
Hi everybody. So Kathy (hi Kathy) totally stole my question about who's been to a BSides before, but I will just say that I love, love, love BSides events. And if you don't know, they're everywhere, they're all over the world. I live in Maryland, so in the DC metro area we have BSides Charm, which is Baltimore, and Mr. Man here is one of the organizers. We have BSides NoVA, Northern Virginia; we have BSides DC, although they haven't done that for a minute; and what else, BSides Philly and BSides Delaware. So we're kind of spoiled for BSides where I live. Harrisburg? Well, that's kind of out of the radius, but whatever, you're just trying to get me to go. Is it? Oh okay, I thought it was farther away. Apparently my Pennsylvania geography is not fabulous.

But anyway, I'm super excited to be here. I have not been to BSides Rochester before; this is my first time, and Kathy invited me to come and talk with you all, so I'm very happy to be doing that. One thing I was going to say too is that the fact that you're all here is fabulous, because one of the most important things about cyber security is the networking piece, and I don't mean plugging in the cables, although that is also important, but just meeting other people, because it's a really small community. I can't even tell you how many opportunities I've gotten just through word of mouth, that kind of thing. Kathy I met at a conference, not a BSides but a different conference, and Jeff I met at a conference, and lots of people I met at conferences, and it's just a really good thing to be out here today. So give yourselves a little pat on the back and say yay. Anyway, let me get to what I'm supposed to be talking about.

All right, so a little bit about me. I am principal information security engineer at a company called Equinix. Has anybody heard of Equinix before? Oh my gosh, a few of you have. Not Equifax, that's something different. So we're the world's biggest data center company that most people have never heard of, but I will say that 90% of all internet traffic goes through our servers on any given day, so we're out there in the space, and we have like 260 data centers all around the globe. I've been there almost two years now and it's been a really interesting space to work in, because we have all the normal sort of corporate enterprise security concerns, but we also have IT/OT, so operational technology, right? All our data centers have building management systems that are running all the equipment, so that's a whole other dimension of things that you have to protect. And then of course, because of our widespread geographic footprint, we also have to deal with geopolitical issues, like what's physically happening around our data centers that could be impactful to access or anything else. For example, and this is not really physically around the data centers, but subsea cables. I never gave a lot of thought to subsea cables before; now I do, because we have a data center, not just one but a few of them, in Nigeria, and there was a huge outage last week where several countries in Africa lost all of their internet, and it's still actually being repaired. So things that, like I said, weren't really on my radar, but kind of interesting, right? And that's why I love this field, because it's always something new and exciting.

Oh, I did not mention, but I'm a career changer, so I did something completely different until, I don't know, 10 or 11 years ago. So I'm here to tell you that it can be successfully done. Who here is kind of new to cyber? A few people, awesome. Career changers? Yeah. Are you excited about it so far? Yes, yay. If you want to come and talk to me about the career change thing afterwards, I'm always happy to; I'll talk to anybody all day long.

So anyway, another thing that is kind of important and near and dear to my heart is that I'm on the board of directors for an organization called Cyberjutsu. Has anybody heard of Cyberjutsu? Oh good, a few people. So we're a nonprofit, and it's all about getting more diversity in cyber security. We're kind of geared towards gender diversity, but really diversity across the board. So we do a lot of cool training and deliver a lot of workshops, and we do cyber competitions together, which leads me to the cyber competition part. Kathy mentioned MetaCTF is here. Who's done a CTF before, or Capture the Flag? Okay, quite a few of you, but even more of you have not. So I highly recommend it. It's a fabulous way to just discover new things that maybe you never thought to try or whatever. I do a whole talk about CTF for noobs, just how to get started in it, and I'll try not to do a synopsis of every single talk I've ever done during this one slide, but I will say, like I love network traffic analysis. As I say here, I'm a packet nerd, and I saw my first packet capture in a cyber competition. Would I have seen one eventually? Yeah, probably, but I was doing a digital forensics challenge and they presented me with a pcap and said, you know, analyze this and figure out... it was an intrusion that had happened, and you have to figure out everything, and I was just like, first thing I do is Google "what's a pcap?" So it's really a great way to learn. What else? I'm blathering on about things. Well, it's a packet capture, but yes.

So anywho, I am @marcellelee on pretty much all the things if you're looking for me. I am on Twitter, but I really don't go there anymore because it's such an awful dumpster fire. I'm on LinkedIn; you need my email address to connect with me, so that will be your first challenge: find my email address. You can do it, it's easy to do actually. I'm on GitHub, same thing, and Medium, where I write blogs about cyber things. So, enough about that slide.

A shameless plug: Cyberjutsu is having a conference. It's, I think, our fourth one now, CyberjutsuCon, and that will be happening in the DC metro area, as you can see, June 21st and 22nd. If you happen to be in the area, we'd love to have you. It's also hybrid, so it's actually accessible to anybody. Our call for papers is still open, so if you haven't submitted, you could do that; it would be good. And we just finally pinned down our location, which has been a nightmare, but we are now locked in at the Washington Nationals stadium, the baseball stadium, so it should be kind of a fun venue. I don't know, I just want to be in the box seats where they have the cocktails. Okay, anyway, enough about that.

So let's get to what I'm actually here to talk about today. I don't do keynotes all that often; I've done a few before, but I typically do technical talks and workshops and that kind of thing, so I was kind of struggling, like what should I talk about? But then I was like, what's on my mind all the time as a security professional? And what's on my mind is just how the playing field has really been kind of shifting in the security space. Yes, there's a lot of the same old, but there's a lot of new as well, and it's hard for organizations to keep up. So who here is in some kind of blue team role in their job, defenders? Yes, my hat is off to you, because that's tough. Wait, what does everybody else do? You're all red team? Everybody's a pentester? Anyway, there's a million different jobs in cyber security of course. I'm not going to read this whole list now, because I basically have a slide for every one of these points, so let's just get into that.

Okay, the first thing that I wanted to talk about, and kind of the title of the whole presentation, is the whole expanded area of ransomware, which basically doesn't even involve ransomware that much anymore, right? Threat actors are figuring out that encrypting a bunch of files is just an extra step in the process that they don't necessarily need to do. So these days it's much more common to see what we sometimes call smash and grab: the threat actors are getting into the environment, they're exfiltrating the data, and then they're holding that data hostage. There's nothing new about that, but the new part is where they're just not even bothering with the ransomware part. I have another slide where I'm going to talk about dwell times, and that all kind of plays into that.

So there are other things that these threat actors are doing that are kind of alarming, and one thing that I see as a very disturbing trend is that, back in the olden days, I feel like some things were sacred; some things did not get popped, like children's hospitals, for example. There's one in Chicago that got hit with ransomware, I don't know, last month, and like, who goes after a children's hospital? It's just awful. So I don't know, threat actors, how much ethics do they have? It's questionable. But I do feel like there used to be spaces that were a little more protected from that kind of activity, and that is not true at all anymore. Everybody's fair game. So I don't care what company you work for or what sector you're in, it is very likely that you could get hit with ransomware. It just doesn't matter anymore; anybody who has some money to pay is an eligible candidate for threat actors.

Some other things that we're seeing too are denial of service attacks tied in with ransomware, or, I keep saying ransomware, but extortion. So it's a technique that threat actors are using: they're like, okay, if you don't pay, we're going to DoS the heck out of you until you do, and this is kind of an up-and-coming thing. A denial of service attack, if you're not familiar with it, is just where you basically send a lot of traffic to a server and make it fall over because it can't handle all the requests.

Swatting patients. This goes back to the "what the heck are they thinking?" So in these situations where a medical facility, hospital, whatever, is hacked, they have all the patient information because they've stolen it, and then they literally will reach out to those patients, doing SWAT attacks. If you are not familiar with that, it's basically where you call the police (or whatever; I guess call, I don't know if there's another way to contact the police for these things) and say there's some heinous crime happening at this address, and they send out literally the SWAT team. So these poor unsuspecting patients are getting swatted, and this is just a way to put the pressure on the organizations to pay. Craziness.

Fake hack-back offers. This is another kind of new thing too. The threat actors have all your data, right, and they send somebody to your organization pretending to be a white hat hacker, and that person will be like, hey, I actually have access to your stolen files; if you pay me, I'll recover them for you. But it's just the threat group still, so they're just looking for another angle to get money, which is insane.

And then exit scams. So BlackCat just did this recently, but exit scams are when these groups that run ransomware-as-a-service operations, which have a bunch of affiliates, and the affiliates are using their platform basically to do their ransomware attacks, and then they get the money and the main group gets a part of the proceeds or whatever... basically, if the main group does an exit scam, then the affiliate group maybe doesn't end up getting any money. I don't really care about that part, but I care about where maybe somebody has paid a ransom and they don't get their files back or anything, because that group just said sayonara, bye-bye, and they're just not in business anymore, or they'll be in business but they're going to stand up as some other iteration. So yeah, surprise surprise, threat actors do really bad criminal-type things. And the UnitedHealth Group thing, that's huge. I don't know if you all have been tracking that, but I had to pay, I mean it's not like a terrible story, but I had to pay full price for a prescription, because I have a manufacturer discount card and they couldn't process my manufacturer discount card, so it was like twice as much as I would normally pay, and it's a cheap prescription. So it actually hit me personally too, but it's really impacting a lot of people. Okay, enough about that.

More sophisticated social engineering. Phishing emails and that kind of stuff continue to get more sophisticated, and I will say that AI, and I'm going to try not to say AI 10,000 times in this deck, but that might be the only time I say it, we'll see, but AI is really helping threat actors craft more intelligible, grammatically correct, whatever, phishing emails. But it's not just phishing; there's also vishing, voice phishing; smishing, SMS phishing. You're like, no, not the phishing, they're awful words. Wait till I say quishing; that's the worst of all those. So quishing is QR code phishing.

So at Equinix, I can tell you, I do a quarterly phishing roundup. Oh, I forgot to mention, I lead our threat research team, so I am in there doing research, writing reports and all that kind of stuff. So I do a quarterly roundup of all the phishing activity that we see, and let me just tell you, people love to phish Equinix employees. In any given quarter we will have received around 100,000 phishing emails. So it's great for research, because I get to see pretty much every phishing campaign that's out there; not so great for, you know, trying to secure your organization. Thankfully we have excellent controls in that area, but some of these examples here are literally things that we have seen. So the one login thing, credential harvesting, that is the number one phishing thing that we see. If you're not familiar, basically you'll get an email and it'll say you need to log in to view this document or do whatever, and you put in your credentials, and then they get scooped up by the threat actors for future use or sale, and then you don't even know that this has even happened. They're pretty good, and you can see that one there has the Equinix name, the Equinix logo; this could fool people, definitely.

The smishing one I have there, this is all actual stuff from my organization, was on WhatsApp, which is very common in Europe. People don't use it as much here, but everybody uses it in Europe, and so this happened to one of our European data centers, and the person that they're spoofing is an executive over there. So basically they're sending a message over WhatsApp to an employee saying, hey, I need you to do something really quickly, very important, you know, all the usual cues. Thankfully that one got nipped in the bud, but it actually went pretty far down the pike. This is a common thing too, and these are all excellent things to warn your people about: they're like, oh, this is super secret, we need to have kind of offline comms, so we're just going to talk by WhatsApp, and give me your personal email address so I can send you this file. And the unsuspecting finance person, in this case, kind of was going along with it until finally they're like, wait a minute, this is kind of fishy. But yeah, if you get them to use their personal email, now you are bypassing all the corporate security controls, and I'm pretty sure that was going to lead to a business email compromise, financial kind of thing, right? But it got caught, thankfully.

Deep fakes. I've not seen this in our environment yet, but I'm sure it's just a matter of time. This was a really interesting thing that happened fairly recently, where somebody in finance, and I think this was over in Europe also, but oh, China, that's right, Asia, not Europe, they were on a video call with what appeared to be their colleagues, and they were all deep fakes. So a note of caution: if you have any video of yourself out there, that can be used to generate deep fakes. I have lots of video of me out there, but I'm also not an executive, so if I got on a call with someone and was like, I need you to give me $25 million, they'd be like, who are you? But particularly for your executives, your VIP people in your organization.

And then the last one, quishing, sorry, I have to say it again. I have to say I don't get the trend of quishing, because basically somebody gets this email in their work email inbox, and this was targeting an Asian employee, because you can see it's in Chinese and whatnot. We do actually have... are you videotaping me right now? Okay, that's right. Yeah, so we do actually have data centers in China, which is another interesting dimension of our organization, but I will say that that is completely firewalled from the rest of the company. But anyway, in this one, the idea is that somebody will get this email with a QR code, and it's like, you need to scan this QR code to read whatever. I'm just trying to figure this out: so I'm sitting at my desk reading an email and they're like, okay, I need to, wait, let me get my phone and scan this. It just doesn't make any sense to me, but it works; this is so popular right now. So another thing to warn your users about: just don't scan QR codes. Unfortunately the pandemic made us really QR code happy, and we need to break that habit. Anyway, I'm going on and on too much.

Okay, and increased use of legitimate services. We all know this, right? Yes, Dropbox is used, and no big surprise there, but there are some other trends that I've been seeing just in our environment that are a little different. So Cloudflare's workers.dev: is anybody familiar with that? Yeah, a few people. I've got a little snippet there of what it looks like, but basically you can set up a server with basically, what, three lines of code, and then you have your own workers.dev site and you can put whatever you want on it. So we get hundreds of phishing emails with workers.dev, and it's tricky, right, because it's a legitimate site; you can't just say, oh, just block everything that's workers.dev. So in our environment we would do an assessment of how much legitimate traffic we have going to workers.dev versus malicious, and you have to kind of make an educated decision about whether you're going to block it or not. But I'm going to tell you, blocking domains for phishing control is whack-a-mole; it's really hard to manage that. You really need to have a good system that's going to do a little more deep inspection of emails.

IPFS, this is another one that is very trendy right now. IPFS, which, I'm not going to lie, I kind of love "the InterPlanetary File System"; I don't know who came up with that name, but it's fabulous. So there are a number of different organizations that run these IPFS networks, and it's basically a peer-to-peer sharing kind of network, but these are also used to deliver phishing content. So again, we see hundreds of these every week, so many of them, and again it's a legitimate domain that you can't just block. I have done the assessment on that one, and we do use it for legitimate purposes, or people are going to those sites for legitimate reasons.

Search engines. So the little snippet that I have at the bottom there is something we've been seeing quite a bit of lately, where the threat actor embeds their malicious link in what is basically a Bing query in this case, but I've also seen it with Google and whatnot. You click on this, you think it's just search results (which, why would you click on a link that's search results that you didn't search for? But people just are trusting and they don't know), so you click on that and it takes you right to the malicious site, and boom, you're going to get your malware or whatever. What else here? Oh, "great power, less responsibility." I had to snip that because that's literally on the Cloudflare workers.dev page, and I was like, oh, that's kind of perfect, that's exactly what we're talking about here.

And Calendly. This is something that I just read about for the first time recently. Does anybody use Calendly? Yeah, I mean I do too, for my students. Oh, I forgot to mention, I teach at University of Maryland too. But so with Calendly, basically it's a service where people can make appointments with you, and it's kind of hooked up to your calendar and whatever. But you can have your own service, so I have my Zoom set up with mine, but you can also just let the attendee pick the service that they want to use for the meeting. So people are using this basically and sending a link to the meeting, it's embedded in the meeting invitation, and it's just a link to a malicious site. The one example that I was reading about, it downloaded some malware, it was just a direct drop, and then they get an error message saying they can't join the meeting, so they're like, what's happening? But then that person has ghosted them, because they just wanted to infect them and not really actually meet with them as well. I think it would be more polite if they still had the meeting at least, but that's just me.

Okay, stolen credentials. Oh my gosh, so many stolen credentials out there. Who here has checked their email on Have I Been Pwned or any site like that? Okay, if you haven't, please do that, not right this second, but after, during Jeff's talk would be fine. So there are so many credentials out there. Your email address, I guarantee you, is on a list somewhere. So threat actors are collecting credentials, usernames, passwords, combinations of both, or just one or the other, and they use them. Well, first of all, they collect them by doing the credential harvesting like I was talking about before, but also with infostealers. So infostealers are a kind of malware that do exactly what the name implies: they are on your box and they are stealing data and sending it off to the C2 server, the command and control server. So very, very prevalent, and we see so much of this. Anyway, that's how they're collecting them for the most part, and then they're using them for credential stuffing attacks, so basically throwing a bunch of passwords and usernames at a site or server or remote access point or something, just trying to get in, and if you have enough credentials, chances are you're going to get in at some point, right? And this is how a lot of intrusions happen. I didn't even get into initial access vectors in this talk, but they're pretty consistent: it's compromised credentials somehow, exploitation of an external-facing service with some vulnerability in it, or phishing. So yeah, those are your top three over and over again, so I guess that's why I didn't talk about them, because they haven't changed too much.

A case study of this was the Okta breach, and in this case the Okta employee had their credentials out there on the marketplace, and people buy and sell these all the time. Like the thing that I have there, Have I Been Pwned at 71 million emails from the Naz.API list, that's crazy, 71 million emails. And Troy Hunt from Have I Been Pwned spot-checked them, because a lot of the time these big lists come out and everybody's like, oh my God, 71 million, but it turns out it's just a conglomeration of a bunch of lists that were already out there. But these were fresh, new ones, so it's huge. So anyway, the Okta breach, this happened with them, right: somebody got credentials and got in. I have a little snippet there, which is going to be super hard to see because it's small, but it's a tool that we use to keep track of popped equinix.com emails, and if we identify an employee who's on one of these lists, it's an instant password reset. That's the best way we can manage that sort of thing. But I, just for grins and giggles, put Okta in there as a wildcard search, and yep, Lumma Stealer, there's an Okta address. So it's really a good thing to be mindful of in your environment, and even if you're just using Have I Been Pwned or something, it's better than nothing.

Okay, all right, shorter timing increases pressure. Speaking of timing, let me just look... oh okay. This is like three different things; I was originally going to have three slides, but I'm like, yeah, it all comes down to timing. So first of all, who's aware of the relatively new SEC rules about disclosures? Okay, a few people. So for those of you who aren't aware of it, how long... well, let me just say this first: if you have a breach and you're a publicly traded company, you are required to report that to the Securities and Exchange Commission. How long do you think you have to report that? Just throw out an answer. Well, that's what it is now; I was going to have people guess, but yes, it is four days, you're absolutely right. I was hoping somebody was going to say like a month, a year, whatever; no, it's four days. Four days is an incredibly short... no, I feel bad, no, you're all good, you're awesome, I love that you know that. So yeah, four days is an incredibly short time to realize that you've had some sort of incident, figure out at least what happened in the incident, and then report it to the SEC. So that is putting a lot of pressure on companies to be able to maneuver really fast.

Another thing that the timing has really changed on is the go-to-market for vulnerability exploits. I have a note there from Bitdefender, a paper that they did, and they're talking about how it's like a 24-hour turnaround time now. So from the time that a vulnerability is announced to the time that somebody has dreamed up an exploit for that vulnerability, it's super, super fast. So what does this mean to you as a defender? You need to, first of all, make sure that if you have exposure to whatever that vulnerability is, you're remediating it, taking care of it, right away. And people struggle with this, because half the time they don't even know these vulnerabilities exist unless it's something that really hits the news, like Ivanti, Fortinet; these are ones that get a lot of press, but there's plenty of other ones that don't get that kind of attention.

And then the other thing is the dwell times. Dwell time is basically how long a threat actor is in your environment, and it used to be a long time. That time has shortened significantly in some cases. According to Secureworks, who I used to work for, they do good research, they found a 24-hour turnaround from the time that the threat actor gets in the environment till they do whatever it is that they're going to do, a lot of times ransomware, or some kind of data exfil. That's so hard for people to detect and do something about in that short amount of time. It's crazy. And I don't know about Bitdefender, but Secureworks, I can tell you, they have a very robust incident response practice, so they're getting all their intel from incident response engagements that they've worked on. So okay, I hope I'm not totally depressing everybody. It's not all doom and gloom; we can win the battle, or at least something, I don't know.

Okay, multiplatform malware. This is another kind of trendy thing. I think threat actors are probably like, oh, we're so cool, we're going to write some malware in Rust today. But this is a thing: Rust is becoming very common, Go, D (I didn't even know there was a D until I read about malware written in it, but I'm not a coding kind of person). So I just pulled out a few examples and looked up the hashes in VirusTotal, and the detections are just not there; for just a regular executable you're going to see much higher detections. If you're not familiar with VirusTotal, it's fabulous, it's free. I'm spoiled with an enterprise version with all the bells and whistles, but anybody can use the free version. So yeah, this is another thing, and it makes the malware multiplatform, right, so that's huge. So let me ask a quick question, and you can answer it if you want to: can Macs get malware? Yes, they absolutely can, of course. And Linux, of course, yes. And people are like, oh well, my computer is not a Linux computer, but guess what, probably all your servers in your environment are Linux, so it's very prevalent. This is something to be mindful of too.

Okay, how am I doing on time? All right, I'm going to speed through this. Malvertising, fake browser updates, all the good things. SEO poisoning, this is also very up-and-coming and used a lot by threat actors. Threat actors, first of all, I feel like they used to be lean and scrappy, but now they're just making fat stacks and they can afford to pay for Google ads or whatever, and so we are seeing this; they are leveraging paid tools to do their badness. Fake browser updates are huge. SocGholish is traditionally delivered that way, but the one I have there delivers Lumma Stealer, which is an information stealer, and that's totally out of our environment as well; that was a phishing email that led to that. So very realistic looking. Again, this is an awesome user education point. Thank you, somebody gave me a time card, that's good.

Okay, speeding through this one. More intense DDoS attacks. I feel like denial of service attacks used to be more of a nuisance thing; now they will definitely make your stuff fall down. Like 398 million requests per second is the one that happened with Google last October, and I don't know that there's been a bigger one since then, but that's huge. So you can definitely employ some defenses around that to protect your environment, web application firewalls, that sort of thing, but just something to be mindful of. And I can't even read what this says without my glasses... oh yeah. So what you see there is, last year Anonymous Sudan decided they're going to start popping a lot of companies, and I don't know why, but they're like, the first one we're going to do is Equinix, and so we're all like, okay, bring it. The reason we even were aware of that is because we trawl all these different forums and marketplaces looking for mentions of our organization, and it's not that hard to do, and you can get a lot of bang for your buck that way. We want to know when threat actors are talking about us. The other snippet is where they're talking about how they're using Equinix infrastructure to do bad things, so this is like know your customer, right? Are we selling our servers to threat actors? Hopefully not, but apparently they are looking at us for it.

Okay, anyway, supply chain attacks. You probably all are pretty familiar with that, but this is an increasing area, and one of the huge things with this is the software supply chain. There are so many malicious packages out there, and repos, and when people are doing their coding things they're just pulling from libraries and whatever. There is malware being put in libraries and packages all the time now, so you build your lovely application and it comes with malware built in, like a little extra bonus that you didn't expect. So something to be mindful of also, and there are tools to look for that kind of thing.

Okay, so this is the part where I give you some lessons on how you can help yourself, which I have like two minutes to do. But anyway: know your assets. If nothing else, you have to know what assets you have in your environment, right? If you don't know what your assets are, then how do you protect them? It's like, I don't even know who lives in my house, but I feel like I should feed them or something. You have to know that; that's hands down, I think, one of the most important things. Consuming relevant threat intelligence: you do, unfortunately, kind of need to stay on top of these things, and if you have a threat intel team that works for you, that's awesome, but many of us do not have that luxury, so you kind of have to do it yourself. Getting into trust groups, getting on email lists for CISA, things like that, are ways that you can increase your information flow. Educating your users, again, hands down, this is such an important thing. All the things that I've talked about, not all of them, but a lot of them, come down to users. I used to be a user; well, technically I am still a user, but I'm more savvy than I used to be. But don't bash your users, please. They're just trying to do their jobs; they're not dialed into all this stuff. So having an environment that's safe for them to be able to report things is so important, because if they're terrified to tell you that they clicked on something, that's not good for your environment. Lessons learned from other incidents. Leveraging frameworks, and by that I mean the MITRE ATT&CK framework, for example, is a really great one for mapping out threat actor tactics, techniques and procedures, TTPs. Continuously monitoring attack surfaces: anything that you have that is internet facing, you should be looking all the time to see what ports and services are open; you can use Shodan for free to do that. Identifying gaps and having an incident response plan.

So that would leave me with my last slide. Lessons learned, this is a huge thing that we do at Equinix, and our CISO drives it, right? Whenever there's a significant breach, he wants to know about it, so we put together these kill chains, because I'm now also a pro at Canva, but we put together graphics for them. I know, Canva's great, I love it. We put together graphics, and the part that you don't see there, the bottom half, is our controls and where we see potential gaps based on what happened in that incident. The MITRE ATT&CK mapping, I already said that, but that's really important; that comes down to security controls, and just knowing what kind of stuff is happening more prevalently in your environment is huge. So this report that we wrote, my whole team wrote it because it was massive, we did an analysis of what we called common attack vectors, which is that laundry list of things there, and some of them are more common than others of course, but things that we thought were potentially impactful for our environment, and we did one of these kill chains and MITRE ATT&CK mapping for every single one of them, and looked at potential impact. So that report now is being used to inform our tabletop exercises that we do, basically you're pulling stuff out of that; it's being used by our risk team to figure out the materiality thing for the SEC stuff. So it's really useful if you can take the time to do that kind of analysis in your environment. And that is it, so [Applause]

Thank you very much for coming. I'll be around all day, if you want to come and talk to me, feel free, ask me questions, whatever. And I think, are they breaking the room in half now? Okay, so I think they have to split the room in two, so you probably have a chance to go to the restroom. I don't know, I know you're next; somebody else is also next.
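As an added example, not the speaker's tool and not Equinix code, here is the stolen-credentials check the talk describes: match a leaked-credential feed (stealer logs and breach compilations) against a corporate email domain, run a wildcard search like the "okta" one, and queue a forced password reset for every exposed employee. The feed layout, the domain example-corp.com and every record are constructed for this example; stealer-log hits that captured a login to the corporate domain are treated as urgent, which is an assumption about triage, not something the talk states.

```python
"""Leaked-credential monitoring: domain match, wildcard search, reset queue."""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass

# Constructed sample of a normalised leak feed: source|email|origin URL.
# Stealer-log records carry the URL the credential was captured for;
# breach compilations (combo lists) have no origin.
SAMPLE_FEED = """\
lumma_stealer|jdoe@example-corp.com|https://sso.example-corp.com/login
naz_api_combo|mary@example-corp.com|
lumma_stealer|someone@okta-tenant.example|https://login.okta.example/
naz_api_combo|random@gmail.com|
redline_stealer|JDoe@Example-Corp.com|https://mail.example-corp.com/owa
"""


@dataclass(frozen=True)
class LeakRecord:
    source: str
    email: str
    origin: str


def parse_feed(text: str) -> list[LeakRecord]:
    """Parse the pipe-separated feed; skip blank or malformed lines."""
    records: list[LeakRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        source, email, origin = (p.strip() for p in parts)
        # Addresses are case-insensitive; lowercase so duplicates collapse.
        records.append(LeakRecord(source, email.lower(), origin))
    return records


def exposed_employees(records: list[LeakRecord], corp_domain: str) -> dict[str, set[str]]:
    """Map each corporate address in the feed to the set of sources it appeared in."""
    suffix = "@" + corp_domain.lower()
    hits: dict[str, set[str]] = {}
    for r in records:
        if r.email.endswith(suffix):
            hits.setdefault(r.email, set()).add(r.source)
    return hits


def wildcard_search(records: list[LeakRecord], pattern: str) -> list[LeakRecord]:
    """Case-insensitive glob over email and origin, e.g. '*okta*'."""
    pat = pattern.lower()
    return [
        r for r in records
        if fnmatch.fnmatchcase(r.email, pat) or fnmatch.fnmatchcase(r.origin.lower(), pat)
    ]


def reset_queue(records: list[LeakRecord], corp_domain: str) -> list[tuple[str, str]]:
    """One (priority, email) reset action per exposed employee.

    A stealer-log record whose origin is a corporate login page means the
    password was typed into a real company service on an infected host, so
    it is queued as 'urgent'; everything else is 'standard'.
    """
    domain = corp_domain.lower()
    urgent = {
        r.email for r in records
        if r.email.endswith("@" + domain) and r.origin and domain in r.origin.lower()
    }
    return [
        ("urgent" if email in urgent else "standard", email)
        for email in sorted(exposed_employees(records, corp_domain))
    ]


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for priority, email in reset_queue(feed, "example-corp.com"):
        print(f"force_password_reset [{priority}] {email}")
    for r in wildcard_search(feed, "*okta*"):
        print(f"wildcard hit: {r.source} {r.email} {r.origin}")
```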