us, you know, we would focus on the eaches, the technical eaches. Let's prevent this exploit from happening by patching. Let's stop this piece of malware from happening. On and on, this bad IP address. And that doesn't seem to be
Starting point is 00:04:25 enough. And to stop the incentive from these ransomware people to make a million dollars on whatever victim they're going after, like you said, it has to be so painful to them that they decide to abandon it altogether and not even go for it. And what you're saying is it needs to be a much more comprehensive defensive posture designed for, like you said, specific adversaries. Is that what you're getting at? Instead of approaching it as, hey, let's stop the phishing or let's stop the malware that has infected the device or we need to stop the whole thing and try to approach it
Starting point is 00:04:58 and stop each and every step of the way, which, you know, at first seems like, hey, we have a set of problems. When you look at a ransomware attack, you know, especially one of the visualizations that I really like is when you take these attacks and put them on the MITRE ATT&CK framework, and it becomes really obvious that there are multiple stages of all these attacks. And instead of stopping just one of them, we say, hey, instead of many problems, we have actually many opportunities. We have many choke points, so to speak, in order to stop this. If we can actually look at the attack as one holistic event in which we can use all the different security tools that we have
Starting point is 00:05:35 in order to share context and be able to stop it. I feel like this is known throughout the industry but hard to implement. I mean, the original white paper from Lockheed Martin back in 2010, the intrusion kill chain paper, they're the first ones that came up with the idea that instead of trying to block the eaches, that we would design our defenses around specific adversary behavior in their entire attack sequence. And if you look at the MITRE ATT&CK framework, probably the most comprehensive
Starting point is 00:06:05 open source collection of that kind of activity, you know, those sequences have anywhere from 30 to 100 steps, right? And like you said, that's an opportunity to put prevention controls in each of those steps. So even if the bad guy gets through one of them, they still got to figure out a way through the other 29 or 99, depending on how complicated their sequence is. Yes, the kill chain has been around for a while. But we've been looking at it as a set of solutions. I would call them very siloed solutions. And I get it.
Starting point is 00:06:36 I'm a security guy, and I say, hey, just integrate everything and make everything share context and information. It's so easy. Why are you not doing that? It's not. If it's such a great idea, how come nobody's doing it, right? That's what you're saying. The trade of this, you walk into the SOC and you see security engineers and analysts. And, you know, as much as it's nice to take a photo of somebody sitting in front of six screens,
Starting point is 00:06:58 for them, it means sitting in front of six or more security products and trying to correlate and connect this information. And actually, what we're seeing is that a lot of these security professionals are becoming integration engineers trying to share the data between, hey, I have my threat intelligence feed and how do I weed out the false positives
Starting point is 00:07:15 and feed them into my firewall or to the endpoint or to the SIEM and take that and feed it to something else. And so it is becoming very, very hard. I'll also mention one of my pet peeves is when I see articles on the internet that say, hey, company X got hacked due to a phishing email and company B got ransomed due to a vulnerability in their system. point of failure when actually when you have a breach and when you have a ransomware attack, you actually have a systematic collapse of all your security products and procedures, because it's never just the phishing was to get in. But then they had to do lateral movement and collect passwords and do this and that. And there's so many other steps. I totally agree with you there. That's one step out of the 30 or the 99 that the adversary had
Starting point is 00:08:01 to do. And what you said is correct, that wholesale failure of your entire defensive posture because they had to do all these other things to be successful. I totally agree. I cringe every time I see that. And when there's $1 million at the end of the day, of course, they're going to take the extra steps and do these things.
Starting point is 00:08:19 Well, let's go back to what you said before about the complexity. This is 2022. When the Lockheed Martin researchers did their paper, that was 2010. Most of us only had our own data centers and maybe a couple of headquarters buildings. The complexity for implementing a defensive posture for intrusion kill chain was hard enough then when we only had that. But today, we're scattered across all kinds of data islands, multiple cloud providers, SaaS applications. Now people are mobile everywhere.
Starting point is 00:08:47 So the complexity of this entire thing has been really difficult. So as a security practitioner, what's your advice to CISOs and CIOs out there? How do they think about this? And there's even more, right? There's IoT and devices and bring your own devices. Oh, yeah. Let's not forget those. So, yeah, it is indeed extremely complex.
Starting point is 00:09:08 I was asked a while back, what was the number one threat today to companies? And I said that the number one threat is actually not any of the threat groups that everybody discusses. The number one threat is the complexity of the solutions that we currently have in place. And I'm not trying to be a smart-ass about it. I really believe in it. Having an average of 30, I think, to 50 in a large organization's security solutions is not easy to manage. That's one element. The other element is, going back to what you said, is we also want to make
Starting point is 00:09:35 sure that with security, we have the policy following the user and not us trying to constantly chase them and trying to see if we can apply the same security requirements and policies from whatever it is. If it's a user, if it's a cloud application, if it's in your data center, if it's somebody working in the office. It has to be some form of consolidation or actually convergence of all these different elements that would allow you to have a central location to create a policy that will follow the user, to look into every network flow and every element of any connection to your network regardless of what it is and apply those
Starting point is 00:10:12 apply those. Apply context, that's extremely important. We're talking about, actually, if I have to break it down, let's say there are four stages here. First of all, be able to collect everything, all the network connections that are out there, whatever it is, wherever it's coming from. Then add context to it. You know, which user was it, from which network? What were they trying to do? Apply the policies that you want to that specific connection. And then, of course, enforce it using the different security capabilities that you have in place. So if we have any hope of putting prevention controls or even just detection controls for all the known adversary
Starting point is 00:10:46 groups in the MITRE ATT&CK framework. And last time I looked, there was about 150 different campaigns that those guys keep track of. And that's not a lot, by the way. It seems like when you read the headlines that there's millions of these hacker groups out there. It's not. It's just a small number. And we know 90% of what they do in cyberspace. So it should be an easy thing to put those prevention controls or deploy those prevention controls in the security stack that you're running in your organization. But all this complexity we're talking about is what's causing the problem. And what I think you are outlining is that it's a shift in the security practitioner thinking.
Starting point is 00:11:28 Say early 2000s, when we all sought out best-of-breed tools, we needed the best anti-malware solution. We needed the best firewall. We needed the best intrusion detection system. And so we would go out and buy all these eaches. And like you said, even small organizations have 15 security tools in their security stack. And Fortune 500 companies, I've seen some with well over 300 security tools because they have the money to do that. But managing all that complexity has been difficult.
Starting point is 00:11:52 So the shift then is away from best of breed to tools that are good enough and are automatically orchestrated for you across all those data islands, right? We need one policy that says, here's the prevention controls for Panda Bear, and it deploys it to all the data islands that we have, the cloud providers, the mobile devices, the SaaS application, whatever it is. I'm looking for that kind of a solution. Is that what you're advocating? Exactly. Like you said, from the early 2000s about layered security, and I like the approach of layered security, but it doesn't mean that for each layer you have 10 different, so to speak, boxes, and then you have other layers as well. Or the same kind of box for the cloud, but a different vendor back in your data center, right? That makes it even harder. Exactly. I mean, I don't envy the security person who has three different firewall vendors at 15 different locations, and then they need to update the policy. Like you said, Panda Bear, we found a new IOC or we found a new signature. Update all of them.
Starting point is 00:12:53 What about patching all of them and changing the policies? And there's so many other things. So chasing these boxes globally and also locally, that's the on-prem kind of thinking. And I think with organizations constantly talking about digital transformation and what we need to do in order to be the best in our business, the same thing has to happen with security and networking. We have to get out of this on-prem mindset. So to go back to the original question, then we're trying to remove the financial incentives for cyber criminals to be successful, I guess. We're trying to prevent them from getting a million dollar payout. That means we have to completely simplify our approach to deploying prevention controls for known adversaries, especially ransomware groups. That's kind of where we're falling down here, right? Deploying and managing and yeah, the whole
Starting point is 00:13:40 life cycle of a security product. Now, not you or I are naive to think that criminals are going to start selling ice cream tomorrow because we put some new signatures in place or put in some new products. Of course they're going to. What? Sure they will. I like pistachio. have to start implementing, and especially in terms of the ease of management and the ability also to, like I said, going back to my initial point of having full visibility to everything. And trust me, it hurts me as a security guy to give the IT guys the kudos of, it starts with the network. It starts with being able to see everything because we've seen this several times and in ransomware attacks as well. If one path was blocked and, oh, wait, that company has a user who is
Starting point is 00:14:25 working from home who brought in his own device, that's my way in. So we have to have full visibility to everything. So it starts with seeing everything on the network and then applying, like you said, not necessarily just best of breed, but something that we can manage, something that will provide us the context, something that will give us a holistic view and actually turn all these small elements that we've been looking at so far into actually multiple opportunities to stop the attack. Well, it's all good stuff, Etay, but we're going to have to leave it there. That's Etay Maor. He's the Senior Director for Security Strategy at Cato Networks.
Starting point is 00:14:59 Etay, this was a fantastic conversation. Thanks for coming on the show. Next is Dave Bittner's conversation with Sam Crowther, the founder and CEO of Kasada. So today we're talking about a red teamer's perspective on demotivating attackers. I'd love to dig in and just start with some high level stuff here. Can we sort of establish a ground level baseline truth here? I mean, what are the things that motivate cyber criminals?
Starting point is 00:15:47 Look, I think the cyber criminals, because there's obviously many different types of actors online, money, opportunity to bring in cash to either support their families, support themselves, or a little bit extra on the side. I think that's one of the biggest motivators, unfortunately. And so what does that mean for the defenders in terms of having that be the reality? How does that inform how we set up our defenses? What it helps us and I guess forces defenders to take a good reference on is how much is there to be made, right? And I think that really will inform the investment that's going to be required, or at least inform how much effort and deliberate decision making needs to happen in order to protect it, right? Like a really good example would be, if someone's selling, you know, stolen customer accounts on a website for $2 a pop, that organization basically has to make it cost $1.99 or $2 or more for every valid stolen account that gets leaked.
Starting point is 00:16:54 And that sort of just changes, I guess, maybe some of the decision making that's going to happen around the defense. And how have we seen this play out? I'm thinking of things like ransomware that's become more focused over time, and we've gone from irregular phishing to spear phishing. It seems as though the loot that these folks are going after in many cases has gotten bigger. It has, right? And that's what's driving the more sophisticated actions, because I think a lot of anti-spam technologies for email and whatnot have lifted the bar.
Starting point is 00:17:29 And so while generic phishing can be profitable in some cases, clearly the ROI is not there, right? And so that's why they're moving, I guess, more upmarket in their attacks, so to speak, and moving to spear phishing, moving to more damaging cases of ransomware and hitting organizations maybe in places that they weren't previously hit purely because there was somewhere easier they could still make a profit.
Starting point is 00:17:54 You know, there are some old sayings about this sort of thing. Obviously, we talk about low-hanging fruit. There's the other old chestnut about, you know, if you and I are being chased by a bear, I don't have to outrun the bear. I just have to outrun you. To what degree is that true here with this sort of thing? I mean, is this a matter of raising that fruit so that there's less for the bad guys to grab? It definitely is, right? And unfortunately, there is absolutely an aspect of you don't need to outrun the bear. That is an unfortunate truth. And so understanding where else they're going to go is critical.
Starting point is 00:18:33 But that also forces folk, and I think it's a very good conscious thought that needs to be had, a discussion that needs to be had: can they go elsewhere? Because there will absolutely be cases where they can't, where you are the only one that has what they want. And that's obviously a very different dynamic. But if that's the case, again, it needs to inform the way in which you think about defending yourself moving forward. Well, let's explore that. I mean, what are some of the ways that people can make it so expensive for these bad actors that it's not worth their time?
Starting point is 00:19:10 Well, this varies a lot based on the problems that are being faced. And I'm obviously very familiar with the space that we operate in, which is really focused on automated tools being used to abuse websites, mobile apps, e-com platforms and whatnot. So a really good way to increase cost across the board, especially in the area that we operate in, is actually increase the skill that's required to take out an attack. Because it inherently narrows down the number of people that are going to be able to come after you,
Starting point is 00:19:43 which means that internal security folk can dedicate their resources to the ones who are going to cause the damage, which sort of creates a nice little cycle of it makes it more expensive for those more sophisticated folk because there's more resources focused on them. And I suppose for your staff, it means they're not chasing around, they're not swatting at flies. Exactly, right? The fewer flies there are to swat at and the more actual big juicy targets there are to focus on, the better it is for us as the defenders. Can you take us through how this works? I mean, what are some of the specific things that organizations like yours put in
Starting point is 00:20:22 place to slow these folks down? There's two real components to the way we think about this. One is skill, right? Because that's a great way to waste someone's time: if they need to learn totally new things, they're likely to go elsewhere. And the other is actually compute cost, right? In a day and age where you can spin up a server for 15 cents an hour and launch some pretty devastating attacks, if we can actually make it cost more at the compute layer, that is a great way to disincentivize any sort of malicious behavior at scale. It really undermines the equation that they do: it's going to cost me X dollars to generate, you know, to crack N accounts, and I can sell them for Y dollars, right? And if that equation does not make sense, they just will not do it. Well, help me understand how that works. How do I increase their cost? Yeah, so what we've done specifically, and this is actually, this was attempted in the
Starting point is 00:21:27 early to mid nineties for email, is we basically designed this concept of an asymmetric proof of work, right? So I think of it as a math problem. It's far more difficult to solve than it is for us to verify. And so what that lets us do is have a strong asymmetry in the amount of compute required in order to even attempt to launch attacks than it does for us to defend them. And so, like, thinking like that is, okay, how can you asymmetrically increase the cost of the compute layer? Like, proof of works are a very good way to do that. There also can be other ways, right, like pitting connections. There's a plethora of different mechanisms that can be used. But being very strategic about them is very important because all of a sudden you can take someone's infrastructure cost from $20 to launch a significant attack to tens of thousands of dollars if they're not careful. And that is the ultimate scenario. And how do you do that while simultaneously not increasing friction for the legitimate users? Yeah, so making sure that everything is done invisibly and at the compute layer is absolutely key, right?
Starting point is 00:22:35 Because the reality is bots and automated tools, when they're used to attack, are used because they can scale. And so while the impact on an individual may not be substantial at all, right, and will often completely go unnoticed, when you scale that up, it becomes very problematic because, you know, the attackers are not doing, you know, one login every day. They're doing millions of logins an hour, a minute. And so that's when, that's when, you know, their costs exponentially go through the roof. How does someone measure success with this? If I'm reporting back to my board of directors and I say, hey, we put something like this in place, what sort of numbers do I have in my back pocket to show them?
Starting point is 00:23:20 Look, so there's usually a combination of the business metrics, and that could be decreasing fraud, decreasing customer complaints, increase in, like, conversion from new accounts that are created. But then on the flip side, you know, there's usually metrics which could be shown around, like, well, how many attacks are these folk attempting, you know, today versus yesterday versus last week. And so if you can actually see a decline in the attack traffic, you know, it's doing a great job, because that just verifies, you know, not only are they not making the money, the business can see they're not losing the money, but the attackers aren't hitting as hard because it costs them too much. Is there such a thing as sort of a, I don't know, a reputational advantage among these dark web operators?
Starting point is 00:24:06 Do they talk? Does word get around and folks say, hey, don't waste your time on this organization. They've got things buttoned up pretty well. Yeah, absolutely. That is something we find is the folk who are responsible for launching a lot of these attacks or providing the tools will often just not support organizations that have good defenses in place because they know it looks bad on them, right? Like if they sell something to someone else, you know, in order to maybe help crack accounts on a website and it doesn't work properly, it reflects poorly on them as the seller, right? Like they have these
Starting point is 00:24:38 unbelievable marketplaces where they're all rated. And so, you know, it's in their best interest to target websites that are going to be easier for other folk. So what are your recommendations for people who want to explore this, who think something like this might be a good solution for them? Where do they begin and what sort of questions should they be asking? The first sorts of questions and the first steps are usually to be, how do we figure out if this is a problem? And why would it be a problem? So looking at interaction points that someone is likely going to go after, right? Simple things like actually visualizing maybe login traffic over the last 14 days, right? Does it follow a beautiful cyclical path, right?
Starting point is 00:25:20 Day and night, day and night, or is it all over the place? What are the sort of rates of chargebacks on purchases? Those sorts of questions are important ones. And businesses will obviously have their own specific interactions like that. But from there, it's very easy usually to go, okay, there is a problem here that needs investigating, and to look at actually going to solve it. We'd like to thank Etay Maor, Senior Director of Security Strategy at Cato Networks, and Sam Crowther, the founder and CEO at Kasada, for providing some clarity to us around the idea of botnet mitigation. And we'd also like to thank Kasada for sponsoring the show. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe,
Starting point is 00:26:10 where they are co-building the next generation of cybersecurity startups and technologies. Our senior producer is Jennifer Eiben. Our executive producer is Peter Kilpe. And on behalf of my colleague, Dave Bittner, this is Rick Howard signing off. Thanks for listening.
