From a risk management standpoint, the cyber security threat landscape has jumped the shark. The ability to distinguish various threat motives, threat vectors and related impacts to an organization, its people, and its mission has arguably devolved over the last 5 years. We’ve been playing Security Risk Theater for too long, and it is time to get down to brass tacks and identify what ‘first things first’ actually looks like going forward in 2020. If we are not able to do this as a community of practitioners and leaders, the industry will be stuck in a seemingly endless state of entropy, chaos and risk.
There are times to reflect back upon the history of cybersecurity and learn from it, and this will always be the case. However, there are also times to abandon historical notions of lessons-learned and push forward into that great unknown whose precipice we are now upon. The perspective of this author, and indeed this author’s raison d’être from here on out, is to vocalize and mobilize, as clearly and as loudly as possible, that which is upon us and that which we must now solve together as a community. In short, we need nothing less than a willing, aware, and impassioned collective of leaders to embrace and expound upon a movement of hyper-awareness.
While there are myriad lenses through which to observe and articulate the thrust of this awareness movement, we will focus on just one for now, which I believe to be the most important:
The raw velocity of the threat landscape requires an even greater velocity of the cyber defensive landscape.
Forget About Threat Actor ‘Sophistication’
While there is much noise, FUD and dramatic dialogue about the sophistication of the threat landscape, I do not believe it is sophistication that has given the adversary the upper hand. In fact, the most severe destructive events of 2019 involved TTPs (Tactics, Techniques, Procedures) that were trivial in complexity or sophistication by any measure: Reusing stolen passwords? Connecting to remotely accessible RDP services? Having a user click on a malicious Word document executing Visual Basic code? A website dropping malware in today’s flavor-of-the-month language?
As they have been for decades, these are the most trivial and universally understood means of attacking an organization or user to gain a foothold.
Oh, but what about the crazy sophisticated trojan payloads these days? From where I stand, they are no more sophisticated than they were nearly 20 years ago when I wrote a paper entitled Trojan Warfare Exposed, in which I highlighted the multitude of features available in the commodity SubSeven Trojan of the era: well over 150 discrete features and capabilities that, when compiled, were still less than 0.5 MB in size.
At the end of the day, malware is still doing malware things: gaining footholds, extracting passwords, evading and persisting, moving laterally, sniffing keystrokes, and helping criminals extort their victims.
But wait, you say, “we didn’t have ransomware back in 2000, did we?” If by ransomware you mean criminals extorting computer users for money, well, we did actually. And it was simply called a trojan, and hackers used trojans all the time to intimidate, extort and coerce their victims into taking actions or giving up information. A list of things hackers were doing in Y2K with trojans (taken from the above-linked paper):
• Fake Windows Logon Script
• Key-Loggers that send strokes to hacker’s email
• The Matrix
• Intimidation (do it or else)
• Simple trojan Chat box
• Microsoft Text-to-Speech engine manipulation.
• AIM/ICQ/MSIM spies, and/or impersonation
• File download from PC into a customized dictionary attack.
• Passwords stored in registry, DUN account settings, etc.
• Remote Network Sniffers
Suffice to say that it is not sophistication that is the modern attacker’s advantage over us. From an attacker’s point of view, your network and your entire security stack is much more sophisticated in terms of raw code development, integration, compute power and design.
Hackers must face any number of disparate and diverse technologies in order to successfully evade, persist and move about a victim environment. Pundits argue that hackers only need to be right once to succeed, whereas defenders need to be right 100% of the time to prevent an incident. Those pundits haven’t spent enough time as an offensive red teamer. It is the opposite that is true: A hacker needs to be right 100% of the time to pull off their objective undetected, and it is the defender that only needs to be right once to fully interrupt and halt the attacker’s kill chain.
But we don’t think of the problem space this way as an industry, as we have been in a state of reaction since the ‘breach era’ of 2013 through to the present. We lament and exclaim to one another that it is only a matter of when, not if, we will be breached. It is against this pretext that we have come to believe the adversary is more sophisticated than we are. But they aren’t.
Speed is the Enemy’s Invisible Advantage
If there is one thing I learned in the 15 or so years I consulted in the Department of Defense (DoD) cyber space, it is this: No matter how much visibility, continuous monitoring or data crunching you do as an enterprise, none of it matters one lick if the enemy outpaces that effort.
This was incredibly apparent when one of the least sophisticated nation state threat actors at the time was able to compromise, persist within, and exfiltrate data from a million-device enterprise. It was also a painful lesson (at the time) in the area of web application security. Immense effort went into monitoring the logs of critical web applications, but none of the effort ever successfully prevented the risk impact to the mission from occurring.
Similarly with call-back (aka “C2” or “command and control”) detection, NetSec teams became inundated with alerts, all of which needed to be vetted, and all of which were acted upon after the callback connections had occurred, along with the additional tools, payloads, or data exfiltration taking place within those connections that had already occurred.
The ‘time lag’ the Department of Defense struggled to address is the same time lag we are all struggling to address. It is the reason we are on our heels.
So we see that it is neither the sophistication of the threat, nor our inability to detect after-the-fact that gives the adversary the upper hand. When an accident happens on the freeway, there is often nothing sophisticated about what happened to cause it. And, when the forensics team comes to investigate what happened, they can usually piece together what the root cause was, what the safety failures were, what the driver behaviors/choices were, and what the damage/impact was. That is what hindsight gives us: 20/20 vision.
Human beings relish the ability to understand what has happened. We usually don’t even care how a bad thing might happen until after it has happened. That’s when shareholders pick up the phone. That’s when attorneys come into play. That’s when public statements and notifications need to be made. That is when we become interested as defenders in what just happened.
But by the time we initiate and complete those after-the-fact activities to get smarter about what happened, the adversary has already won in every sense of the word. They’ve gained security control without authorization. They’ve impacted the organization before the organization even realizes it. They’ve elevated privileges, run queries, grabbed data, or destroyed it. They’ve. Already. Won.
Reject the ‘Good Loser’ Mentality
Yet here we are still trying to frame this entire landscape in human time frames… minutes, days, weeks, months and years. One minute to detection? Are you kidding? We turn up to the game a minute after the final whistle? It’s already over!
Don’t talk about dwell times and how millions can be saved if you can just keep a breach dwell time under 200 days instead of the average 285 days. That’s hotwash. That’s risk offset. We have fallen into the fake comfort of explaining what happened, of justifying our failure. We do all the things a professional sports team might do after they lose the game.
And we’ve gotten so good at these things that it has affected our very ability to perceive and attack the problem. It has become the language of cyber security. There are even vendors that proclaim the ‘standard’ of how long it takes to detect, alert and remediate an incident should be measured in minutes and hours. As if the actual adversary even cares what a vendor’s SLA might be. As if we are still living in the 2013-2015 post-breach ‘wake-up call’ world. As if our primary role as a CISO is to be able to describe with perfect visibility, exactly how the enemy of the organization just succeeded in negatively impacting our organization and its mission. How far we’ve strayed from the basic tenets of information security of the 1990s! How much profit and pleasure the adversary takes in us having done so!
And let’s be honest: how much profit and pleasure has the security vendor industry also taken in perpetuating the problem by never fully solving it and charging for EPS (events per second), alerts, data retention time in the cloud, incident response services, and (insert all the fantastic cyber pew pew here)?
What Does 2020 and Beyond Look Like?
We’ve seen this coming. We’ve all talked about it. I predicted it in 2016: that ransomware campaigns would begin to leverage much more than just encryption routines to extort us. It was extremely forth-telling that a Mexican oil and gas company got targeted by a DoppelPaymer ransomware campaign (whose lightning-fast payload performs over 2000 malicious operations on the host in less than 7 seconds) that also affected its cardiac/hospital care center in Tabasco, even as the author of the malware embedded a comment in their code that reads:
“We don’t care who you are and why this happens. No one died. That’s all”.
That same ransom note also threatened to dox (expose, leak) or sell sensitive information that the attackers said they exfiltrated prior to encrypting their network, should the victim not pay the ransom in time. And speaking of time… time matters! Vanderbilt recently completed a study showing that over 2100 cardiac patients die every year in America due to cyber breaches and ransom events and their effect on hospitals… and it comes down to the additional 2.7 minutes it takes to get an EKG performed before a doctor knows what the correct treatment is.
It was even more instructive when on the 25th of November this year, we learned that the ChaCha (aka TA2101) ransomware gang actually did dox 700mb of data from their victim (Allied Universal, $7B valuation) when Allied decided not to pay the $2.1m ransom that has since ballooned to $4m after a delay in payment. This marks the first publicly-known event where such ‘secondary extortion’ has been exerted on a victim.
That will in turn lead to other universally ugly evolutions, such as dropping CP (Child Pornography) files inside an organization to exasperate and overwhelm a victim into paying. We’ve already seen this happen during non-ransomware targeted attacks, when attackers left CP behind on purpose, knowing that doing so changes the forensics landscape by requiring HR intervention and CP reporting laws to kick in.
Entire email account inboxes can be leveraged as well: there is nothing that is off-limits in the mind of the criminal extortionist. Case in point: the same attackers that targeted Allied also gained access to private Allied.com email keys that had been stored in plaintext, and which could be used by, say, an Emotet campaign operator to spoof malicious spam from. This ostensibly represents yet another form of risk to Allied, which effectively applies even greater pressure by the attacker.
Putting It All Into Perspective
Most organizations realize they are victim to a ransomware event only after the first few machines begin to get encrypted. By this time, the majority of attack kill chains have already played out. Footholds were gained, credentials stolen, lateral movement achieved, spreading via domain credentials and tools accomplished, persistence established and (as we just learned above) sensitive data already exfiltrated.
Note that the same ‘low and slow’ breach story of 2013-2015 isn’t what is at play here. Attackers can much more easily discover and exfiltrate sensitive data now, and whether this data is the ‘crown jewels’ or not is nearly irrelevant in the context of the modern hyper-velocity kill chain. It is leverage, nothing more. It leverages the imagination of the victim more than it leverages the value of the stolen data on the dark web.
It doesn’t matter if the attacker gets salted password hashes, secret sauce formulas, customer lists, PHI/PCI, or inventory/warehousing data: so long as it is seen that the attackers simply stole data, the reputational damage is done.
Just like FIN6 might pivot from an initial RDP foothold to a one-word query for a gift-card portal on a BigFix device, the modern extortionist hacker might simply reduce their exfiltration strategy to “What’s the most amount of data I can find/access/exfiltrate the soonest?” And though it may sound like a bold assertion, there is simply no reason why any criminal group targeting an organization wouldn’t simply grab already leaked or sold data for that organization from the Deep Dark Web prior to launching a targeted ransomware campaign to claim they have access to and have exfiltrated current data.
No matter how we imagine 2020 and beyond to play out, one thing is certain: It will continue to play out faster than it has in the past. It will continue to overwhelm — by speed, not sophistication — legacy security controls and after-the-fact visibility efforts. It will continue to reward the criminals that are the laziest and the quickest. It will continue to employ as many forms of leverage as an attacker can easily bestow on their victim. It will continue to move at the speed of computing itself when it comes to how fast a given payload can execute, modify, evade, persist and control a target asset.
This applies not only to traditional IT workstations and servers, but also to VDI environments and within the cloud workload migration story unfolding before us. The technology, intelligence, and security enforcement required to stop these fast moving threats need to be present in both the cloud as well as at the edge (on the endpoint), whatever that endpoint may be. To the extent we do not solve the speed advantage the attacker has had over us, we will remain embattled, in retreat, and at risk. The real threat convergence story revolves around speed, not sophistication.
So What Can We Do?
Thankfully, there are organizations that have already realized this new reality and have adapted their strategies, their staffing goals, their security stack and their understanding of what true risk offset looks like going forward. Mostly, these are organizations that have either endured an event like WannaCry or NotPetya two years ago, or have had their production or services directly affected by more recent ransomware variants like DoppelPaymer or Maze, etc. I’ve said it before and I’ll keep saying it:
There are now only two kinds of organizations in the world today: Those that have been through these kinds of destructive fast-moving events, and those that have not; these two kinds of organizations look, feel, budget, staff and operate completely differently from one another.
You can almost reduce the modern CISO challenge down to the task of getting an organization that hasn’t been through a major destructive event to act like they have anyway, so that they can take the necessary steps to get ahead of these fast moving threats and prevent such an event from ever happening.
Hint: this isn’t about back-up and restore strategies and different risk offsets. This isn’t about 1/10/60 SLAs with cloud-native vendors persuading you they have a chance at stopping code-on-code run-time threats. This isn’t about reacting and setting expectations with the board that it’s only a matter of time before the bad day happens.
No, this is about the hard work of actually beating the adversary at their own game: speed.
To do that, I’ll leave you with what is probably the best word to describe the entire movement upon us: anticipation…but a new kind of anticipation that focuses on where and when the actual fight in the ring is happening… not on the locker room after the fighter has already lost and is bloodied up and battered, trying to restore herself.
When the bell rings and it is go-time, the fighter doesn’t get to dial up The Cloud for answers. She doesn’t get to crowdsource her intelligence from all the onlookers in the stands. She doesn’t even get to listen to the coach shouting from the ropes. Nope. She needs to keep her eyes on the opponent’s hips and anticipate the next move, and even more importantly, respond in fractions of a second, with a counter-punch to knock them out.
After all, when is it OK as a boxer to be on your heels? For those who know, the answer is: never.