Risky Business - Risky Business #710 -- Why your corporate VPN will get you owned
Episode Date: June 13, 2023

On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover:
- Fortinet 0day Groundhog Day
- CISA's new binding directive on exposed management interfaces
- Confirmed: US intelligence buying commercially available data
- MOVEit drama rolls on
- Much, much more

This week's show is brought to you by Red Canary. Chris Rothe is this week's sponsor guest and he joins us to talk about how MDR providers are helping customers deal with cloud monitoring. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.

Show notes
- Fortinet Warns Customers of Possible Zero-Day Exploited in Limited Attacks - SecurityWeek
- Barracuda Urges Replacing — Not Patching — Its Email Security Gateways – Krebs on Security
- MOVEit announces second vulnerability; Minnesota schools agency breached with original bug
- Confidential data downloaded from UK regulator Ofcom in cyberattack
- Ransomware group Clop issues extortion notice to 'hundreds' of victims
- Another huge US medical data breach confirmed after Fortra mass-hack | TechCrunch
- CISA orders US civilian agencies to remove tools from public-facing internet
- Microsoft says Azure disrupted after a week of repeated service outages | Cybersecurity Dive
- Microsoft says Azure outage was caused by 'anomalous' traffic spike
- Microsoft investigating threat actor claims following multiple outages in 365, OneDrive | Cybersecurity Dive
- Risky Biz News: Ukrainian hackers wipe equipment of major Russian telco
- U.S. Spy Agencies Buy Vast Quantities of Americans' Personal Data, U.S. Says - WSJ
- The US Is Openly Stockpiling Dirt on All Its Citizens | WIRED
- Srsly Risky Biz: Thursday, July 29 - by Tom Uren
- National security officials make case for keeping surveillance powers to skeptical Congress - The Washington Post
- Senators say Biden administration isn't close on overhauling surveillance law
- Russian nationals accused of Mt. Gox bitcoin heist, shifting stolen funds to BTC-e
- North Korean hacking group Lazarus linked to $35 million cryptocurrency heist
- North Korean hackers stole $100 million in recent cryptocurrency heist -analysts | Reuters
- An Illinois hospital links closure to ransomware attack
- Security professional's tweet forces big change to Google email authentication | CyberScoop
- Can you trust ChatGPT's package recommendations?
- LastPass CEO reflects on lessons learned, regrets and moving forward from a cyberattack | Cybersecurity Dive
Transcript
Hey everyone and welcome to Risky Business. My name is Patrick Gray. This week's show is brought to you by Red Canary, the MDR company, the Managed Detection and Response company, and Red Canary's co-founder and CTO Chris Rothe is this week's sponsor guest. I'm talking to him about how MDR companies are handling monitoring cloud-based environments, and yeah, it's gotten
a lot easier for them to actually do valuable work on cloud monitoring and response. So that's an
interesting chat about how all that's evolved, and it's coming up later. But first up it's time for a
check of the week's security news with CyberCX's Adam Boileau. And Adam, I don't know if I've had a stroke or, you know,
if this is actually what's happening,
but, like, more Fortinet 0day
seems to be in the news cycle
this week. And as I say,
yeah, I do get that feeling like
I've had a stroke and I'm like just stuck in
some sort of weird time loop or something.
I don't know. Yeah, it's Fortinet Groundhog
Day every day here at Risky Biz HQ,
that's for sure. I did see someone on the internet having photoshopped all of the Fortinet CVEs into the
This Is Fine dog, and that's definitely what it's been like. So Fortinet have
released a patch for FortiOS, the underlying operating system on a bunch of its products,
that addresses a bunch of bugs, but in particular one of these is pre-authentication
remote code execution in their SSL VPN product. I mean, great. I mean, it kind of doesn't
really get worse than that for a security product that's designed to be on the edge of your network.
And even better, the bug appears to have been discovered in the wild prior to
some French researchers who reported it to Fortinet, and had been being used in the wild. Yeah, so
that's not great. Not great at all. Fortinet did patch it quietly in their most recent round
of updates, but, you know, the fact that we've seen it exploited in the wild prior to the bug being reported to the vendor is unfortunately, you know, that's a pretty
grim meat hook future right there. Yeah, having to deal with that in your security
perimeter control devices. I mean, there was some talk that maybe this was the 0day that the Volt
Typhoon hackers were using, but no, no, that was a different 0day. Different one, yep.
Yeah, no, this was actually a heap-based buffer overflow
parsing the login message.
So the posts to the login part of the web app
that runs the SSL VPN,
parses some parameters unsafely,
typecasts them into a variable that's the wrong size,
leading to a missed length check,
leading to heap memory corruption.
I mean, how have they not found this, right? Like, I mean, it does kind of feel like the sort of thing that fuzzing would
have picked up. Yeah. So yeah, you know, and when you look at how we got here, right,
like in the years leading up to the pandemic, the push towards identity-aware proxies and, you know,
zero trust everything, and, like, moving away from this type of equipment was happening.
I mean, it was gradual, but it was happening.
And then COVID-19 hit.
Everybody had to go work from home,
and there really was only one option to get going quickly,
which was to deploy VPN concentrators with enterprise features.
And because the industry had been so geared towards creating
the next generation of remote access tech, the only stuff available on the market is all this old crap that is not QA'd properly.
And every time you pick it up and shake it, CVEs fall out, right?
And this was such a shot in the arm to companies like Pulse and Fortinet and whatever.
They sold so many VPNs through the pandemic.
And this is a hangover, right?
COVID-19 extended the life of these companies
and these technologies.
And that's unfortunate.
Yeah, and I think it's also fair to say that,
you know, VPNs are relatively old tech,
as you say, like this is a thing we've been doing
in the security appliance and industry for a long time.
And there was never really much pressure
that these things worked. Like, they work in the sense they transport network traffic from A to B,
but there was never any reason they
needed to be secure, because there were so many other ways to hack things, right? There was, you
know, phishing and, you know, PHP web apps and SQL injection, and so VPNs never really needed to work.
And now they do, because we've tied up a bunch of other bug classes, the pandemic happened,
and these are, you know, vendors in many cases with pretty old tech. And yeah, I mean, this is, you know, a
lot of history coming home to roost all at once, and bad news for the customers. So you and I have
been having this discussion over the last couple of days about, well, when we talk about this, you
know, in this week's show, you know, what are we going to tell people? Because it's not like the
file transfer appliances, like you and I both said, well, we don't think people
should use them. They, you know, they need to decommission them. Doesn't matter which brand it
is, because they're all pretty rotten. You know, try to move towards some sort of SaaS thing,
just work it out. It'll be painful, but you can do it. You can't give the same advice. You can't
tell an enterprise, hey, just turn off your VPN, because there's still a lot of people working
from home. You know, some only a few days a week or whatever, but the, you know, the productivity hit
from just disconnecting your VPN, it's terminal, like it's a non-starter as an idea.
So then we were talking, well, how do you mitigate the impact of having to use a border device that,
you know, it's not just Fortinet, they all suck, right? How do you mitigate the impact of having a domain-joined network appliance
at the edge of your network that is going to get 0day in it?
And there's no good answer to that.
It's a really, it is a really hard problem, yes.
These things handle end-user credentials and admin credentials.
A lot of people use VPNs for service providers
to get into the network to deliver service.
So there's privileged accounts being handled through there.
And even with all sorts of good quality technical controls,
you're still handing over user credentials and user access to this device
to then either authenticate onwards to the main controller
or whatever other mechanism.
They are a single point of failure,
and they're on the edge of the network in a privileged role.
And advice is really hard to give because, as you say,
all of the vendors have had bugs.
They're all long-in-the-tooth products that don't have the kind of security
segregation, defense in depth, or whatever else that you would imagine
that they do.
We've seen conversations about old architectures that don't support
modern exploit mitigations. You know, it's like stack, you know, I mean, it just boggles my mind that
you can have this much attack surface exposed pre-auth in a product like this. Like, I would
have thought that would be... but then again, this bug is actually in the auth, right? So I mean, it's in
the login processing. So it hurts my brain. Absolutely hurts my brain.
But I think ultimately where I arrived in discussions I had with other people, though,
like talking to the Airlock team yesterday, we were recording a Soapbox and we were talking about a slightly different context, but we were talking about living off the land when you
do have an authenticated attacker, which is what you wind up with in this sort of scenario,
which is someone coming in authed on, popping the VPN appliance. You know, they said, well, really, you know, often
if you know what sort of tradecraft you're trying to stop, like, you can use technologies
like theirs to stop this stuff, right? So by only allowing certain things to, you know, Windows
utilities and whatever, to execute in certain contexts. But ultimately, if you want to have a higher degree of confidence that you're going to catch
an attacker here, you need some sort of managed detection and response. I also spoke about this
with Dmitri Alperovitch, you know, co-founder of CrowdStrike, and a lot of people would have
guessed by now he's a pretty good friend of mine. So we talked about that as well. And yeah, I mean,
that was his answer as well, which is MDR. Now that's a pretty
expensive, big solution. Like, I honestly think people should be doing MDR. That's not just
because Red Canary is a sponsor this week. Like, MDR is becoming an increasingly important
part of the mix. So I think that's something people should be doing. But when your response
to, well, we want to use a VPN, and the corresponding control is comprehensive managed
detection and response, you know, that's a big mitigation. If you want to introduce these
into your network, the only mitigation is to do everything else right and spend a lot of money,
which is unfortunate, you know. Yeah, yeah, and it really is. And, you know, having enterprise-wide
good quality MDR is going to solve a whole bunch of problems,
not just that your VPN is bad, like everything else,
your PAM product and your password vaults
and whatever else that are also bad.
It'll address the same problem with other things,
which is great, but it is a very big and expensive hammer
to have to throw at what used to be,
what used to feel like a pretty simple problem to solve. VPNs
are a mature tech. Yeah, it used to be something that you didn't have to think about, because what
could go wrong with a VPN? Apparently, though, quite a lot. It turns out quite a lot, because no one's
ever really looked at them that hard, because we didn't need to. And, you know, when we were dealing
with, you know, trad VPNs, IPsec site-to-site, you know, that code is really unpleasant to read.
I mean, IPsec is just horrible to work with,
and it has remained relatively bug-free, implementations of IPsec,
because everyone just goes, oh, I don't want to have to read that.
So it's kind of security through just being gross,
whereas web-based VPNs, SSL VPNs,
like, we can use web bug tech to go find the bugs in them.
But, I mean, you even look at, like, when we were talking earlier on in the week about this, I said, well, maybe Microsoft
DirectAccess. Like, that's Microsoft's bog-standard remote access product for enterprise Windows
networks on modern Windows, and it's like IPv6 inside IPsec inside HTTP so that you can get
across people's network without having to deal with IPsec problems.
And, like, it's still gross.
But it's like, there's a degree of, you know,
Microsoft-level gross is a different category
than we wrote our firewall in PHP 25 years ago.
Yeah, they'll just have some suicidal configuration option
that people think they need to tick and gets them owned, right?
Like, that's how Microsoft gets here.
Yeah, and to be honest, also the IPv6 part,
I think is going to get them owned.
Like I've spent some time tinkering with Direct Access
and there's definitely bugs to be found in the way that IPv6 works.
But I don't think you're going to find pre-auth remote code exec.
Yeah, it's not like Fortifail.
It's not Fortibad.
Yeah, yeah, yeah.
So Fortibad, I think that needs to be a new term of art.
But it's not just them, right?
Because I thought, look, wouldn't it be great if we could come out on Wednesday and say,
here, use this modern one.
But if you look at it, even the hip and groovy VPN stuff that infosec people like, all you
need to do is Google any product name with space CVE and then just go hit the page and
have a scroll and you'll be finding, like, these... let's be honest,
anything over a seven is a 10, you know,
in the hands of anyone who knows what they're doing.
And, you know, regular bugs in all of this stuff.
There's just no good VPN solution at the moment.
It's crazy.
I mean, you know, the typical answers trotted out
are going to be non-enterprisey ones like OpenVPN,
which is a nasty mess of very old...
No, and this is what I mean. Like, go
Google OpenVPN CVE. Yeah, I mean, there certainly has been. So, and their crypto code is old and
creaky. Like, I wouldn't feel great about that. I mean, and then there's modern things like WireGuard,
which, like, the WireGuard governance is pretty good, like, attack surface wise is pretty good.
But then you look at something like Tailscale, which makes WireGuard usable, and, you know, Jamie from my work and her buddy Emily, like, they destroyed it, like, with remote
code exec and so on and so forth. Even the new ones, you know, probably not Fortibad,
but yeah, you know, it's very hard to find a VPN solution that you would feel happy putting on
the internet. And as you say, it's not just Fortinet. We've seen Citrix bugs.
We've seen Pulse.
We've seen Juniper.
We've seen Palo Alto.
But that's what I'm getting at.
This isn't just a Fortinet problem.
There is no simple way to fix this.
And even if you do go the MDR route, okay,
an attacker pops your Fortinet.
They grab the service account.
They go in.
They start doing some living off the land,
but they do a couple of funny suspicious executions.
Your MDR provider snaps them, they isolate those machines,
they evict the attacker.
Then what?
Then what do you do?
I mean, maybe you got a patch for that particular bug.
What do you do the next... every time there's a CVE,
you're going to roll, like, MDR response? And just, I don't know,
what do you do if it's 0day and you're waiting for the
patch? Do you just shut down your VPN, shut down your company? Like, it's been a while since I've
seen a category of, like, day-to-day CISO problem that's this bad. Yeah, no, absolutely agree. And,
like, the range of security products that are on the edge of people's networks and the functionality that they have, like, do make it hard to contain them. Like, I'm thinking of a... I reviewed a PAM
product that was for remote access, and I got, like, straight-up remote code exec on the underlying
device. It's already got the file service, like, the Windows file service, mounted so that it can share
files and do stuff through a web interface, right? So you just, like, select all and download, I'm
guessing. Yeah, I mean, pretty much, right?
So trying to bolt detection response
into something that has already got those,
like that it's not anomalous or it's not unusual
for it to be doing those things.
Yeah, I mean, I understand that.
In the case where you're directly mounting the file system
to the edge device, right?
Like, okay, fine.
But I'm guessing that's a configuration option
that one might disable.
But I guess then again
someone could probably just turn it on
and you've got the necessary network access anyway
to just do it without
independent of what the device is doing
and that particular thing was a PAM product
and it also did HTTP proxying
so that you connect onwards
to other things in your network
and it's just like
what normal use of those devices looks like is already terrifying,
and then trying to find the genuinely, you know, bad people in there doing it, like, it's really
hard. But I don't know that there is a better option than the thing you would do for an attacker
getting into your network through any mechanism, which is detection and response. Well, I
think for some people, like, they're a little bit scared to do the O365 uplift, and that would
probably be enough for a lot of organizations that are otherwise using these types of VPN appliances. Like, you know,
actually churning users over onto Microsoft or Google cloud stuff and using OneDrive instead
of network shares. You know, it's not as hard as it used to be. Like, you can do those sorts of
migrations pretty easily. So that's another potential solution here. But I have a feeling that for a lot of companies out there,
if they could have done that already, they would have.
But that said, I think it's a matter of, you know,
adding up the cost versus the benefit.
And I think those calculations, like as we've just seen,
like how bad it's got, those calculations would have changed.
So hopefully this is enough for some people to say,
okay, well, we're going to do our, you know,
big cloud service SaaS uplift now.
I think this is a good time to do it.
But yeah, in other orgs that are very big
and, you know, have old systems and stuff,
you just can't do that quickly.
So anyway, sorry, you know,
I really hoped that we could do this week's show
and say, all you need to do is X.
And there's just no simple solution here.
It's basically like,
if you want to use one of these things,
you are introducing a level of risk to your environment
that is going to cost you a lot of money to mitigate.
That's the takeaway.
Yeah, and we, as an overall industry,
people providing edge devices that do security critical stuff
have never had to bear the full cost of what their products do
in terms of the risk of the response of all the things that can go wrong.
And pressure on your vendors
when you're making purchasing choices, et cetera,
is a good long-term plan.
But this was a problem that has been going on
for a long time
because there was no market pressure on vendors
to produce a product that worked well.
Well, I don't think it's just that.
I think it's also that the investment in new technology,
the R&D was going into stuff like identity-aware proxies and stuff because people realized that VPNs were kind of a mature legacy technology a bit.
So I don't think it's just about market pressure.
I just think that people were focused elsewhere.
Anyway, let's move on.
Let's keep talking about ancient appliances that are getting everyone owned.
And Barracuda.
This was all over everywhere.
I think this happened just after we finished last week's show,
but Barracuda have urged people
whose Barracuda appliances were compromised
by some APT actor out there using an 0day.
They've told people via a pop-up
in their management interface,
which I do wonder how many people actually log into the things,
but they've warned people that, like, if you have been compromised,
and they're doing compromise detection,
you need to throw away the device and get another one, right?
So they're saying it can't be restored to a state of integrity.
You need to just bin it, throw it into a log chipper,
get rid of it and get another one.
Which, look, a lot of people are like,
ha, ha, ha, Barracuda, what losers?
But good on them for actually giving that advice.
Good on them for saying, doing the appropriate thing,
even if it's radical and makes them look bad.
I just think, you know, I think this is good.
Yeah, I agree with you.
I mean, the bug itself is really dumb.
And so in that respect, bad Barracuda.
But it's a big move for a vendor to come out and say,
ship your appliance and we'll give you a new one. Like, that's a big call, and I'm glad that
they are doing it. And I guess I'm a little surprised that people are surprised by that. I
mean, we've seen hardware-level implants as a, you know, long-term persistence mechanism,
you know, for quite a while, especially in the spook world.
I was reminded of the NSA's ANT catalog
that got leaked 10 years ago, more than that maybe?
About 10 years ago, yeah.
About 10 years ago, that contained details
of a bunch of their toys, and BIOS backdoors
for Juniper firewalls in there, for example,
so that you can survive the device being reinstalled
or whatever else.
So this has been happening for a long time in the spook world, so we should have more vendors giving this kind of
answer, and I'm glad that Barracuda has decided to do that, because it, you know, begins to normalize
what we have needed to be doing for quite a long time. So, well, it's a reminder too, and maybe we
should point this out as it relates to Fortinet
as well, which is that the people who are there now are often paying for the sins of people who
resigned 10 years ago, right? So there are actually competent people at these organizations, but
there's only so much they can do with such a legacy of fail, right? Yes. Yeah, and, like,
that kind of period of 2000s through to 2010 where a lot of
this stuff has its genesis, we built a lot of terrible crap as an industry. Yeah, and I mean,
things like Barracudas and whatever else, I'm pretty sure they offer, like, a SaaS cloudy one as
well, right? But, you know, quite often people just want the appliance. I think that's it, yeah. That's
some actionable advice we can give. Don't buy any more bloody appliances and get rid of the ones you
have. You know, just generally.
Yeah, if it comes in a custom rack mount case,
don't buy it.
Yeah, no more blinky light boxes, people.
No more blinky light boxes.
We've moved on.
The bug itself, though,
if I can just dwell for a moment on it,
is a beautiful thing.
It's a Perl command injection
in the file names of files
inside a tar attachment of an email.
Yeah, I mean, that's classic stuff, right? Like, that...
it's beautiful. Like, I love it. Actually, you know, I've mentioned a couple of times that I
was staying with a friend in Melbourne. So I mentioned that in this week's sponsor
interview, but he pointed out to me that he found some very similar bugs in Barracuda
back in '05. So I believe it too. I would believe it.
Yeah, so there's a CVE.
Yeah, there's a CVE that he found from '05, and he looked it up and showed me.
I'm like, oh yeah.
Yeah.
It's quite funny.
So these were... Barracuda says they have seen them
being exploited back into mid-2022.
So, like, if you have a Barracuda in your mail path,
probably having a bad day,
especially if you're the sort of people
who would be targets of intelligence services or state actors or whatever else. Yeah, you might use
good bugs and hardware backdoors. Well, and the file transfer apocalypse... speaking of blinky light boxes,
the file transfer appliance apocalypse is still ongoing. I think MOVEit has announced another...
I mean, did they find this one themselves, or is this another 0day ripping through the wild?
They said, I think Huntress had been reviewing it
after the initial bugs, and then Huntress found this extra one.
So yeah, another bug, and presumably they're going to patch that.
They have patched that as well.
But yeah, if you have a file transfer appliance like that,
it's probably a bit late for the second patch at this point. Yeah, but I mean, think of the next vendor, because
it's clear what Clop is doing here is they're actually targeting this as a product category,
right? So they're going after, you know, they'll just go down to the next one on the vendor list,
try to get a copy of it, poke the product for vulnerabilities, and then they do their harvest
season, right? I mean, they've taken down with the MOVEit stuff BBC, British Airways, Aer Lingus, like, it's just... the Minnesota schools,
like, and I think their harvest... oh yeah, they got Ofcom as well. Yeah, that was MOVEit.
That's the regulator in the UK, and I think some government... Nova Scotia as well. Yeah, like, just
heaps. And we spoke last week about how they were in the harvest phase, right?
And they would take the data to market at some point,
and it already looks like that's happened now.
They've sent out extortion notices to hundreds of victims, right?
So harvest season is done.
Time to sell at market.
And that's where the flop is.
Exactly.
And if you go look at the list of other products in this category, like file
transfer services, there's some pretty good looking targets in there. Like, yeah, you mentioned that
last week, and it's true, it's true. And they're just going to keep going, which is why,
you know, months ago we were like, yeah, maybe you don't want to use these things. I mean, I think I
remembered some of the more specific mitigation advice that that person on Mastodon said.
One of them was, like, make sure everything's ephemeral there. I'm like, I mean, you know, that would probably help you
a little bit, but, you know, you can still get an attacker on the box who just copies everything
as it comes in and leaves, right? So yeah. Yeah, I mean, you can contain the blast radius a bit by
stopping it from having 20 years of, you know, legal data in the whatever else, right? You can limit
that, but yeah. Also,
especially if the person who lands on the system is willing
to spend some time moving laterally
or investigating beyond
just loot and leave.
Loot and leave. I like it.
Where's that term of art from?
I don't know. Was that off the cuff?
That was off the cuff. Hey, I like it.
I like it. And we're still finding out about
people who've been
owned by the previous one. What is it, the Fortra, was it GoAnywhere MFT? Yeah, yeah, the Fortra one. So
we got a story here from TechCrunch about some org, which is, yeah, there's been, like, some huge
US medical data breach. You know, all this stuff, you know, eventually it starts bleeding out in, like,
SEC filings and whatever, and notices to regulators. So we're still finding out about the last round, basically. Yeah, and, you know, I guess
this will have a long tail. Like, we're still, you know, there's people who are owned by the Accellion
breaches, you know, that are still dealing with responses to that even now. So yeah, it'll be a
long tail. Yeah, yeah. Let's move on to some other... well, it is kind of related when you think about it, because this is still about blinky light boxes.
CISA has issued a binding operational directive
to US federal government agencies and departments
that they need to get management interfaces
for networking equipment and various network-attached bits of equipment
off the internet, which, you know, I mean, you said to me earlier when we were talking about this, geez, you know, I can't believe it took till 2023, but
that's how it be, my friend. And, you know, it's good to see them doing this. Better late than never,
that's what I think. So they've told them they've got to do it, and I think what
they're going to do next is they're doing some scanning of, like, federal government IP space to,
like, find these things, and then they're going to notify various agencies,
and then they have 14 days to fix it or else.
But it is a binding directive
and if you're going to target a category of like,
you know, I hate to use the term,
but low hanging fruit.
If you're going to target a category,
this is a pretty good category to target.
It solves what I call the F5 problem
where F5 gear is actually quite useful and no one really makes anything like it.
But if you put its management interface on the internet, you may as well just shoot yourself in the face.
Exactly, yes.
And the idea that management interfaces should only be accessed from a dedicated management zone in your environment, or with other controls around them, that seems like pretty old wisdom. Yeah, that's, like, the best advice of 2003, right? Yes, exactly. But, you know, the reality,
as you say, is that a lot of people absolutely do still have management interfaces on the internet,
and in some cases, you know, the management interface is the same as the end-user-facing
interface, and that's a concerning kind of category of things. Yeah, they're not separate. I'm guessing a lot of these
VPN appliances, you just log in with sufficient
privilege and there's the management interface, right?
So... Yeah, exactly.
It is a hard problem
despite being an old problem but...
There is plenty of stuff. There's plenty of stuff
out there that does have dedicated management interfaces
still, right? Yeah, plenty of stuff does. And for this
reason, for God's sakes, like, even the vendors
of fail, like, give you a management interface so you can segregate it, and people
don't do it. And this is true, yes, but plenty of them have just bodged it into the same web server
rather than segregating them out for this exact reason, so that we can have some, you know, some
actual segregation of a management zone. But that's... it's very old think. Management zone, everyone wants
to be on the internet, zero trust,
you know, so on, which is fine if you do the
zero trust part, but most people just get to the let's-put-it-on-the-internet part. Yeah.
Forget about the rest and the
multi-factor or whatever else.
Now let's contrast the problems happening
in blinky light box world this
week, Adam, with the problems being experienced
by Azure users,
where it looks like they actually...
look, I've got to give credit where credit's due. Anonymous Sudan, which is likely a front, as
we know, for Russians, said that they'd managed to take down Azure via a DDoS attack,
and it looks like they actually did, right? And Microsoft were able to bounce back, but they took
down a bunch of services. Like, Microsoft's still investigating or whatever, and described a traffic anomaly, blah blah blah, but it looks like, if you had to guess
at this stage, it looks like an Anonymous Sudan-led DDoS attack actually managed to cause some drama,
temporary drama, for Microsoft. Yeah, I mean, I agree, this is definitely in the you-gotta-hand-
it-to-them category. And there's, you know, there's a lot of attack
surface in Azure and there's a lot of complexity,
and a lot of good options for DDoSing Microsoft there.
But yeah, solid work.
Microsoft were saying that, I think,
Entra admin and Microsoft Intune
were throwing up error messages.
I mean, being able to brick Intune for a couple of hours,
I mean, that's, you know.
Yeah, that's legit.
I mean, there's similar problems with mail and SharePoint and Teams and stuff.
So it's good work.
Yeah, yeah.
So, I mean, no, we don't got to hand it to them.
Sorry, we don't got to hand it to them.
We don't got to hand it to Russians pretending to be Muslims,
pretending to be activists.
What a world.
What a world.
What a world.
So what else have we got here? Oh, now, in the same vein,
now these guys, we've got to hand it to them. Some Ukrainian hacktivists, quote unquote, I think
they're called the Cyber Anarchy Squad. I don't know if they're Ukrainian, but they were, they
are certainly supporting Ukraine. They owned some Russian telco and, like, bricked a lot of their gear, and it turns out this
Russian telco actually provides connectivity to the Russian central bank, where all of the banks
have to report transactions. So this caused major drama in Russia. They were actually able to recover
reasonably quickly, though. But this was, yeah, I mean, it was in the Russian press
and Ukrainian press too, obviously.
But yeah, it was pretty bad.
I'm actually surprised they bounced back so quickly.
Because that looked like a pretty serious wrecking,
going and bricking network devices and routers and switches
and whatever else.
That seems like it was going to be roll a truck
to the data center and start ripping gear out,
or at the very least get your console cable out
and start working. But no, they seemed to bounce back pretty quick. But there's a
bunch of email and data that's been stolen from it as well. And, you know, they were only down, they
were only down for 32 hours. And I had the same reaction as you, which is like, yeah, people rolled
in there, bricked a bunch of their routers, and they got back up and running in 32 hours. I mean,
that means they did eviction and restoration in 32 hours. That's, uh,
you know, and I think that's what the whole Russia-Ukraine conflict has shown us, right, is that
organizations these days can be quite resilient in the face of these types of attacks, which is
surprising. It is, but I guess, you know, also, like, the process of comprehensively destroying an
organization such that it makes recovery really
difficult, like, it's actually quite involved. Because we've kind of been through some of these scenarios
in our work, like wargaming them out, sort of thing. For wargaming, or getting in, like when you're
trying to explain what's the impact of the compromise that we have carried out in this
particular exercise, what could we do? And thinking through, okay, well, now we can turn off your backups, turn off your data center, turn off the backup data center, turn off the VMware such that you can't turn the VMware
on because the button to turn the VMware on is inside the VMware. Like that sort of bootstrap
analysis of how you deal with a cold start, or, you know, that kind of thing. Like, that's not a fast or
particularly easy process. It requires quite a lot of thought
and quite a lot of understanding.
So bricking a whole bank comprehensively
is not a thing you're going to do fast.
And doing it under pressure,
if they've snapped you and started the roll response,
like, I can understand just doing something quick
to get the hell, get some impact.
Yeah, to get the headline, right?
And this wasn't a bank, though, to be clear.
This was a telco that provided services
to the Russian Central Bank.
But yeah, it's, yeah.
Anyway, we've said it.
32 hours, like, actually surprising.
On we go to the next story.
So this next one, actually.
The Wall Street Journal, look, everyone has it.
The ODNI in the United States,
the Office of the Director of National Intelligence,
has declassified a report that was prepared for it
about the US intelligence community's purchasing
of commercially available information, right?
So we've seen a steady drumbeat of news stories
over the last few years from people like Joe Cox,
deserves a call out here
because he's been writing about this an awful lot.
And, you know, certainly the ODNI looked into it
and decided, yes, this is worthy of public discussion and has declassified the report.
It is much as you expect, right?
It confirms a lot of the stuff that we've seen reported publicly.
I think there's a number of interesting aspects to this, right?
So Tom Uren, our colleague who writes our Seriously Risky Business newsletter, he's working on this
for tomorrow. And he made a really good point, right? Which is that even if you tidy up the use
of this sort of stuff by the US intelligence community and US law enforcement, right,
at a federal level, because state and local is going to be really hard, you're still going to
be left with problems. So I asked him to just give us a clip on that. And here's what he said.
A strict focus on the IC will help clean up the IC. But I think that's actually the
least of your problems, because you can do that. You can set policies. There's a clear hierarchy.
The DNI is in control. Congress controls the purse strings. They'll clean this up over time.
I think domestic law enforcement
is actually much more worrying because they have the exact same access to this data. They can buy
it just as easily as the IC can. And the federal levers to control domestic law enforcement are
just much harder because there's so many different police forces in the US. Oversight is comparatively weak
and I think that's a real problem. And finally, of course, you can't constrain foreign intelligence
collection. They'll buy this data. They probably are buying this data and making a huge amount of
use of it. I think the way to tackle this is to look at the data privacy laws. It just shouldn't be possible
to collect this kind of super intrusive data that can basically replicate an intelligence
collection machine and just sell it to whoever wants it. That's my takeaway message.
So that was Tom Uren there, our colleague. He works full-time with us doing Seriously Risky
Business, which you can find at risky.biz slash subscribe. If you're not subscribed to that, it's really one
of the best cybersecurity newsletters that looks at a lot of these sort of government and intelligence
topics. It really is terrific. But, you know, he makes a really good point and he's made it
previously in other columns that he's written, which is that we just need to nuke the, you know,
forget about regulating the sale of this stuff. We need to regulate the collection of this stuff.
Yeah, I absolutely agree.
The root cause is that so much data is available for purchase
and intelligence services can buy it foreign and domestic.
And so can everybody else.
Somebody wants to dox people,
somebody wants to collect data and use it in ways
that it wasn't intended for.
And normally this gets kind of hand-waved as, oh, well, it's anonymised data
and there's a bunch of safeguards.
The ODNI report points out that they can de-anonymise this stuff, right?
The government knows that they can do that.
Yes, exactly, and so do other people.
And I think solving this in the root, which is good quality privacy regulation in the United States
and in other places in the world, we have different privacy laws, but we have the same
sort of problems of tech companies and ad networks and so on selling this data. And the level of
detail you can get with good quality data being collected is, as Tom says, you know, better in some cases than what you get with
intelligence apparatus going and rolling on them. So, you know, it's pretty terrifying.
And solving it at root, I think, is the best approach, yes.
Yeah. So I've linked through also to something Tom wrote two years ago for us, which was about
a priest in the United States who got outed as gay via data that was obtained by some Christian
Substack publication or whatever. And it's, you know, it's a pretty interesting read. I think it
was one of the first bits of media that really pointed out that this is going to be a problem
when it comes to foreign intelligence services using this type of data. And, you know, that
example of the priest was just given as a really good one. But, you know, I've also been reminded
of a conversation I had around the time of the Snowden disclosures. So I was at the Black Hat that was immediately after that, and I did bump
into a friend of mine who held a senior position in the intelligence community, which I won't
describe, the agency or the position, for obvious reasons. But, you know, at that point the Snowden
stuff was still really fresh, and I'm like, mate, you know, what the hell are you guys doing? And he said,
well, don't believe everything that you read. You know, the oversight's probably a lot better than certainly our mate
Edward is suggesting. And, you know, he said there's a lot of bad info out there. But he also
said something really interesting, which is that, like, if you want to be worried about your privacy,
he's like, if people knew how much data a company like Google and Facebook were
collecting on people, you know, and he said, if we had 10% of their insight, it would be a game
changer for us, right? So a lot of the most intrusive data has been held by private
companies for a long time, or commercial entities, I should say, rather than private companies,
because they're public companies. But I think what's changed, and the ODNI report
actually does mention this because I skimmed it earlier, you know, that data doesn't just belong
to the major tech firms anymore. You know, we've got this entire ecosystem of shady SDKs that support,
you know, data broking and ad placements and whatever, and you can just buy this stuff now.
Like, Google's not going to sell you this sort of data on its users,
but we've got this whole shady ecosystem that sprung up around it
and, yeah, we need to look at the root cause.
I agree with Tom.
Yeah, I'm absolutely on board for that as well.
When you see the amount of location data and really detailed stuff
that comes out of SDKs for putting advertising in mobile apps,
it's pretty scary.
And I know, like, some of the reporting from Joe Cox at AirDow
about the quality of that data and what you can do is, yeah,
really sobering.
And we should have good quality privacy law, but that's a long-term goal.
Well, when we say we, we mean America should.
Yeah, so I've linked through to two write-ups on that one,
one from the Wall Street Journal.
And Dell Cameron, it must be said, did a great job of writing this up for WIRED. Tom
also had some interesting stuff to say about how, like, it looks like in this case the examples that
are cited in the ODNI report look kind of reasonable as well, and not all that scary, but
also that that's not the point, right? You know, we should not be just saying, oh, well,
it's okay because what they're doing seems all right. Like, we need, you know, reform, definitely need reform. Now, speaking of reform,
Section 702, the surveillance power, as everybody knows, it's coming up for renewal. And, you know,
given that the FBI was sort of caught doing silly things with it, it's kind of forced, you know,
various parts of the US government to
actually come out and be a little bit more open about what sort of stuff they use 702 for so that
they can sell its renewal as a positive thing. And we got to learn some interesting things because
of this, Adam. Yeah, they've got some actual examples of things that they used 702 powers for.
There's some examples relating to, say, Colonial Pipeline, the breach of that,
which is, you know, that's kind of, we don't often see the insides of these investigations,
because they're, you know, not our business so much, but seeing it tied to that specific
capability, I think, you know, that it's a good example. And of course, it's a very compelling
one when they're trying to convince Congress people. Yeah, yeah. I mean, to be able to say,
and they specifically say that they used 702 authorities to identify the people behind the
Colonial Pipeline attack and actually retrieve the ransom. So, you know, take that, bad internet
people. Yeah, so it's a great example. And of course, you know, we're considering how much it gets used,
it would be nice to see, you know, a whole bunch more, but they have
to pick a couple that are palatable for releasing to the audience and so on. But they,
you know, they give some others about, you know, tracking drug traffickers, for example. You
know, the fentanyl situation in the United States obviously is one that's relevant to many of its
authorities. That's a good one they put in there as well. But, you know, this conversation is
just really complicated. Like, what do we do with 702? You know, is it going to get, it's probably
going to get reauthorized. Well, it's going to get reauthorized, I mean, come on, that's going to happen.
But, you know, we've got another story here from Martin Matishak which kind of suggests that,
you know, they're dragging the chain on some of the reforms that various panels and whatever
are recommending, because that FBI stuff was not ideal, right? So, and it's kind of heading in the direction that we hoped it would,
which means that there will be some reform here. But apparently, like, it's just not going that quick,
and, like, it's going to come down to the wire again, right? Yeah, and the representative deputy
director of the FBI was at one of the committee hearings and was basically saying, like, why don't
you guys mandate some of the policy changes that we've made, for example, to try and reduce misuse of 702 data by FBI
investigators. And that's, you know, they had some numbers that say, you know, the number of queries
have dropped, you know, after they've made some policy changes, etc., etc. Yeah, but it doesn't matter,
right? Like, because even if you drop it by 80%, it's like, which queries have gone?
Anyway, I think the FBI has largely, you know, fixed this, but that, you know, you're not just going to take their word for it
after what we've said. That seems to be the thought from the, you know, various senators, right? Why should
we trust the FBI to self-police when they have shown that they haven't in the past? And, yeah, it's
fair enough. I mean, yeah, honestly, fair enough. Anyway, let's be, oh, my favorite story of the week,
absolutely. When I first saw this, I first saw this in Catalin's coverage, I think Monday, when I was editing
one of his news podcast scripts. And yeah, the people, the people who did Mt. Gox, like,
so the hack of the Mt. Gox exchange, when was it? 2010 to 2013. So the hack of the Mt. Gox exchange has been one of
those big internet mysteries for a long time because a lot of people thought that the guy
who was running the exchange, they were a Japanese Bitcoin exchange, an early one, and a lot of
people thought that the guy who was running the exchange had sort of siphoned off the money.
But what looks like happened, like the DOJ has now charged two Russian guys with doing
this, with pulling off this caper. They stole 647,000 bitcoins over an extended period
from Mt. Gox. They sold some of it to a shady exchange that did a wire transfer for millions
of dollars in cash, and then they founded BTC-e, which was a really shady cryptocurrency exchange
that laundered a bunch of money. So they took their crime coins
and then just did more crime-related Bitcoin stuff with it.
But I'm just, you know,
apparently these charges were laid in 2019.
They're just being unsealed now.
But for me, this is like, you know,
like they found Jimmy Hoffa's corpse
or it's, you know, proof of Bigfoot or something.
Like it's just, they've solved this mystery for us.
Yeah, for the children listening
who weren't born when Mt. Gox was a thing,
yeah, it's funny seeing a story come back
after so many years
and now we do get a little bit of closure, I suppose,
about exactly what happened.
But I do love the idea that they robbed Mt. Gox
and then set up another competing exchange
that would do money laundering to
launder the proceeds. Yeah, and I was wondering how you launder money with other money that people are
trying to launder. Like, how does that work? You know what, I guess, like, I would have thought you'd start
a legitimate exchange and try to launder your stuff in with the legitimate, you know, not do a
shady one where everything going into it is bad. Laundering with other people's laundry, like, I,
it's kind of genius in a way, but,
um, well, apparently not, because they just got indicted. But, you know, well, exactly. Yes, the DOJ
filed charges in 2019 against Alexey Bilyuchenko and Aleksandr Verner, who are the two Russians
accused of doing this, and the former was a biz partner with the guy who started BTC-e, who got
picked up in Greece, I think, a few years back
now and got extradited to the US. So yeah, it's a bad time to be a mid-2000s Bitcoin criminal, I
suppose. Yeah, the wheels of justice turn slowly, but they do turn, it turns out. Yeah, and you remember
we were saying, like, a lot of historical blockchain crimes are going to get punished, right? And this is
just one more of these but yeah yeah, Internet Bigfoot captured.
Well, not captured.
Internet Bigfoot indicted.
Yes, I got a photo of Internet Bigfoot.
Now, really funny.
We got two headlines in front of us.
We've got one from Daryna Antoniuk at The Record,
which says,
North Korean hacking group Lazarus
linked to $35 million cryptocurrency heist.
That's from June 8th.
And then we've got this next headline from June 14th,
which is North Korean hackers stole $100 million
in recent cryptocurrency heist,
which is the same hack.
So we spoke about this one briefly last week
and someone actually,
this is the Atomic Wallet thing
where I said that they'd confirmed
that they'd had a bad time.
Someone wrote to me and pointed out
that they didn't actually confirm it.
They just said they were aware of reports,
but it looks like it's confirmed now.
And something like 5,500 digital wallets were hit by the North Koreans
and they drained them.
Do we know how yet?
So we haven't seen specifics,
but Atomic Wallet has had some flaws in the past.
And obviously Lazarus are pretty good at looking at crypto stuff
as a whole ecosystem, like looking at the web apps, looking at the people, looking at the, you know,
company systems around it. So, yeah, we're not 100% sure if it was, like, straight-up crypto hacks or
whether it was a little more holistic. But either way, 35 million or 100 million, maybe, that's, it was
35, now it's 100, so, yeah, maybe that's just accounting for the cryptocurrency fluctuations.
Maybe both headlines are true.
Maybe, who knows?
What else have we got?
So I just wanted to quickly mention this one.
An Illinois hospital is closing
and one of the reasons they've cited for closing
is they got ransomware and that prevented them
from being able to claim money from health insurance firms
and it just put them under.
They're done.
They're closing, and I think it's a regional hospital,
and this is going to cause real problems for the community there.
Kevin Collier wrote this one up for NBC,
and I've spoken to Kevin about the way that he approaches
covering ransomware, and he will only cover something these days
if it is something new or serious or whatever,
because there's just too many ransomware attacks.
He can't write them up anymore.
But I can certainly see why he chose to cover this.
It's really depressing.
Yeah, it is really sad to hear.
And hospitals are such, they're vulnerable in themselves,
but also they serve vulnerable people.
So it's kind of like double victimization.
And yeah, hard reading and just kind of rough
because the problems in healthcare are so difficult to solve.
And we're going to just end here, Adam,
with a link to an interview with the CEO of LastPass
that's been published on Cybersecurity Dive.
I found this pretty interesting, right?
Because like they acknowledge mistakes were made, right?
And particularly, I thought the stuff
around communications was interesting
because they said what we're trying to do is develop complete pictures and then do
periodic updates, where what they should have done was a more constant flow of information and talking
about stuff as they sort of discovered it. Just, like, they did make mistakes, but I think this
is an interesting sort of post-mortem from the CEO's perspective about what they did wrong. Yeah,
i thought it was really interesting as well because, you know, seeing the insides of
the decision-making and then also understanding what they took away from it, like what the
things that they learned from the process were is just really useful because we don't often see that.
And, you know, I know anecdotally plenty of people have been like, oh,
LastPass got hacked and I'm not going to use them anymore. They're the ones you want to use.
Well, exactly right.
It's the ones that have done a good job of responding to such an incident
and turned out that it wasn't catastrophic in the end anyway.
Yeah.
So seeing the insights of what went on, I think, is just really useful.
Well, and they say there's no evidence of follow-on attacks, right?
And on the users as a result of this.
And they also point out their renewal rate took an 8% hit,
but they expect that it's going to recover.
They've got some really good people over there.
I spoke to a couple of their people when I made my oopsie
on suggesting that this was North Korea.
It still could be, but it certainly was an oopsie,
and I shouldn't have said it.
But I did wind up talking to a bunch of their people
and like Chris Hoff is over there as well.
Like they got top-notch security people.
Which you'd certainly hope so,
given the role that they play
and the service that they provide.
And I just, you know, I compare it
to some of the other vendor responses
to breaches and incidents.
And it's just really refreshing
to get this kind of insight
and to hear it from the horse's mouth.
So I think, yeah, totally worth reading.
Well, mate, that's it for this week's news.
Thank you so much for joining me to talk through all of that.
A pleasure as always, my friend, and we'll do it again next week
and then we're actually off air for a couple of weeks
after next week's show.
Excellent.
We can plan some terrible things to happen.
I'm looking forward to it very much.
Yeah.
See you later.
That was CyberCX's Adam Boileau there with a look at the week's security news.
We're going to chat now with Chris Rothe. He is the co-founder of Red Canary and is its CTO. And he's joining me to talk about how managed detection and response firms like Red Canary are now helping customers monitor Azure cloud infrastructure guy. So I wound up discussing this interview after I recorded it with him. And essentially, yeah, he told me the same thing that Chris did and you're about to hear,
which is that out-of-the-box signals from services like Azure are actually pretty good these days,
right? So you can plug an MDR provider into this telemetry and they can actually tell you useful
things. Anyway, here's Chris Rothe talking about how MDR companies are tackling cloud
infrastructure monitoring and response. If you think about MDR, what are the core
features of MDR that inform what telemetry you need? And so from our perspective, there's sort
of five main things. There's 24 by 7, 365 expert investigation of any potential threat. There's
advanced threat detection. Detection engineering would be another term for that that you need to apply to the right data sources. There's having
a great global threat intelligence team that's able to collect different pieces of intelligence
and bring them to bear in your detection engineering pipeline. There's threat hunting
continuously to apply new intel to old data. And then the response side, the R side, is proactive
response and
remediation, right? Being able to take action on threats and shut them down. So if you accept that
as sort of the core, what is MDR in order to deliver the outcomes that companies need, which
is detecting threats and shutting them down before they cause damage, then the question starts to be,
what types of data do you need to do that job in different environments?
For endpoints, largely for the last decade, that's where most of the action was.
It's where the most threat actors were landing.
The best source we ever found for that was endpoint detection response data. That telemetry telling you every process, what every process did, is the perfect set of data to do detection engineering on top of and find those threats
in a really robust behavior analytic type way. I think the words that describe it best are
execution events. I always like that. Just execution events. That's it. And look at them.
Find the funny ones, right? Yeah, exactly. And that is like a core to our view of the world is
you don't want to convict it. You're just looking for things that are interesting that need a human to look at them.
Because products and tools can convict things, right?
If we could write perfect analytics that say that's definitely bad, then you don't need a security team and you don't need an MDR, right?
It's that gray space where, hey, this thing looks like normal user behavior, but it's actually an adversary doing it.
That's where MDR really
is critical. So as you go beyond the endpoint and you say, hey, now we have users that are using
mostly SaaS tools. And so the identity is sort of the center of their world. You have cloud
infrastructure where maybe EDR is in place on the workloads, but you also have this cloud control
plane with all these different service primitives that you can use.
What are the right telemetry sources in those environments?
And so through our last couple years of learning and growing in those areas,
we've sort of zeroed in on in the cloud space.
It's really the cloud API telemetry, right?
So in the AWS world, that would be CloudTrail.
And similar to the EDR analogy, it's everything everyone did to the cloud control plane. Every resource they created, every resource they stopped, every security group they modified, that's what's in that telemetry. And ultimately, that's the same level of detail that you need in order to then build detection analytics on top of it. Similar in the identity space, like from the
Oktas of the world, Azure AD, getting that fine-grained login telemetry, and then apply that
into the email and productivity space when we're talking O365 and the unified audit log and all
that kind of stuff. Those are the prime telemetry sources in sort of the modern conglomerated IT
world. You know, is one of the reasons that this wasn't really possible earlier and is possible now because everybody through the first decade of cloud had a different
approach, right? So every cloud environment was just such a snowflake that trying to get,
you know, some managed detection response company to look at the logs and even know what was going
on was basically impossible. Whereas now, you know, it seems like there are more standard approaches to how people spin up these cloud
environments. So, you know, the badness kind of looks a little bit more uniform. Am I making sense
here? Like, is that something that's happening? Yeah, and I think there, I think there's a couple ways
to look at it. And one is sort of an adversary's view of it. And another would be, what are the
tools that are actually available view of it. So from an adversary's point of view, when it was so
easy to compromise endpoints, because everyone would click the link, why would I mess around
trying to break into, you know, something in a cloud service provider, you know, it's sort of
like an analogy would be like, if I'm a sales rep, who's, you know, I've got my tactics of send cold email or, you know, send packages in the mail and I get, you know, way better response rate on one versus the other.
Let me just go with what works.
Let me play the hits.
Right. As an adversary, why bother trying to attack a cloud infrastructure when I can just get access to endpoints and do my thing from there and take advantage of it by delivering ransomware or
whatever else they were using to monetize. So that's one angle of it. The other is,
to your point, the cloud platforms, the cloud control planes, the cloud service providers
have all sort of matured to, and really talking about the big three here, AWS, GCP, Azure, have all matured to
have a relatively similar portfolio of services, right? There's nuances, there's differences
between them. Yeah, but it's not like it was, right? Because people forget that AWS, you know,
10, 15 years ago looked like what DigitalOcean looks like now, right? Like it was just, it's
like, yeah, you can run your own Linux machines on a hypervisor, and there was no, you know, telemetry source. So there was no standard
way to do things either, because it was really like, yeah, just bring your own VMs and you
can run them in the cloud. But that's not, that's not for sure. Yeah, right. Yeah, and I think the other
you know evolution over time is, is the shared responsibility model that exists with the cloud service providers now. And if you've never seen that, the concept is there's effectively an above the line and a below the line. And all the things below the line are effectively the cloud service provider's responsibility. So when you think about that from, if you're mapping your traditional on-prem security thinking to a cloud environment and part of, you know, how many SOCs have I been in where
somebody's like, you know, one of my dreams is to take our badge reader data and correlate it with,
you know, event logins to computers and stuff like that. This stuff's gone, man. There's no
physical security. Like that's all below the line. That's, that's out of your purview. Um, and so
where that, so that's great. That means from a security perspective, there's lots of good things
of not having to worry about that, uh, as, as a user of the cloud, maybe the negative of it is
everything that's above the line is your responsibility. And that in some cases is
stuff that you've never had to think about before, right? Because it wasn't a part of the universe when you were
in an on-prem, a data center type environment. So I think that's, that's the other angle of it is
as that shared security or shared responsibility model has matured, security teams are realizing
how much they have to take on in terms of securing things above the line. And that's, that's where
detection and response starts to apply where it's like, oh, wow, now that we have visibility, now it's your point that we have this common set of like activity telemetry that's coming out from the different CSPs.
Now we got to do something with it, right?
Otherwise, we're negligent in finding those attacks.
Yeah.
I mean, you know, some of the early approaches around cloud-based stuff was like you'd shim in a network sensor, right?
And sort of plumb things together so
you would have basically like a network IDS in your cloud instance, and then maybe you'd do some
endpoint telemetry, you know, if you're running a bunch of Linux things, you'd throw in some
sort of EDR-like security agent to send logs back. But that's not really what we're doing anymore,
is it? I mean, that's still a part of it.
Yeah.
Yeah.
The way we like to categorize it is you've got the MDR in our world, MDR for the cloud control plane.
So you need to detect threats in the control plane. Again, use this analogy of the control plane is like an OS.
Yeah, yeah, yeah.
Like a computer.
But I guess that's what I'm getting at.
That's the new part, right?
Right.
And we've said this on the show, too, something like AWS is essentially like a server operating system.
Yeah, like it is, it is an OS. Yeah, absolutely. So there's that piece, and then there's, you know, MDR for the cloud instances. Those have some different flavors now with containerization and serverless functions and things like that, that aren't, you know, those aren't like on-prem native. There's no mindset of how do we monitor a serverless function. So those are new things that we have to figure out, and figure out what it means to detect threats to them.
Yeah, so I mean, how are people handling, you know, serverless? Right, because it's not super common. Um, I mean, as you know, I'll just tell the audience, I'm traveling at the moment. I'm in Melbourne, I'm staying at a friend's house. This friend happened to have developed, you know, serverless Azure apps, I think some years ago, right? Had a greenfields opportunity to do some development, actually did these serverless apps, and it was incredible what he was able to spin up in an incredibly short period of time using serverless. But then you think, okay, well, how do you get insight into what it's doing?
I mean, how do you get insight into what it's doing?
Like, how are people doing that?
Do you have to basically build your own logging in serverless apps?
Or do the cloud providers, you know, basically extract some generic telemetry for you?
Yeah. And I think to add on to your question, what's actually relevant? What does it mean to compromise a serverless application, right? If the thing just spins up in response to an API request, does its job, and then shuts down, what is the actual vector there, right? So you have, like, traditional things like web application attacks, SQL injection, if what your serverless app is doing is serving a web page or whatever. And so, you know, the database that probably underlies your serverless application needs to be protected from that standpoint. So any app you're building serverless needs to, you know, implement the same types of safeguards on the front end of it to make sure you're not vulnerable to those types of attacks. But in terms of, like, what we think of as, like, a compromise, really to compromise something serverless like that, you've got to get in through the control plane and inject code. And so that comes back to, you know, what are we monitoring for there, right? Monitoring for changes to those applications that maybe were made outside of the CI/CD pipeline. They were hand-poked in there, you know, by who, or by some API.
I mean, you keep coming back to the same thing, right? Which makes a lot of sense, which is, from an MDR perspective, the one generic, like, info source that you can make best use of is going to be that control plane logging, right? And that's something that you could just plug in. Doesn't matter how diverse the environments are that you're having to monitor, there's going to be some stuff that just sticks out like a sore thumb. I mean, that's essentially what you're saying here, right?
Yeah, absolutely. And it's not a once, it's not everything, right? Like, as always in security, it's part of a solution. You know, you need also what we would historically call a CSPM, cloud security posture management thing, like a Wiz, like a Lacework, to look at those configuration changes, help highlight vulnerability-type activity. Um, which is another kind of interesting thing, I think, about cloud security, is the definition of a threat seems to move a little bit more to the left. Like, yes, absolutely, vulnerabilities are, um, you know, more like threats than in, like, a, you know, like how many vulnerabilities are on your laptop at any given time, right? Probably lots. And it's like, so what? They're not accessible. There's nothing anyone could do with them. In the cloud, you sort of can't have that same attitude.
So, of your customers, right,
like, what sort of percentage of them have you doing this? Because I'd imagine that, you know, the market has only recently kind of wrapped its head around the idea that MDR can be trusted, right? Like, that's new. And I'm guessing that this is a small but growing business line for you. Is that about right?
Yeah, correct. And it's really about the profile of the company. You know, a lot of, especially cloud native type companies who never had an on-prem infrastructure that they lifted into the cloud, those are sort of the early adopters in this space. You know, maybe we were monitoring their corporate environments and they were the ones who were asking us, hey, can we apply some of those similar stuff?
The people who did lift and shift would have been the ones who did the network sensors in the cloud and who plumbed in the, like, EDR-like telemetry, and they have it feeding back to their SOC or their existing way of doing monitoring, right? So that's why I'm curious about who's embracing this, and it makes sense that it's the cloud first, you know, new hot young things.
Yeah.
Well, and think about the profile of those companies from just, like, things to monitor. They've got, let's say, I don't know, let's pick a company like Red Canary. We've got, you know, somewhere between 500 and 1,000 employees or something like that. We've got thousands of machines running in AWS at any given time, scaling up, scaling down, databases, data storage, pipelines, like all this stuff all the time. It's a much bigger environment than our user population, right? That's typical of, like, a SaaS company or a cloud native company. So those are the early adopters in terms of MDR for cloud. But as more and more people get out of the on-prem infrastructure business, we expect it to grow there.
All right. Well, Chris Rothe, thank you so much for joining us on the show to talk through all of that. And let's see where all this goes.
Thanks, Patrick. I appreciate you having me.
That was Chris Rothe there from Red Canary. Big thanks to him for that. And big thanks to Red Canary for being a Risky Business sponsor. And that is it for this week's show. I'll be back tomorrow with another edition of the Seriously Risky Business podcast with Tom Uren in the Risky Business News RSS feed. But until then, I've been Patrick Gray. Thanks for listening.