
Okay, thanks Dave. Yay. Okay, so I talked about this quick disclaimer. I'm representing myself today, not my organization. Like I said, Navy back in the day, bounced around at DOE, a bunch of product companies, worked at Dragos, worked at Huntress, which actually will come up from an MSSP perspective in a little bit in this discussion. I was at the MITRE Corporation for a little bit. Now I'm at Dataminr, but I'm here as Joe, which means I get to say whatever the hell I want as long as you're not live streaming this to my employer and I say something that they don't like.

But anyway, the state of the now, which I was getting into: ransomware, more brutal than ever. You know, 44% of all breaches in the DBIR that came out this year had some ransomware component involved in them. Now certainly that is a subset of already existing security incidents, but you get the idea. So I talked about critical impacts on services in health care and education. And this does have important considerations to it in terms of financial impacts. Again, it was mentioned yesterday in the intro to this track that hospitals don't have that many weeks' worth of runway if they're not generating revenue to the point where they are able to continue to operate. Then there's also the service impact component to things as well, where if I don't have it up, then how the hell do I operate? Whether it's electronic medical records, whether it's, you know, everyone here who has a kid in school right now, I'm sure, is used to having the Chromebook or whatever else and online education platforms that are supplementing or deleting a lot of items, to say nothing of getting into incidents like just being able to do email, etc.

All right, sorry, we're just kind of blowing through this because of our technical difficulties here, but yes, getting to our Düsseldorf example, there was the DoppelPaymer ransomware event that resulted in an ambulance rerouting, which didn't, you know, the ransomware didn't kill someone, but the delay in service ended up impacting quality of care, which I think is the important way of putting this, which I know Josh has mentioned numerous times, including in congressional panels and so forth. And we've seen this even more recently in studies that have shown that as you start impacting the ability of hospitals to provide service at a consistent or expected level, whether you're talking about the blast radius item where hospital A in a region has an impact resulting in patients being pushed out to other institutions, which starts bringing down the quality of care more generally, we start seeing this degradation in care.

But the thing is, what we often talk about when it comes to these items is state-sponsored disruption. So, Volt Typhoon, which I do a lot of research on, both historically in past jobs and currently kind of on my own because I'm a freaking nerd and this is just the kind of stuff that I dig into, that we emphasize that this is this horrendous existential threat to the operations of critical infrastructure, that in a Taiwan Strait scenario the lights are going to go off and other bad things are going to happen. Or more recently, or well, concurrently, CyberAv3ngers, which I like to say is computer network annoyance as opposed to computer network attack, that, you know, they're defacing HMIs and similar sorts of items. Not in itself concerning, but the fact that they're able to access these systems and are targeting critical infrastructure certainly is concerning, and what could it mean from there.

The thing is, though, that while there's lots of concern over state-directed cyber impacts, the results and actual impacts have been minimal to non-existent, with certain exceptions. You know, back in my day at Dragos and DOE and other areas, as well as working as an independent researcher, I've dug into the 2015 and 2016 Ukraine attacks, the 2017 incident in Saudi Arabia involving safety instrumented system malware. There's been some more recent things in Ukraine that we've seen, but, you know, look at the panel that I referenced earlier on the 15 years since Stuxnet and a lot of the expert commentary around that, and we really haven't seen what we expected for something that took place over a decade and a half ago now in terms of cyber-physical operations. So, are we really focusing on the right thing? Because there's significant policy and political focus on state-directed adversaries holding critical infrastructure at risk for disruption and destruction. But the thing is, such impacts are already happening today. Now it's not some esoteric, exotic cyber-physical payload that we're talking about, which maybe you'll get to see something like that presented, you know, up the road at DEF CON or whatever in a couple of days, but rather we're seeing fundamental aspects of IT operations that underpin the capabilities of these critical networks to operate being held at risk, disrupted or destroyed as a result of criminal activity.

And the thing is, if you look at some of the more impactful elements of cyber offensive operations targeting critical infrastructure or economies at any sort of scale, you're talking things like NotPetya, which was pseudo-ransomware operating as a wiper effectively, as opposed to an actual ransomware payload, or other uses of wipers like we've seen in Ukraine, that have actually had significantly more impact than any sort of science project that speaks an OT protocol and can result, after doing multiple sequences of steps, in disrupting operations. So a couple of years ago I gave a Skytalk on what we would actually need to do to disrupt the grid, and it echoes a lot of what Munish and Emma were talking about earlier: the possibilities exist, but the degree to which you need to get a number of things, and a number of things right, in the proper order of operations to make it happen at scale is non-trivial. However, being able to have localized impacts by simply targeting and blowing away the IT or higher-level OT operations and eliminating the operations of all Windows systems in the environment, that isn't terribly hard, and we're already seeing that reflected in the way that ransomware operators, whether you're talking Akira, DragonForce, take your pick of the flavor of the moment, are currently operating, or rather the affiliates that are using these ransomware variants are operating today.

So we have to ask ourselves, okay, if we're talking about allocation of scarce resources, are we really focusing on the right or the correct problem by looking at the notional cyber-physical OT attack scenario versus what's going on already in the day-to-day? And we've seen state-sponsored actors actually piggyback off of this in very impactful operations. So there's an important consideration about this, though, in terms of how these payloads are actually being delivered.

So, the route to ransomware. How do I get to a point of deploying a payload? Who are my pentesters in the room? Yeah, I've got a few. Okay. Who are my offensive cyber actors, either currently or in a past life? Don't raise your hand. Okay. Anyway, we're talking about a lot of fundamental overlaps in tradecraft right now. So, what are we talking about? Things like credential harvesting and reuse, weak authentication schema, whether you're talking single factor or not very well implemented multifactor. We're talking vulnerable edge devices. So whether you're talking about the small office/home office router device or whatever that's sitting in your environment, or, you know, pick your network appliance vendor du jour, Fortinet, SonicWall, etc. Adversaries are identifying fundamental weaknesses either in how these devices operate, or they have vulnerabilities in them that are either being exploited as true zero days or rapidly weaponized post-discovery to enable access, leading to living off the land binaries and scripts, LOLBin/LOLBAS activity, but also seeing a division of labor in terms of ransomware deployment.

The funny thing is that a lot of these same sorts of items are reflected directly if you look at how a Volt Typhoon operates, or even how some of the higher-end Russian APTs are operating in Ukraine. It's not about developing the bespoke, esoteric piece of unique, beautiful malware or whatever that is unique to my organization, but following a script that looks pretty damn close to what you would see for pentesting 101. Well, maybe not 101, but like 301 or something along those lines in terms of operations. Because we have to ask ourselves, is this unique? And the answer, after doing some research on this subject, is that it very much is not, that we're seeing adversaries from e-crime to APT increasingly rely on similar operational mechanisms. There has been a convergence in tradecraft. I was hoping this was going to be available by the time of this presentation, but I just gave a presentation at the FIRST annual conference in Copenhagen that dug into the data, looking at MITRE ATT&CK mappings, looking at the DBIR, looking at the M-Trends report. And we see this reflected in an analysis of intrusions, that whether it's due to efficiency, it's just easier to operate this way, general availability, but also defender failures, we're not talking about really rocket science sorts of techniques here, but adversaries are able to leverage these common mechanisms in order to operate quite effectively without looking very different from one another.

Now, this presents challenges in terms of attribution, if that's something you care about, if you're a CTI weenie and you want to talk about, you know, whatever mythical APT or whatever you're tracking. But it also has potential benefits in terms of defense, because as we start looking at converging tradecraft, we also talk about converging mechanisms to try to disrupt or dissuade its use. And just to give a quick view, because I know we don't have a whole lot of time here. You know, if you look at this, this is just taking the latest MITRE ATT&CK release for CTI objects and, like, okay, show me what are the common techniques that are referenced after removing a couple of things that are just basic must-haves, and we see, like, adversaries love using PowerShell, adversaries like using spear phishing attachments, etc. And looking especially at adversaries that have been updated most frequently, we see that that convergence applies to an even greater extent. And similarly in the M-Trends report, looking at what the folks at Google Cloud, because I'm not going to call them Mandiant anymore because it really bothers them, that's maybe not nice, but anyway, similar, not quite as extreme, but as you start looking at individual elements of intrusions and forensic investigations that have been performed by those folks, we see again lots of commonality in terms of how these intrusions have taken place.

Now, this results in some conflicting defensive priorities, though, because from a government, military, strategic sort of perspective, state-sponsored cyber is the primary risk. Like, we can't get around that, or whatever. If I am a national government executive, etc., like, you know, this is simply important to me, thinking about the big picture, disrupting multiple entities, causing whole-of-economy impacts. So I'm talking about Volt Typhoon, Salt Typhoon, I'm talking Sandworm, I'm talking similar sorts of entities. But the thing is, for most asset owners and stakeholders, the thing I care about is, like, okay, the Taiwan Strait scenario is mythical as far as I'm concerned. It's notional. It doesn't necessarily impact me in the immediate sense, in the sense that I'm just worried about day-to-day operations, continuing to operate, continuing to make revenue. So that means that concerns are generally about more immediate disruptive scenarios that impact operations in that direct fashion. Thinking again ransomware, BEC, etc., like your Akira, your Scattered Spider, your DragonForce, etc.

But the thing is, if we could start looking at this as not being an either/or proposition, because whether we're talking about our mythical typhoons or talking about our little kids from the Com or whatever that are doing stuff in order to impact hospitals and schools, if there's a lot of overlap in how these entities are operating, it provides for some opportunities. So certainly whole-of-country and specific asset owners have different perspectives and concerns; that goes without saying. The result is that there's a focus on different threat actors in defensive operations. But if we can adopt this perspective of convergence in activity, it opens up pathways for common actions that we can take that would help resolve or help address fundamentally different adversaries in terms of intention and in terms of operation, but looking at those single points of failure in adversary operations in order to kill a couple of birds with a single or a handful of stones.

So in looking at this, we talk about things like "do the basics," "eat your cybersecurity vegetables" and crap like that, or "Shields Up." I make fun of those all the time. I blogged about it a couple of weeks ago or whatever, saying that it's a cowardly approach to defense. So justifiably derided in a lot of ways, especially because these are often used in conjunction with threats that are abstract from the perspective of most asset owners, threats that won't hold them at immediate risk. Again, Volt Typhoon, I will say right here, very concerning threat actor that has gotten into a number of environments in some very scary areas, but their actual record of both OT network access and OT impact is zero to very small, at least based upon information we can talk about right now. So as far as the threat that it poses to the everyday asset owner, whether we're talking that utility in New England that got hit that made a big splash in a Register article from a couple of months ago, to the island of Guam, it's like, okay, you know, this is a concern. I need to be worried about this. But at the same time, if I can get ransomed and have my entire IT network blown away tomorrow, what do I focus on?

But the thing is, if immediate value and impact can be communicated across state-sponsored and e-crime adversaries, looking at the ways in which these items overlap with one another quite significantly, the incentives for day-to-day operators to adopt the items they need to defend their network, not just against the Akira affiliate but also from a Typhoon, become much stronger. It becomes a much easier sell, a much easier way of justifying allocation of scarce resources, where resources even exist, in order to try to address these problems. Because the thing is, we can start extending defensive guidance in ways that start identifying what are the key pain points for adversaries in operating, and having had an adversarial perspective on defensive items or whatever, any of these items would represent maybe not completely eliminating but definitely crippling things in order to overcome.

So starting first off with just authentication mechanisms. You know, I multifactor everything, and there's almost no excuse, especially for any sort of service that is external facing or accessible in any fashion, that that should not exist. It is relatively easy to implement at this point in time. And yet we still see single-factor auth externally exposed, or weak multifactor authentication entities leveraged and abused, whether we're talking Scattered Spider or some other entities that can do the social engineering route in order to get around the help desk, etc. We can also talk about, like, okay, if I can't do it myself, you know, do I migrate to a third party, thinking about identity access management, single sign-on, etc. A little dicier, because now we're talking about money that a lot of these organizations may not necessarily have, but thinking about a lot of the at least modern suites of software and applications, whether we're talking about M365, Google Cloud instances or whatever, is that we need to start thinking about more options of leveraging what is thankfully being baked into the things that we're using and turning it on effectively, getting us to things like access. So, who has an external-facing SharePoint instance that was hosted internally or whatever that was compromised in the last month? Because if you have a SharePoint instance that is external facing and was also hosted locally, you probably did have it compromised in the last month. But thinking about items like, well, why is that asset even exposed in the first place? And doing things like, again, cyber hygiene items to try to determine, whether it's my own network as I've designed it or what the integration contractor or similar installed at the point in time, thinking through how these items have been put together and what it is that I'm exposing to adversaries to take advantage of, and then applying things like attack surface management and improved vulnerability management in order to try to get ahead of some of these problems as well.

Finally, from a movement perspective, again, while we're talking about entities that don't necessarily have the most robust IT administrators and shops, if we're talking about a rural hospital or a small school district, at the same time, thinking about what are the key items or whatever that I know just simply are important and can't be compromised in some way. First off, thinking how can I migrate away from owning that myself if I know that I can't administer it effectively, and going to a third-party provider. But then also thinking about ways in which I operate the things that are residual and left behind, to try to improve the way in which these things are put out there and secured.

So the funny thing is that this comes from the joint cybersecurity advisory put out by CISA and a bunch of other partners on Volt Typhoon. A bunch of network operating strategies, lots of really complex items, but also some fairly basic things as well. The thing is, if you start looking at this defensive guidance, it essentially mirrors the items that are necessary to defeat most ransomware entities at present as well. Again, we were seeing that commonality in tradecraft. That if we can start showing that the benefit doesn't just extend into this notional national security issue which may or may not manifest in two years, five years, depending if you listen to Josh or listen to Bryson if you were in the morning talks yesterday, but something that may manifest but I don't know that it will, but also reflects on what's going to impact my day-to-day. So in this sense, reframing Shields Up language to comprise immediate, tangible security outcomes should, I think, provide a greater incentive to start adopting some of these principles in order to try to get around the issue and reframe things in a way that would be more justifiable or defensible.

So what's the call to action here, since we don't have a whole lot of time? So first off, I really am a big fan that communication is key for a lot of items in terms of being able to incentivize action or to prompt action by others. And so reframing emphasis when we start talking about the state, or even commercial, ways of communicating threats, and ceasing our glorification of the potential APT, state-sponsored or whatever activity, and reframing things into more direct, tangible impact scenarios can start changing the conversation in a way that the incentives can start pushing for greater action by critical infrastructure owners, even those that are relatively less well-off than others. The result should be improved defensive posture against multiple adversary types that fulfills multiple perspectives, that in the course of defending us against a Scattered Spider event, which is very prolific right now, or pick a nasty ransomware actor that likes to pop school districts and so forth, that in the process of doing so I'm also defending against much nastier things as well. So translating our messaging to emphasize immediate security and operational benefits can enable improved posture for those strategic defensive items as well, to sort of link the two together.

However, there are limitations in this approach that I do want to acknowledge. So common defensive actions to address multiple adversaries is very good. But many of the organizations, for those who've been paying attention throughout this track this year as well as in past years, many of the organizations that operate critical national infrastructure remain below that security poverty line and lack the capacity to even implement these mechanisms. There is a significant disconnect between the resources, talent and motivation between adversaries, whether we're talking a Volt Typhoon or a ransomware affiliate, and the local school district, the rural hospital, etc. And that remains something that is difficult to try to figure out a way to overcome. We can certainly try to incentivize movement that, hey, by doing these actions, you're not just taking care of the five-year threat, you're taking care of the current threat. But if the resources still don't exist to even respond to that, it becomes difficult to try to figure out where we can benefit from this. As a result, residual risk will remain and must be addressed somehow. There are options for that. We'll talk to a couple of items here in a second, where doing the basics is certainly going to be necessary, but it may not be sufficient in and of itself. So, we do have to think about what is left behind as a result of these actions, and what organizations are still not going to be able to implement this effectively.

So, from a future consideration standpoint, heightened defensive posture is only going to get us so far. It's a necessary item, but it's not going to solve it all entirely on its own. Additional investments are going to be needed in terms of building resiliency. And I like emphasizing things like business continuity planning, disaster recovery planning, things that we do for physical security threats, and other items that have applications for cyber as well. If we're talking about the potential to disrupt or impact the delivery of physical services, it's also interesting to note that higher-level entities and authorities may need to pursue something a little different to try to dissuade or disincentivize adversaries elsewhere. So, this is a point where, you know, the cavalry is not coming, but I don't think that we're ever going to be able to resolve this problem effectively. We'll be able to perform harm reduction to a certain extent, but if the cavalry never shows up, it's going to be difficult to do harm elimination to some extent. So, we need to think about what that may mean, because again, we'll have residual risk left over as a result of even some of the best actions individual organizations can take.

The last thing I'll say, because I'm running out of time, is we've talked about the fact that the cyber ship has maybe sailed already, that, you know, we're already putting ourselves behind adversaries, and so we should start thinking about things like "defend cyber" having moved away from being able to defend, to mitigate and build resilience, because we're dealing with installed systems, and we talk about things like cyber-informed engineering in similar ways of approaching this. But we also have to ask ourselves, like, what is the possibility of being able to rapidly revamp or reconstitute a physical system in order to build more resiliency if it doesn't exist already? Again, going back to, you know, you're fighting the battle with the tools that you have right now as opposed to the tools that you wish you did. And how do we orient these conversations around things like building in resiliency and operational planning to take advantage of what capabilities are already latent in the environment, instead of dreaming about what we may be able to implement in the future? So again, just something to think about.

So finally, concluding slide: ransomware's effect is basically what we're dealing with in terms of social disruption right now. It may reflect upon what we can imagine a notional state adversary would do in the future. But the thing is, e-crime behaviors are mirroring a lot of the concerning APT behaviors that we need to be worried about, and as a result we can take advantage of this overlap to emphasize immediate security needs to justify the investment and the action on the part of asset owners to basically operate against these threat actors and secure organizations against both the immediate threat as well as the longer term. But with the admission that passive security controls will only get us so far, and to some degree, we're going to need to figure out something else if we really want to make these problems go away. So that's all that I have. I'm sorry for the technical issues at the start. Thank you, Dave, for being able to pivot very quickly and for me to use your machine. But

>> Yeah.

>> Well, I had a question, but you kind of blunted it. So, how about we all just say fantastic presentation, fantastic recovery. [applause]
>> So the comment, offer, request to you and anyone else that heard him is yes, the kind of things you would do to stop ransomware might also help you with Volt Typhoon. The problem is most of these target-rich, cyber-poor utilities aren't doing it for either. So I guess the question, challenge, is if we get the consequence-informed engineering, cyber-informed engineering resilience settled, what's the very first set of crawl-walk-run cyber advice that should follow, should fast follow, the physical resilience stuff? So rhetorical for now.

>> Yeah.

>> But, like, we don't want to install super expensive, brittle cyber that gets them hacked with KEVs, but we might want to prioritize the tangible win-win for both. Thank you.

>> Yeah, sounds good. Thanks, Josh. And again, apologies for the issues at the start. I don't... do we have time for questions, or? Okay.

>> If you have a question, come on up. Come here. So, up, and we will answer a couple of questions. Come on.

>> So, some of the things that we talked about, like Volt Typhoon and the difference between local and strategic interest, pull up my talk from Critical Effect or from BruCON last year or whatever, if you're interested in that. And then the converging tradecraft presentation should be available in another month from FIRST, and the paper on that should be coming out in the next six months if I can figure out who will actually publish a damn thing. Anyway, thank you.

>> Hi, thank you for the presentation. So I completely agree that communication is key, and I have to admit I hate that we're always talking about ransomware, because it puts the problem somewhere where it doesn't feel like everybody can be a part of it. And I mean, to get to ransomware there's so many steps that happen that we can prevent, that we can raise awareness about, and that is sort of lost on the way by just talking about ransomware. So I hope that this is something that we can focus on a lot more. Yeah.

>> And I mean, you said it, so one thing that I was also curious about is you were at MITRE, and they're basically just talking about state-sponsored, but how do you see that transitioning and providing something like MITRE does for everything else around it? Do you think there's a possibility to have that somewhere in the future?

>> I think so. I can tell you when I was managing the CTI portion of the ATT&CK framework up until May, when I left MITRE, that was a big point of emphasis for me, getting greater reflection of e-crime and criminal activity within the framework, because one, it's important, but two, it's also difficult, and we see some of this reflected in adversary operations as well, where we see a division of labor between initial access, infrastructure management, and then actual on-keyboard operations. Criminal ecosystems are much more diverse. Whether you're talking about your initial access brokers that sell access on to, like, someone who's going to then work with a ransomware affiliate to deploy a payload, and that affiliate is going to handle negotiations, it becomes not just a unitary threat actor that we're dealing with. And so it's not just one throat to choke, so to speak, but becomes rather which area of the problem set am I acknowledging, and do I even have the knowledge to track these items effectively to know who it is that I'm dealing with. And it's that diversity in the ecosystem which, both on the government side and in the commercial sector, has been difficult for folks to wrap their heads around, because we like to think about the unitary threat actor as opposed to there being a very diverse division of labor behind operations.

>> Yeah. And I mean, also the problem that we've run into with being able to communicate the challenges and what we need to do and how we can effectively also reduce risks to, like, the C-level and so on. That's something that's stopping us on so many levels, and I hope that we will be able to, like

>> evolve in that

>> to get

>> We shall see.

>> Okay, so we've got two more questions. Each question and answer is 30 seconds and not more. Go.

>> Speed run.

>> What's up, Joe? So quick question. One of the biggest challenges in CTI is translating that strategic risk in, like, a briefing report to leadership into, like, tangible, actionable outcomes and getting them to action it, while also, like, maintaining the balance of not crying wolf. So, do you have any sage advice for making your strategic risk identification, maybe even around ransomware, land harder?

>> Yeah. So, first off, I'm sorry to cut you short, but we've got a little bit of time. Strategic CTI is complete for 95% of the organizations that are out there. No one gives a who the hell is actually responsible for things in the vast majority of cases, unless you're law enforcement or the military. And CTI in general should be focused not on reports, but on detections, hunts, and informing security operations. That is my bias. I'm very tact... I teach this in my CTI training, that CTI's focus, if you're not thinking about how the decisions I'm supporting can impact the day-to-day defense of my network, if you can't answer that question effectively, you're doing something wrong. And it's that change in perspective we need to adopt, instead of going after the geopolitical, like, this is what Russia's intentions may be or whatever in a cyber conflict, like, ain't no one care about that other than a few people. So, how do I actually ensure that this gets translated to a meaningful security decision? And we can talk more about that offline if you'd love. Yeah.

>> Thanks.

>> Yep.

>> Let's see if I can make this really brief and to the point. So I think maybe as a thought, you know, some of this might just come from the fact that, okay, you know, the news media reporting on APTs and all that is maybe a little sexier than, like, talking about, you know,

>> all the different ransomware attacks. And of course, the problem is too, the people who are victims of the ransomware attack don't want this information out there.

>> Just one thought I had when talking about this,

>> because I haven't really seen anything of it: a good, like, anatomy of, like, if we could get information about the anatomy of a full ransomware attack, the whole kill chain. Yep. Like in specific, you know, like a couple of specific examples

>> might emphasize to the people who might have to defend against this, you know, what the actual actions are, instead of, like, just saying, oh, cyber hygiene, Shields Up kind of stuff, because that's kind of like, what does that mean?

>> People need... they need details.

>> Yeah. And some folks do that. So, not to shill for anyone, but they're not really a vendor in the traditional sense, but, like, The DFIR Report provides excellent examples of walking through, from their case studies, how a lot of these intrusions have taken place, that go to that level of detail. But I agree that there needs to be a greater emphasis on the part of reporting entities on providing the actionable details that relate to how these intrusions took place, when those details are even possible to identify, because in some cases it's just like, well, we got ransomed and we have no logs, we have no forensic artifacts to look at, or so. But where possible, providing as much detail as possible is what's going to drive that sort of actionable decision-making that I talked about.

>> Okay, put your hands together for Mr. Joe Slowik. Yeah. Woo. Yeah.