Keynote Speech - John Shier

BSides Cymru Wales · 29:39 · 31 views · Published 2023-04
Style: Keynote

Transcript [en]

Right, it looks like it's all working. Good stuff. So good morning Cardiff, welcome to BSides Cymru, and as Craig said, I had the honor and the pleasure to open the very first one, and so I've got the honor and pleasure to be here again as a keynote speaker. Before I begin I do want to also share my thanks to Craig and Tom and the team for having me back, obviously the sponsors for helping put on this event, because without them we can't do this, and really thanks to all of you guys for being here today, because obviously we do this for you, but if you're not here I've got nobody to speak to; I'm just going to stay in my hotel room and talk to the wall.

While I was ruminating on what I wanted to talk about, I had all these creative crises going. I always want to do a real cool hackery demo kind of thing, and I was like, well, I should probably leave that to the experts, the people that are going to be giving all the great talks today in all the tracks. I started thinking about what a keynote is, and really it's a speech that sets the tone and the theme for a conference, and since there isn't really an official theme for this conference, I thought I'd propose one. The tone and the theme I want to go with is something about adaptation and readiness.

In biology, adaptation refers to a few related things: the evolutionary process of natural selection that fits an organism to its environment, the state reached by that population during that process, and it encompasses things like the functional traits that are maintained by and continue to evolve through natural selection. One of the most famous examples of adaptation is that of Darwin's finches, which he used when he presented to the Zoological Society of London in 1837.

Now, cyber criminals have been adapting and evolving in response to our activities since day one, and it's that adaptation that's fueled this game of cat and mouse that many of us are unfortunately very familiar with. The infosec grey beards, myself included, that are all in this room know all too well what I'm talking about, and those of you who are just starting out in security, don't worry, you'll get your turn; you'll see what I'm talking about. Now, where the analogy breaks down is that adaptation in natural selection happens over millennia; it's a slow process. But with cyber criminals it operates on much tighter and much smaller time scales, and the adaptation that does occur is not always uniform: sometimes it's practical and sometimes it's technical.

In the world of spam and phishing alone there are plenty of examples that point to cyber criminal adaptation, many of which are indeed practical. We've known for a long time that crime groups will repurpose their infrastructure to reflect whatever's happening in the world. Early on in the pandemic we started seeing all sorts of spam from cyber criminals using all different types of lures, and what's interesting about this one is, if you look at the plain text versus the HTML version, this is just a bog standard delivery spam that we see all the time, but for the pandemic they decided they were going to change the HTML to be COVID themed, whereas they just didn't bother to change the text template that was underneath it all.

We continue to see things like this, and unfortunately, true to form, less than 24 hours after the devastating earthquake that struck Turkey and Syria we started seeing spam impersonating legitimate relief organizations. In this case they're impersonating a relief organization called GlobalGiving, but if you actually click on the Donate Now button, the link goes to a scam site, give2turkey.org, as opposed to the globalgiving.org domain. That scam domain was registered on the seventh, so a day after the earthquake hit, it got registered on Namecheap, and we know it's fake because the real one is hosted on AWS and this one is not, and of course it's protected by Cloudflare.

Now, trigger warning, I'm going to get to the obligatory ChatGPT portion of the talk. It's 2023, right, you've got to do it. This is a real sample from our spam traps, and if you look at it, it's kind of clumsy; it's not really that great. But we thought it'd be interesting to see what ChatGPT would do with something like this, so we asked it to write a version of something like this for us, and this is what it came up with. It's pretty good if you ask me. We asked it to do a couple of different things, like changing our bank or direct deposit info in a letter to HR. But there are two factors that make this dangerous. The first is that up until now it really wasn't practical to get computers to craft these lures in a convincing way, and now the technology is not only available to do this but it's really easily accessible. The second is that the primary way that we've trained and instructed our users to not fall for things like this is to look for things like spelling and grammar mistakes. Well, that's gone now, and so the user training needs to shift. We need to adapt to a new world where you can't watch for spelling mistakes anymore; they just won't be there, the grammar will be correct, the language will be colloquial, and it will be very convincing. So we need to switch our messaging to a more risk-based approach to verification about who it is that you're communicating with. Are you being asked to do something with financial data, or with a password, or with sensitive data? If you are, then maybe you need to pick up the phone and confirm who it is you're communicating with.

I know there's been a lot of news about ChatGPT and how it's wrong most of the time, or at least a lot of the time, and I don't think that's really productive. I don't want to overstate the harm of things like ChatGPT and all these other large language models, and we're seeing it in other aspects as well, like audio and video, but let's also not underestimate its utility to cyber criminals in the way they're going to adapt and use these tools for nefarious means.

Now, if we look at some of the technical changes that the cyber criminals have orchestrated over the years, one really salient example for me is over

last year, when we saw some interesting things. When Mark of the Web started being adopted more widely, and when we stopped running macros by default in Office documents on Windows, cyber criminals were trying to figure out, okay, well, how can we still get our payloads in there? So there were all sorts of things that were tried. There were some Mark of the Web bypasses that came out and then they got patched, and so it was back to this cat and mouse thing, and this was just a way to try to still run macros on these platforms. The one really interesting thing that we noticed was this shift towards lesser known types of extensions, and you started getting this sort of nesting doll approach to smuggling payloads onto operating systems as a security bypass: you'd have a PowerShell script that was inside an LNK file that was inside a ZIP file that was inside an ISO. That was really just to try to get those payloads on there, and the response to that, in November of this past year, was that Microsoft did actually start propagating some of these Mark of the Web artifacts into disk images, and so the cycle starts all over again. But you can see that even in response to things that were fairly new, the cyber criminals adapted and responded fairly quickly.

Looking at one topic alone, like ransomware, we can see that there's a shift over the years. In the beginning we had, well, let's forget about the original 1989 AIDS Trojan, which was the progenitor of ransomware of all kinds, but if we look at the modern landscape, we had fake AV. Generally you would have a pop-up on your machine that would say you are infected with a Trojan horse, and all of these legitimate engines didn't detect it but we did, and so if you want to clean your computer then just click this button. In fact, if you wanted to clean your computer, there was nothing on there; it was just programmatic, they said you were infected, but you had to pay them 79.99 or whatever local currency and amount was displayed to you, and you could actually use Visa and American Express and MasterCard to pay for this transaction. The security industry responded to this by talking to the payment processors and saying, we know these are scams, there's nothing behind this stuff, you need to stop processing these payments. And that's what happened: the payment processors eventually stopped doing it. Visa was the last one to get on board, but eventually they all did it, and the cyber criminals had to respond and adapt.

The next thing they did was the police viruses, or the police lockers. Again, what these were was a pop-up; sometimes it would just lock up your session and say that you'd done something illegal, and it was usually around you having pornography on your laptop or your machine, or you had downloaded illegal videos and movies and songs, and honestly, who hasn't done that in this room, right? Because that was the case, and because they always branded it with local police agencies, the country you were in would determine what banner you got at the very top, so in this case there's the UK Metropolitan Police, and there's one for every police service around the world. They'd say you would have to pay a fine, and interestingly it ranged in the three to five hundred dollar range, which was kind of where we got to with ransomware as well, but you'd pay in this case with prepaid cards, so cash, Green Dot MoneyPak and all sorts of other cards. Again, as a security industry we said, we need to respond to this, we need to figure out how to stop this stuff, because it's costing a lot of money to victims. So we worked with these prepaid card merchants and said, let's start shutting this stuff down as much as possible, to the point where they even started printing a warning on the back: when you go to Tesco's and you buy one of these, it's usually in a cardboard sleeve, and on the back of it it said, beware of these types of scams; if you're buying this because you've been instructed to buy it online, you might want to think twice about that. And so we cut off the revenue stream again.

But this was around, I would say, 2011 or 2012, and there was a little thing called Bitcoin that had just recently been invented, and the criminals thought, hmm, that could be useful. And so the modern grandfather, if you will, or father of crypto ransomware was born in the form of CryptoLocker. As a matter of fact, this September will mark the 10th anniversary of when this came out, in September of 2013. Even within ransomware itself we see a constant adaptation and response to, and a readiness to shift with, the changing landscape. Ransomware in this style was generally a very closed off operation, where you'd have maybe one or a group of people that were doing everything, and then, fast forward to today, we've got this ransomware as a service model. When ransomware as a service started, and when ransomware itself started, it was very much all about the encryption, but as we shift through time we see that we get things like double encryption: they steal the data and they leak it as well, and you get DDoS attacks, all sorts of little goodies that are bundled in with the extortion. It's not just the encryption anymore, because part of it is that we've gotten better at stopping this encryption with a lot of the tools that we have today. Then this sort of automatic, programmatic kind of attack on victims switched to a more hands-on approach, and those of you who are in the trenches fighting this kind of stuff know what I'm talking about: these guys will actually be in your networks, touching all of your servers and doing all that havoc. Also, the switch from physical machines to virtual machines has prompted a lot of the more prominent groups today, and I'm seeing this with a lot of them advertising, we go after Windows, Linux and ESXi. So a lot of them now are crafting specific payloads to go after ESXi servers, because that's where all

our data is now: it's all in virtual machines in these big data centers. And ESXiArgs, that vulnerability that popped last weekend, I think it was, has really shown that they will use any and every opportunity they can to get into our networks.

Then on a less technical side we've got things like authentication. In the beginning it was all about just stealing your password: you got the password and you went. Then we started adding things like two-factor authentication, with maybe some SMS and maybe some TOTP tokens, and so they got clever; they figured out how to steal those as well, in addition to the passwords, and then use those to log into the services. So then we went to stronger multi-factor authentication with things like push-based authentication, but then they were like, okay, well, we know how to beat this, we'll just send you a hundred of these at three o'clock in the morning and see how you respond, and most people will just go, fine, you just want it to stop. We've seen Lapsus$ was one of the groups that used this to great effect to breach a bunch of companies in the last couple of years, and so now we've evolved and adapted and switched to verified push, which is seemingly, at this point, a very strong way of doing authentication. But the cyber criminals are constantly looking for those little ways that they can adapt their methods to circumvent our defenses.

Every year I do an analysis of all the incident response investigations that we do throughout a calendar year, and the goal is to understand what the cyber criminals are doing so that it can then inform our defense. The reality, though, is that many of the tools and techniques remain the same year on year, and yet year on year organizations are still falling victim to the same old tricks. Now some say, there are so many tools and techniques, what am I supposed to do about it? As a matter of fact, in my last report it was over 300 tools that were used by cyber criminals and over 200 techniques, so it's a big number. But there are some things you can do that will have outsized effects on your security posture, like blocking applications, tightening up your outbound firewall rules, monitoring everything and looking at the logs, and then just hardening identity to the point where you're doing things like verified push. These four things alone can really dramatically improve the resilience against attack, but it also shows an adaptation and a readiness to respond.

But don't take my word for it. Cyber criminals have been ready to adapt to whatever impediments we've thrown their way, and it's time we turn the tables and see what we can learn from them. BlackCat is one of these groups that has always been sort of on the podium, if you will, in the last couple of years. They're never usually at the top, so LockBit is sort of the de facto leader these days, but they've always been second or third, sort of hiding in the mess of what is ransomware today. If you look at some of the ways that they go about their business, some of the tools that they use, some of the techniques that they use, you see some very familiar things, and it's very consistent across a lot of these groups; they typically all do the same thing. So it should be easy for us to adapt and respond to this, yet a lot of people are still falling victim to things like BlackCat and ransomware in general.

We had one investigation specifically where, unfortunately, the victim's circumstances dictated that they had to pay, and because of that they got their decryption key, but they also got a pen test report from the affiliate. So I'm thinking, well, let's have a look at this, because it describes exactly what it is they did, the steps they took, the tools they used and the techniques, and so maybe we can learn something from this, because clearly I've been up here for years telling you guys to start patching your stuff and harden your identity, but you're not listening to me, so let's listen to them. This loosely goes along the MITRE ATT&CK framework of attack phases, from initial access all the way out to impact, and you can see it says here: you had a critical Log4j vulnerability; you were not a target, it's just bulk scanning. So if there are things that you can learn from this, it's: what opportunities do you have to make sure that you don't end up on one of their lists? Because most victims aren't targeted; they are opportunistically gathered and then triaged. Some are, but for the most part they aren't. And what I call the earliest IoC here, the very first sign of attack we saw with these guys, was 38 days before the attack even started.

Then, after they infiltrated the network, it wasn't hard to find your administrators, and then we just put back doors everywhere, so some persistence there: Cobalt Strike, Brute Ratel, Atera RMM, Splashtop, AnyDesk, five different tools they used for this kind of persistence. This is where Ryan said blocking applications, right? Great opportunity: if you use AnyDesk, fine, but you don't need to have Splashtop and Atera on there as well if you're using a tool like AnyDesk for remote access. As far as defense evasion goes, we went for the backup servers, but then we also went for all sorts of other stuff as well. So they give a little bit of advice throughout this stuff, and actually at the bottom of that site there's a whole general recommendation section, which we won't go through. But yeah, they went through the backups, and for doing that they used a tool called PDQ Inventory, and it's very prominent in the set of tools that the criminals use, but they were basically going and finding everything they could and using it to their advantage. When it comes to credential access, it's clear that having a database of passwords for all your services stored locally is a bad idea. Ask Uber how they feel about that, because they fell victim to this exact same technique. But it also speaks a little bit to the fact that you do have time, so it's not all doom

and gloom; it's not that this stuff's going to happen in 30 seconds, or was it Gone in 60 Seconds, right? They took a few days to actually verify everything, make sure that it's all working, make sure that they're going to accomplish what they need to accomplish, and so you do have time, and there are these signposts along the way. Now, I could have cropped this before, but I had to include this; this is literally right below it: it says, we have to say Sophos is a good AV. But the real point here is that no one monitors the logs, at least they don't do so on weekends. It's so important today that you are constantly on top of it, because they will operate on the weekend when you're not watching. They're watching you, they know your pattern of activity, and they will operate on the weekends so that you are not noticing their activities. So it's really, really important, if you don't have the capability to do that yourself, that you go and find that capability from somewhere else.

So once inside, you know, your Horizon VM, we dumped credentials, got some domain admins, cracked the hashes and moved laterally. RDP is by far the most used tool for lateral movement, as well as things like PsExec, and what's really good is that we as a community have gotten a lot better at making sure that RDP isn't exposed to the internet. I'm not seeing as much out there as there was perhaps at the beginning of the pandemic, or even before the pandemic, but internally it's used almost 100% of the time, and for BlackCat specifically it's used 100% of the time; they love using RDP. So if there's a way to monitor your traffic to understand, should this host be talking to that host, then that's a signal that you can act on, and you can adapt your security posture to reflect changes that will prevent that from happening.

Then finally, from an exfiltration point of view, so while the attack plan was being drafted, again a little bit of time, and there's always time: the median dwell time for ransomware is 11 days, so from when the attack actually starts to when it gets detected is 11 days, at least for this year's data set. But there's also another one that I looked at, which was from when they start dumping the exfiltration tools onto the network to when the ransomware launched, and that's 1.8 days. So even then you still have some time if you can detect one of these tools, and 7-Zip and WinRAR were very much used in this attack and are used extensively. All these multi-part archives are really easy to do with those tools, and so they can trickle out your data, and this is why I mentioned outbound firewall rules: if you're not watching the outbound traffic then you might miss that big spike of terabytes of data that just went out the front door while you were sleeping.

It doesn't take much for water to do damage; a small crack will do. And cyber criminals are equally opportunistic, and they will exploit anything they can. Now, there's an old saying in infosec, which is: the criminals only need to be right once and the defenders need to be right all the time. But I really think that's a bit outdated, because in reality, when cyber security is done right, the cyber criminals have to be right every time and we only need to detect them once. And so as we put in these layers, as we do this monitoring, as we use the tools at our disposal and the humans that help us do all of this, then we can detect them and we can evict them and hopefully limit the damage to an intrusion, versus them stealing all your data.

Just like a good phishing email has a strong call to action, I'm going to take a page from the cyber criminals and I'm going to propose one for you as well. As you're listening to all the talks today, think about what they're trying to tell you, and to all the presenters, as you're delivering your message, if it's relevant to your talk, try to convey and help your audience understand why you're telling your story, why it's important, and perhaps what can be done about this particular problem. Because adaptation is about change in response to your environment, and readiness is about being open and receptive to that change, and not all change has to be technical: it could be a new process, there could be a new policy. So as you're listening to the talks, think about how you can effect change when you go back to work on Monday morning, and if you're a student, or you're not currently employed, or you're just interested in cyber security and that's why you're here, think about things that you can do in your own life that can institute change and maybe make you less of an opportunistic target. Since the threat landscape is dynamic, the defense against the onslaught of cyber criminal activity takes a dynamic approach, and so we have to be ready; responding to this dynamic environment means you need to be ready to respond. So in closing, in the immortal words of the late, great Godfather of Soul, may he rest in peace: if you stay ready, you ain't got to get ready. So stay ready and stay secure. Thank you.

[Applause]

So I was supposed to do 30 minutes and I only did 24, so I wasn't going to take questions, but if there are any questions I'd be happy to take them.

You can shout and then I will repeat the question.

So the question is, do we look at the dwell time and then try to make inferences about things like IABs, initial access brokers, and when the initial access happened, to when they were sold, to when the actual attack happened. It's tough to do that. In the data set that I have access to it's sometimes possible, and my inference is, when you see a long dwell time in a company, that's usually because that inventory sat on the shelf for a while and then eventually they got popped. I also looked, so you might have seen earliest IoC as well, that was something that I kept when I look at all the IoCs. I look at massive spreadsheets with lots of lines of logs in them, and I'll see, okay, well, we know that the attack that occurred is related to this incident here, but then there's also stuff above that in the spreadsheet. So the earliest IoC for me is going back and looking and seeing what else was on the network before this whole mess started, and so there are some correlations there. But directly to answer your question, sometimes we can tell, because you'll see that, okay, well, there was a Log4j one, or actually, more relevant to that data set, ProxyLogon and ProxyShell specifically: on August 18th, when the POC got released, boom, victims right away that day, and so that was IAB activity, no doubt. And then a little bit later on we saw other activities, so we saw a log on to a server, and so that's kind of that delta, and I guess I could add that delta to the data set, but it's not always there, so that's why I don't call it out specifically. Does that answer your question? Okay, great. I think he had his hand up first. No worries.

Right.

Because one of the reasons is they call themselves post-paid pen testers, and if you go to the LockBit blog they actually say that in writing. They literally think they're helping people; they literally think they're doing a service by breaching a company, causing all sorts of havoc, stealing their data, collecting the money afterwards, and then, well, why not, you've already paid us so we might as well give you something for your troubles beyond just the decryption key. But literally for some of them it's just that simple: they think they're doing a public service, and that's part of their service.

Well, so in my latest data set, 47% of the root causes were due to exploiting a vulnerability, and most of them, well, we had a bit of a bad year, so that data set was for the year when ProxyShell, ProxyLogon, all those things came out, and Log4j at the end of the year, so we kind of had a bad year for that and they were just jumping on it. Email and exposed remote services are still very, very much used, but as far as vulnerabilities go it does run the gamut, and in non-explosive zero-day years we are seeing, as with ESXiArgs, that's a two-year-old vulnerability, they will use that to their advantage. So it is kind of a mixed bag when it comes to that.

So, with regards to spear-phishing attacks, does DMARC provide protection? DMARC and SPF can do some things to protect your domain, but at the end of the day these guys will get SPF records; they will, what's that, yeah, so the really good cyber criminals, and I mean Team Cymru can probably speak to this, will set up infrastructure where they've got all the certificates; I mean, they just go and they steal signing certificates for drivers these days, we're seeing this so much more these days. The well-resourced teams, of which many of these ransomware crews are well resourced because of the money they're making, set up infrastructure that is pretty bulletproof sometimes, and so they will use all the technologies that we try to use for good; they use them for their purposes as well, for opsec, for all sorts of things. But a lot of times, yeah, they'll just use the same technology we do.

So I think that's my time, so again, thank you very much, enjoy the talks. Unfortunately I've got to go back to Canada today, so I'm going to leave, but it was great seeing you all. Thank you.

[Applause]
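Two of the defensive signals the keynote describes in the BlackCat walkthrough, internal RDP between hosts that have never talked to each other and a large egress spike from multi-part archives leaving through the firewall, as an added example written for this page rather than code from the talk or from Sophos. It runs over constructed flow records (timestamp, source, destination, destination port, bytes); the 10/8 "internal" range, the seven-day learning window and the 10x spike factor are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

INTERNAL_PREFIX = "10."   # assumption: 10/8 is the inside of the network
RDP_PORT = 3389


def parse_flows(lines):
    """Parse 'ts,src,dst,dst_port,bytes' records (comments/blank lines skipped)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def rdp_pair_baseline(flows, until):
    """(src, dst) pairs seen on 3389 before the cut-off: the host-to-host RDP
    relationships we treat as expected ('should this host talk to that host')."""
    return {(f["src"], f["dst"]) for f in flows
            if f["port"] == RDP_PORT and f["ts"] < until}


def new_rdp_pairs(flows, baseline, since):
    """RDP flows after the cut-off between hosts that never RDP'd before."""
    seen, hits = set(), []
    for f in sorted(flows, key=lambda f: f["ts"]):
        pair = (f["src"], f["dst"])
        if (f["port"] == RDP_PORT and f["ts"] >= since
                and pair not in baseline and pair not in seen):
            seen.add(pair)
            hits.append((f["ts"].date(), pair))
    return hits


def daily_egress(flows):
    """Bytes per day leaving the internal range (src inside, dst outside)."""
    totals = defaultdict(int)
    for f in flows:
        if f["src"].startswith(INTERNAL_PREFIX) and not f["dst"].startswith(INTERNAL_PREFIX):
            totals[f["ts"].date()] += f["bytes"]
    return dict(totals)


def egress_spikes(daily, until, factor=10):
    """Days on/after the cut-off whose egress exceeds factor x the median of the
    learning window; archives trickled out in bulk show up exactly like this."""
    base = [v for d, v in daily.items() if d < until]
    if not base:
        return []
    threshold = factor * median(base)
    return sorted((d, v) for d, v in daily.items() if d >= until and v > threshold)


def build_sample_flows():
    """Constructed sample data (not real logs): seven quiet days, then a
    simulated intrusion on days 8 and 9."""
    lines = []
    for day in range(1, 8):
        d = f"2023-03-{day:02d}"
        lines += [f"{d}T09:00:00,10.0.1.10,10.0.2.20,3389,120000",    # admin jump host RDP
                  f"{d}T10:00:00,10.0.1.10,203.0.113.5,443,4000000",  # routine web traffic
                  f"{d}T11:00:00,10.0.3.30,203.0.113.9,443,2000000"]
    lines += ["2023-03-08T02:10:00,10.0.2.20,10.0.2.40,3389,300000",  # server RDPs at 2am
              "2023-03-08T02:30:00,10.0.2.20,10.0.2.41,3389,300000",
              "2023-03-09T03:00:00,10.0.2.40,198.51.100.7,443,50000000000",  # 50 GB out
              "2023-03-09T10:00:00,10.0.1.10,203.0.113.5,443,4000000"]
    return lines


def run_detections(lines, cutoff=datetime(2023, 3, 8)):
    """Learn from flows before `cutoff`, alert on flows from `cutoff` onward."""
    flows = parse_flows(lines)
    baseline = rdp_pair_baseline(flows, cutoff)
    return {"new_rdp": new_rdp_pairs(flows, baseline, cutoff),
            "spikes": egress_spikes(daily_egress(flows), cutoff.date())}


if __name__ == "__main__":
    for key, hits in run_detections(build_sample_flows()).items():
        print(key, hits)
```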