Tech Brew Ride Home - (Bonus) How Ransomware Works With Cybereason's CISO Isreal Barak

Episode Date: May 22, 2021

Cybereason's CISO, Isreal Barak uses the recent Colonial Pipeline incident to give us a deep explainer on how Ransomware and Ransomware as a service works. Sponsors: Cybereason.com NordVPN.com/ride... coupon code ride Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Discussion (0)
Starting point is 00:00:00 On April 4th, 2023, around 2 in the morning, a man was found stabbed multiple times on a sidewalk in downtown San Francisco. Hey, who did this to you? What happened next turned the story into a political firestorm. Reports have identified the victim as Bob Lee, the founder of Cash App. From Bloomberg Podcasts, this is Foundering, the Killing of Bob Lee, beginning April 16. Welcome to another weekend bonus episode of the Tech Meme Ride Home. I'm Brian McCullough, as promised. One of my favorite ever cybersecurity interviews with Cyber Reason's CISO, Israel Barak,
Starting point is 00:00:48 explaining to us all how these cyber ransom incidents work. Enjoy. Israel, Barack, thanks for coming on the show. You're the CISO at Cyber Reason, right? That is right. Thank you, Brian, for having me. Yeah, well, so I wanted to kind of lead off with the joke that you guys probably seem like you've been busy lately. But actually, is that the right way to frame it?
Starting point is 00:01:14 Have especially ransomware attacks gotten more common lately? Or is it just that there's been a lot of high-profile incidents lately that a lay person like me is more likely to be aware of? So I think one of the things that are happening in the ransomware space is that the impact of the average ransomware incident on an enterprise, enterprise victim has become a lot bigger. In the past, ransomware incidents were either mitigated with something as simple as having a working backup of some of the data that you have on the endpoints, or there were just not something that was very impacted. full to enterprise organizations in general and that were more impactful on smaller businesses and individuals that ended up losing, you know, losing photos and the likes of that. But over the past two years and this past year, especially, ransomware operators have shifted a lot of their resources to focus specifically on what's going to create an impact and a large
Starting point is 00:02:17 impact on enterprise organizations. And I think we're seeing that every day in the field. I mean, almost to that end, and I'm already going to start bringing up colonial pipeline, but I feel like it was generally believed that, you know, until recently, that only a state-sponsored bad actor would be able to paralyze, you know, critical infrastructure. But is that, are we just seeing that the scale and like the ease of doing this thing, this sort of thing has shifted a bit? Yeah. So you're right. I think when we're thinking oftentimes about industrial control systems and operational technology networks for manufacturing environments. And we think, you know, we try to portray to ourselves who might be the probable threat
Starting point is 00:03:03 actor that would target these. Then we often think about the state-sponsored organizations, especially when we read the CISA reports and others, other DHS-related information. And they often portray that picture or they paint the picture as primarily a, a state-sponsored adversary. I think what we're seeing on a day-to-day basis is that the vast majority of fed groups that are targeting environments that are either can impact O.T. and industrial control system environments are actually cybercrime groups. And the vast majority of them really have no specific expertise in those environments. They don't know how to operate that type of equipment.
Starting point is 00:03:54 They don't have specific expertise in OT technologies. But what they do know how to do is to run various cybercrime playbooks and specifically ransomware playbooks. And sometimes, you know, we saw this with the colonial pipeline. The impact was to their IT environment, not so much to the industrial control system environment, but the impact of the IT environment led to mandatory support systems that are needed to deliver a service being shut down. And hence, even though the production or the OT environment wasn't impacted directly based
Starting point is 00:04:32 on publicly available information, the impact sustained in the IT environment essentially led to shutting down the business for a fairly long period of time. So what you're saying is the ultimate fear of, you know, someone causes a reactor to overheat or like, you know, the pipeline to explode or something. That's not specifically in this case what we're dealing with. It's more just blocking up your data. You know, the interesting thing when you look at these cybercrime groups that end up impacting OT environments, and we've seen the number of cases just in this past year of cybercrime
Starting point is 00:05:09 actors that ended up impacting an OT environment. The biggest risk in that is actually, it's actually, I think, interesting. Because when you think about an estate-sponsored adversary that goes into an OT environment, usually these adversaries practice a lot before they actually carry out a mission. So when they go into an on-target operation, they usually understand what is it that they're going to find when they get there. And they usually practice in advance on how to safely operate that thing and not lead to an undesirable impact. because usually they would try to lay low and stay sort of stayed on the radar for a long period of time and only cause an impact when they want to cause an impact but avoid undesirable results. So to a certain extent from a safety perspective, when you think about it, it's actually safer to have an APT actor in your OT environment than a cybercrime actor because a cyber crime actor, they don't necessarily practice on this in advance.
Starting point is 00:06:16 they don't have any sort of OT expertise, they go into the environment, usually for the sole purpose of wrecking havoc, right, and then getting a ransom payday out of it, right? It can be locking down data, disrupting services, stealing, exfiltrating data out of it, but primarily the service disruption can lead to, especially in an OT environment, can lead to safety issues that were not intended, right? The threat actor did not actually intend to disrupt the production activity or the manufacturing activity, but they ended up causing that because the thing in your mind, it's almost more dangerous that these people are sort of willy-nilly and not practiced on it. So you're almost more afraid of what happened to pipeline. I think the bigger risk here is the unintended consequences of having these threat actors be able to impact those environments.
Starting point is 00:07:16 Well, so this dark side group, specifically in the colonial pipeline attack, you know, on the show, I said that what blew my mind about it is it felt like ransomware as a service. Like they have this whole platform of tools that they're willing like a software as a service sort of thing. Like here's, use this one unified dashboard to do all the things you need, you know. Is that sort of thing something new, this ransomware as a service thing? this like they're just a platform for any other actors out there that want to do dirt. Right. So ransomware as a service is not a new thing. It's been around for quite some time where the model has been around for quite some time.
Starting point is 00:07:56 And the value proposition hasn't changed much of what a ransomware as a service platform would offer its clients and its partners. Generally speaking, the primary value proposition is, payment processing, right? Because anyone can encrypt files. Getting away with ransom extortion is something that's a little bit more difficult, right, especially after you get paid and especially after you want to convert that crypto into real world money. So getting away with that is a little bit more difficult. So the anonymity in the payment processing is actually the number one value proposition that a RAS or ransomware as a service operator offers their clients because the client drops. the ransom the ransomware and they compromise the network but it's the rass vendor that manages the entire payment processing and the back and forth monetary process that ends up putting money
Starting point is 00:08:56 in the actual attacker's hands happens in the background between the rass operator and the affiliate right and the attacker right so you know the attacker themselves are not exposed to tracking of crypto transfers they're not exposed to sorts of techniques that are based, basically allow law enforcement to track monetary transactions, right? It all happens behind the scene. So payment processing is the number one value proposition of a RAS operator. And that really hasn't changed much.
Starting point is 00:09:27 The bigger thing that changed, I think, over the years is the level of specialization that exists in this ecosystem where everyone sort of knows what they're supposed to do, right? Every vendor or part of that ecosystem, they know. know what their specialization is. And they usually focus on building that specialization and delivering more value around that. So for example, Darkside focuses on ransomware as a service, right? Offering a payment processing and a platform to interact with the victim and monetize on a successful attack. But one of the things that they don't do, for example, is initial access.
Starting point is 00:10:09 They don't hack into targeted environments. And oftentimes, the people that use dark side don't hack into target environments. So what they do is dark side partners with organizations or teams that provide initial access as an example for a partner. These teams specialize in just one thing, getting initial access into organizations. They open the door, right? They gain access into the network. And then they sell that access to a dark side user. affiliate, sometimes they're called. The affiliate buys access into that network for, you know,
Starting point is 00:10:47 $10, $15, $20, maybe, maybe a little bit more. They buy the access and then they carry out the rest of the mission to exfiltrate data to move laterally in the network. And then at the end, they drop the dark side payload and then dark side encrypts the data, make sure that, you know, relevant data is exfiltrated, services are disrupted in as far as, as wide as, as range has been scope as possible in the target network and then they collect to the monetary transaction with a target or with the victim. So I think the most interesting change is really the specialization that exists in the ransomware ecosystem. That has changed a little bit and again, please forgive me for being completely a new for all of this stuff. But like Colonial faced a double ransom essentially, right?
Starting point is 00:11:42 And I get the sense that that's new because I've heard, you know, people are told, you know, backup your data so that if this happens to you, you can, you'll have your own backups. So like essentially the ransom will be moot. But this two-sided double ransom thing sort of gets around that, right? Can you explain how that works? Yeah. So double extortion basically leverages three primary drivers, right? Pressure. Pressure. areas that can lead a target into into negotiating with the criminal. Pressure area number one actually has nothing to do with data being encrypted. It's about service disruption. It's about creating a situation where one day, at a certain point of day, people go into the office and manufacturing is shut down, right?
Starting point is 00:12:35 Or their IT, the entire ID infrastructure is shut down. and they're unable to deliver a service. And so the first impact is service disruption. They achieve that by encrypting not only data, but basically disrupting system configurations, right? Domain controllers, file servers, databases. They would go into all of these and create a major service disruption. So that's the first pressure point.
Starting point is 00:13:03 If you want to go back, Mr. Victim, if you want to regain business capability, business, or business, or business operations, then we need to have a, you really need to have a conversation with us. 100%. 100%. You're unable to operate. That's impact number one.
Starting point is 00:13:22 Impact number two is we have your data and you're locked out of your data. So if you want your data and you want us to avoid exposing your intellectual property or the personal data, right, that you've, that exists in your system and that we stole from you, then you really need to have a conversation with us. And so those are the three key pressure points. The service disruption, the giving you your data back, and avoiding exposing all that sensitive information, maybe personal information that can lead to sanctions that,
Starting point is 00:14:00 regulatory sanctions if exposed, that's the third pressure point. Having backups hopefully can help, with one of these pressure points. It can hopefully help you recover some of the data that was locked away and encrypted. There are still challenges with that because a lot of organizations, even if they have backups, they may not be working backups, they may not be complete backups, et cetera, et cetera. But it's really just one pillar out of those three pillars.
Starting point is 00:14:32 Usually it's about regaining business operations. That's the more impactful pressure point for most organizations because they do the math and they say, well, if we negotiate with these guys, we may be able to get back in business within, you know, three, four, five days. If we don't negotiate with these guys, then we can still go back to business, maybe, but it will take us that much longer. And that time equals money. And we need to think about what the best, what the best alternative is for now. And insurers in the space oftentimes also apply pressure to resolve this in the simplest and most straightforward way possible. That makes me wonder, and I'm not asking you to name names.
Starting point is 00:15:16 I'm just broadly. Are most people just paying up at this point? Is that kind of the standard practice at this moment in time? So it's a very good question. I think we're seeing a lot of enterprise organizations paying the ransom and treating this as tuition. They're basically treating this as, okay, we sort of needed this to understand the nature of the risk and what needs to be done to mitigate it going forward, but they're positively considering paying the ransom or negotiating the ransom
Starting point is 00:15:53 to accelerate the time that it will take them to regain business operations. The other thing that we've been seeing, and I think it's an interesting trend, is that some enterprise organizations have been advocating for adding a specialized clause into cyber insurance policy, policies, basically extortion, cyber extortion policies that would allow a victim or an insured party to refuse to pay the ransom. That's very interesting thing, right? The insured, right, the enterprise organization, the insured want to have a clause in the insurance policy that allows them to refuse to pay the ransom. Insurance companies are often present to pay. Exactly. Exactly. Exactly. Because. in most cyber insurance policies today,
Starting point is 00:16:44 it's going to be the insurers, the insurance company's decision, whether to pay or not to pay. And basically they can tell an enterprise organization or an insured entity that they can choose between either carrying the entire cost themselves or negotiate a ransom payment that will be covered by the insurance companies,
Starting point is 00:17:05 at least in large portion of it. So that's, that's, That's a challenge. Okay. This also made me think of one more completely naive question, which is, once you've been penetrated, like, is the game over and the only decision is whether or not to pay? Like, once you get that pop-up that says you've been compromised, your data is encrypted, are you pretty much screwed and there are very few options available to you? So the biggest, or the biggest challenge here, an opportunity for defense. is to reduce meantime to response. So when we look at a typical double extortion,
Starting point is 00:17:47 it's an operation, right? It doesn't happen over a minute or two minutes. It's an operation than an adversary is conducting in a victim's network. These operations can take anywhere between several hours to several days to several weeks, depending on the size of the network, between the moment in time where the adversary was able to gain that initial access until you actually see that ransom note and there's a large scale business disruption. What that means is that what we really need to get better in as defenders isn't to get ourselves out of a situation of here's a ransom note and the entire
Starting point is 00:18:28 business is now down and now we sort of need to devise a creative way to get out of this situation. What we really need to get better in is reducing our, the time that it takes us to detect when that adversaries are in our environment, but they're fairly early on in their operation. And if we can detect that early enough and contain and remove them from the environment early enough, then we would be in a position to avoid that entire, that entire impact.
Starting point is 00:18:56 Well, which, believe me, because I've read the ad copy, I'm sure Cyber Reason will be happy to help you with the very kind sponsors of the show. Let me wrap up by asking two slightly broader things. To prep for this, I was reading a bunch of blog posts on the Cyber Reason website. And one of the posts made an analogy that occurred to me, which was to the golden age of piracy.
Starting point is 00:19:25 And by piracy, I'm not talking about Napster. I'm talking about literally, you know, 1600s, 1700s, like literally, you know, black beard, people on boats and Queen Elizabeth enabling people to steal Spanish bullion and things like that. Is that a good analogy in the sense that obviously, and we haven't even got into things like the solar winds hacked and things like that, but does that hold right now where you have, for sure, nation states doing, you know, their actual security services doing dirt for the government, but they're also sort of not just looking the other way, but sort of enabling this sort of, what do they used to call them, freebooters? You know, the actual piracy like they used to do, you have plausible deniability where, you know, you might, certain people might not be pissed if a pipeline went down on the east coast of the United States.
Starting point is 00:20:22 Their fingerprints aren't on it, but it doesn't like, it's not like they're mad about it. So am I right about that? That's sort of what we're seeing right? Yeah, yeah. So I think what we're seeing is, the answer is yes. I think in some regions of the world, and I think you can see a very prolific ecosystem that does it in Russia. And you can see another very elaborate ecosystem around that in China and a couple of other places. But I think what we're seeing in those areas is that an ecosystem was formed between the government and private organizations that we may refer to as cyber crime organizations, but in their own homes, home countries, they may not be referred to as such. And the relationships are intricate, right? It's quid pro quo, right? On the one hand, you know that as a private organization, you may get called in to carry out some outsourced work for the government as a government contractor. But on the other hand, if you play along with that, then you enjoy a certain freedom to carry out
Starting point is 00:21:28 private endeavors, right? And oftentimes these ransomware operations and others, by the way, other forms of cyber crime aren't considered in those ecosystems as criminal activities in the sense that they need to be, they need to be investigated and maybe there has to be some sort of, maybe they need to be some charges pressed against them. The interesting thing is the dynamics in terms of, in terms of, in terms of, in of the relationships between government agencies and the individuals and corporates that conduct this type of activity. You also see situations where in some of these regions, it comes down to people, right? There are people that, you know, during part of their day, they do government work and their government employees,
Starting point is 00:22:20 but they also enjoy a certain degree of freedom to do other things, right, to pursue private endeavors, that again, we may refer to as cybercrime activities but are not referred to as such in those places that are completely private and it's completely sort of a private endeavor and everyone else, everyone looks the other way when they do it. And so you see both organizations that serve as subcontractors or as contractors for the government to carry out outsource missions but also enjoy a certain degree of freedom to carry out private, private cybercrime endeavors. And you also see it on the individual level where certain, you know, just individuals that are government employees almost during the day, right, is in doing private, private endeavors that are
Starting point is 00:23:08 cybercrime endeavors during the second part of their day. Well, listen, I mean, Sir Francis Drake was a pirate, but also was a sir, got very rich from doing piracy, but also, you know, was a noble and was Queen Elizabeth's favorite back in the day. The history hat there, sorry, everybody. But my final question, you know, obviously for any enterprise listening, large or small, maybe go talk to cyber reason and they'll help you out. But for individuals, average Joe's, are the basic simple things that an individual can do to protect themselves, still just password managers and two-factor authentication, or is there something else we should be doing?
Starting point is 00:23:53 Yeah. So the biggest initial access vectors, right? The biggest techniques that ransomware operators and affiliates and partners of ransomware operators use to start that process or start a ransomware activity are still very much the same three things that we've been seeing over the years. exact same three things. They just, you know, grow, you know, they just get better in specialization and in updating those procedures to use newly acquired information. But the top three procedures that they're using to drive ransomware operations are number one, fishing, right? Number one, it's still user, user based execution, email-based fishing or social media-based fishing. That was actually, that was a question that I never got to. So even with these corporate and huge, big, you
Starting point is 00:24:46 know, headline hacks. It's still that. It's still just someone clicking a link that they shouldn't have. That's the number one avenue to get in. That's still the number one avenue that these Fed Actors are using. So user awareness training, email filtering, web filtering, endpoint security tools that can block malicious content from getting executed on the endpoint. Better security, hygiene, reducing the attack surface of the endpoint. It's the exact same thing. for that we've been we've been using over the years, I've been preaching for over the years to reduce the, or reduce the likelihood of a fishing attack being successful.
Starting point is 00:25:26 The second primary vector that they're using are, um, uh, unprotected online services, right? Things like RDP, right? Say if we're hosting a service and we have RDP access or SSH access, we have a server. It's hosting one of our systems on the cloud or on-prem.
Starting point is 00:25:44 It has a weak password. maybe, it's accessible via the internet. That's the second most prevalent entry vector that these actors will use. So you really want to make sure that we properly manage our credentials, privileged account management, two-factor authentication, etc. To make sure that these weak remote access interfaces aren't taken advantage of. And the third entry vector that these guys, are using are taking advantage of vulnerable or exploits or software vulnerabilities that exist in services that we have online.
Starting point is 00:26:26 So if we have, for example, if we have an email system that we host somewhere, if we have a Microsoft Exchange system that we host that is offers an outlook web access for our teams to, you know, have email when they're remote, email service when they're remote, we really want to make sure that we patch it, right, against the most recently found vulnerabilities. So everything that has to do with software patching, attack surface reduction in terms of network access to ports they're not, and services are not being used on these internet accessible software products. And that's generally speaking, reducing the attack surface by deploying the most recent patches and keeping our software up to date. that's probably, I would say, the number one most effective thing to have against that third entry vector. So just best practices and hygiene and reducing the available target area, it's, you know, crime never sleeps. It's never going to go away. But if you just lower your profile, that's the best you can hope for, essentially. Right.
Starting point is 00:27:35 Yeah. Israel, thank you so much. That's one of the best conversations I've ever had about cybersecurity. So much appreciate it. Thank you so much, Brian, for having me.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.