John Helt - The Many Faces of Emotet: Annoyance or Threat?

BSides Knoxville · 48:06 · 43 views · Published 2019-06
About this talk
Recorded at Knoxville's 5th annual BSides on May 3rd, 2019. Emotet has been around for several years. For some it is considered "commodity" malware, while for others it is a real threat to their financial accounts or even their enterprise. Meanwhile it continues to evolve and present new and different threats. My interest in Emotet as a threat sparked this year as I continued to see variants of it slip past security controls with mixed success and a wide variety of payloads. In this talk we will explore the origins of Emotet and how it has evolved. We will explore the TTPs associated with it and the motivations of those behind it. We will discuss various methods of defense against this attack and responses for systems that have been compromised. Finally, we will speculate about the types of future attacks we might see from and related to Emotet.
Transcript (en)

I tried to pick something obscure that he'd have a hard time finding, and he found it. I'm impressed. So, all right, well, welcome. Thank you. I didn't get as much of a turnout as Joe; I hope that my topic is at least as interesting as his. But welcome. There we go, yeah, everybody's in the comfortable seats. All right. Emotet: is it an annoyance or is it a threat? How many of you have experienced Emotet in your environments, or have just heard about it, or have no idea what it is? All right, so good, we've got a wide range. Excellent.

A little bit about me. I'm not an expert, right? I love to be at conferences like this where I can be surrounded by people who are way smarter than me, so I can just absorb and glean. So I'm hoping that I can share something that's of interest to you, and if not, there will be other people here that can. But I may be able to answer your questions, I may point you in another direction; I have a lot of resources that I depended on for this. What I am is, I consider myself an experienced curmudgeon. I've been playing around with computers since, well, my first computer was a TI-99/4A with 16K of RAM, so that may give you a little bit of perspective. But again, I love to learn new things, to play with things, and to go from there. I did work as an engineer with HP for about 10 years, a field engineer travelling around East Tennessee, Southwest Virginia and Southeast Kentucky fixing stuff, whether it was networks, whether it was PCs, whether it was HP 9000s and HP 3000s, so a lot of experience there. I did a little bit of pre-sales technical consulting and mission critical systems engineering for them back at the time of the dot-com boom. Later I transitioned to Scripps Networks, which is now Discovery; I have been there for about -teen years and currently manage the global security operations center there. Lots of fun. And I get to teach for University of Phoenix online, and I also have been doing some courses for New Horizons on networking and information security, so I get to play and get to share. I consider myself an awareness advocate, so I love to share the things that I do glean with other people, and when I have the opportunity to work with schools or churches or other organizations... I've got to go down to, oh goodness, I got to share with one of the retirement communities on how they could protect themselves, and that was really, really exciting. So I'm an awareness advocate, and as part of that I also lead the East Tennessee (ISC)² chapter. We're chartering right now; hopefully within the next month we will be a full-blown chapter. So if you see these over on the table, grab one, scan the QR code to send us an email if you want to become part of that chapter. Right now, because we're still chartering, members need to be (ISC)² certified, so if you have an (ISC)² number, include that in the email. If not, still send us an email if you want to be part of it, and we can then add you to the guest list, and as soon as we get our charter completed (the attorneys are working right now on getting us all the stuff we need) then you can join as well. We're focused on networking with other people in the environment, self-improvement, learning from each other, and outreach into the community, so it's an exciting opportunity for folks that want to get involved.

All right, enough about that. Why did I decide to talk about this particular topic, on Emotet? Well, again, I recently transitioned jobs and I manage our Security Operations Center, and when I started doing that in September of 2018 we started to see a lot of this pattern of activity in our environment, or at least I started to get visibility into it, right? In our EDR we'd see Outlook opening Word, opening a command shell (which isn't shown here), then opening PowerShell from there, and then other bad stuff happening. And the more we would research these, the more we would look into them, the more we would find connections back to "oh, that's Emotet," "oh, that's Emotet." I'm like, this is happening a lot, and we're seeing various... but it wasn't always the same indicators of compromise. It was different indicators of compromise, same pattern. But I started to dig into it: well, what is this threat? And the more I dug, the more interesting it became, and so that's why I thought I would share what I learned with you all. The other thing on it is there's two differing opinions on it, right, and that's kind of why we had the talk title that we did. Some people are saying that Emotet is like the end of the world: it's doing damage, massive damage, and we'll talk about some of the massive damage that it has led to in the last couple of years later on in the slides. But people are treating it as the end of the world. I saw this tweet just earlier this year: "if you can dodge Emotet, you can dodge an advanced persistent threat." That kind of puts it up there in a range that you might want to be aware of. And then I listen to podcasts, and I listen to Malware Archaeology on several occasions going, "yeah, we saw some Emotet again this week, it was noisy, we saw it, it was nothing interesting." So there's this dichotomy of approaches to it: some folks saying, yeah, it's just something out there, it's not a big deal; other people, oh no, hair on fire. So hopefully by the end of this presentation you'll have your own opinions of it, and we'll go from there.

So what is Emotet? Well, this is not what it is. This is not what it is. But I do have a colleague that every time I say it, he's like, "oh yeah, that Egyptian thing." Yet this is not it. What it is: it started out as a banking Trojan back in 2014, by a group that's called Mealybug, and we don't really know a lot about Mealybug, but we've associated them with this banking Trojan. It started out as classic malspam: you see the topics here, invoice emails, deliveries, financial transactions. Sending out the email and seeing who can click, right? It started out with primarily links in the emails, also links to drive-by downloads, so they would have compromised websites that would have a pop-up that would start this, or they'd have the links in the messages that would go to compromised sites that would then lead you from there. Classic attacks, right? In this particular case they started out targeting German and Austrian banks, or customers of German and Austrian banks, and so it was very limited in scope. From the beginning they had it designed with a modular payload, so they could very easily shift it around and move different things into different places. But the payloads that they started out with were scanning your filesystem looking for banking information, looking for files that might have account names, usernames, passwords, other things like that. They also, from the beginning, were able to intercept network traffic even if your traffic was SSL and TLS encrypted. They weren't intercepting at the network layer; they were intercepting it by compromising your browser itself and gathering that information when you were having your browser sessions. So it was a pretty interesting approach. It established persistence through a number of different methods, and they operated in 2014 from the summertime, when they first manifested, to December, and then poof, they vanished. They were gone. And so they made an impact at that point, a relatively small impact, but they got a little bit of notice and then just disappeared. Okay, another passing fad, or a threat? Well, then in the summer of 2015, like a year from when they first started, they came back, and they came back with a new version. Again, they were still doing the malspam, typical types of things: invoices, deliveries, financial transactions. They still had the links to drive-by downloads, but
now they started working with attachments as opposed to just having links in the email. They started to have attachments in their email, primarily Word attachments, and do PDF files with links that would go out to other places. They expanded their target: right now not only were they dealing with German and Austrian bank customers, but also they were targeting Swiss banks, gathering more and more information about people in those countries. They switched up the payload a little bit, so they could still do recording of your network traffic, but now, new and improved, they could harvest credentials from within the browser itself. So when you saved credentials in your browser, whether you were using them or not while you were infected, they could begin to grab those. It was still in its infancy at that point, but it was effective. They changed their persistence mechanisms so that they were becoming a more persistent threat, and again they operated from the summer of 2015 through December and vanished again. So it's kind of an interesting model: five, six, seven months of operation and then gone. 2016, we didn't hear from them. It was like, okay, is this thing gone? What happened? There's not much about them in 2016. Then in April of 2017 they ramped up again. Now, those patterns we thought were interesting, and later on we'll talk about why we think they were interesting, but these long breaks and then a new thing, and then another long break and a new thing. And now in April of 2017 they started a two-week campaign attacking in the UK. This time they had the same type of spam campaigns, the same type of attack techniques, the same loader that was being effective, but they switched out the payload. Again, it was modular; this is like a Lego malware kind of thing. They switched out the payload to use the Dridex banking Trojan as the payload itself. Dridex had been effective in 2016 while they were taking their break. They're like, hey, if it's worked for them, let's switch it out and put it in here. So they worked for two weeks attacking UK customers, and then again they stopped. But they didn't stop for very long. On April 24th they started their campaign against the United States. This time it was targeted toward government employees: federal, state, local government employees. They changed up the features of it again; this was a different version. Now they have something that's different: they had a centralized command and control where they could start to get automatic updates. So now once you're infected, and once they have persistence, they can give you a new version. They can patch their malware better than we patch our stuff, right? They had enhanced their browser credential harvesting so that they could now work with different browsers and more effectively get those passwords and credentials that you've stored within your browsers. They now added an email scraping opportunity, so now if you're doing web-based email they could start to intercept some of that information and get who you're sending to, who you're sending from, contents of email, other pieces like that, so that they could make their spam campaigns more effective. And at this point they also made a dramatic change in that they added a polymorphic loader. So the Emotet loader itself (the loader is what we now refer to as Emotet) they changed to be polymorphic, so it was having different signatures and it was generating different hashes, and antivirus really started to struggle with it. In 2017 Malwarebytes was talking about what they defined as polymorphic there, but it was just slipping past all of the different antivirus, and still to this day that loader portion is very often missed by antivirus. So that was when they started attacking America. They did that attack in April and then changed it up again, right? When all else fails, mutate. They changed it up again, and they started, with a new version, to attack hospitality industries, medical facilities. They were using the same polymorphic loader. They started to change some of their ability to spread, so now it was not just infecting the people that click the link, but from there it was doing some other things to spread through your network: taking advantage of open SMB ports, other things with network shares, other vulnerabilities on your local networks, as well as sending out through spam. So using the information that they captured, the email addresses and that, to send them back to command and control to allow them to send out more spam, or even sending spam messages from the infected systems. They took out some of their banking payloads, so they weren't now so much looking for ways to find that financial information, but they were... yeah, sorry, they added the RIG exploit kit instead, and it was doing some other things and attacking in different ways. Again, they just took somebody else's payload and threw it in there, and now they started venturing into the ransomware market. That went through December of 2017, and then they took a tiny bit of a break, and then they ramped it up again. Right, early 2018 they started something that was once again different. They pivoted, they changed, they changed quickly, and this time they were indeed focusing on the United States. So you can see the ratios of other regions to the United States in 2017, ramping up at the end of 2017, and then in 2018 going along, and this was just for that quarter; I didn't have newer statistics with that, but it's been
continuing with there, and we'll talk about that in a minute. So what did they do when they changed in 2018? Well, they had more enhancements. This time they could start to move into preferred directories; they started to use symbolic links and place those symbolic links in areas that would help them to maintain persistence, to start up over reboots and survive reboots. They were collecting more and more information about the victim machine and sending those to their command and control servers. And hey, let's add an API, because everybody's doing it, right? So now your malware has an API too. So that was kind of interesting. They changed their propagation methodology, though, in early 2018, and they took the Qakbot worm (Quickbot, Quackbot, who can pronounce it), which was also very successful in 2016. It does some things with living off the land, using the utilities that are on your system to spread: again spreading by SMB, using some PowerShell, had some Mimikatz in there with the worm to be able to harvest passwords in other ways now. And they changed their payloads, and the different variants of this may have had one or more of these payloads on there. So they brought back the banking module, right? So they're starting to again go back to looking at network traffic and browser traffic for stealing your banking details. It was like the origins of where they were; they went back to where they had been successful. They also added the email client info stealer module, so that was what we talked about for browser-based email, and they made that enhanced and it was even more effective. They had other browser info stealing, so they could start to now gain access to your browser history, your saved passwords, other pieces there that were information in the browser that might be valuable to the attacker, sending that all to the command and control infrastructure. And then they also added a PST info stealer, and this is the one that kind of made the news last year more, with the ability to go into your Outlook message client and your Outlook message archives, extract sender names, email addresses from messages, contents of messages, and send those up to the command and control infrastructure so they could have more effective targeted attacks. They changed it up a little bit in the summer of 2018 to more sophisticated emails, and here they started actually using that information that they were gathering from all of the emails that they compromised earlier, especially with the Outlook plugins, to be able to impersonate your people within your organization and start to send out the emails with that. And this is kind of where I started to get involved in dealing with the threat.

So here we have a sample email, right: document attachment from somebody in the organization to somebody in the same organization, so they were making it look like it was an internal email. And what did they have? Well, they had macro attachments. Now all of us tell our users, if it has the buttons, don't enable macros, don't do that, right? Well, they already thought about that; they planned for it. And now here they have these easy-to-follow instructions: "you can't open this, we're sorry, but we're gonna make it easy for you to open this because it's important." So here's the instructions for defeating that control that we've put in place to prevent macros from opening automatically for our users. So they were just guiding them through, step by step, on how to do that, with instructions that are easier than what we usually give them. So what did they have from there? Well, when you look at the macro itself, the macro didn't have the commands just spelled out purely within the macro. They obfuscated it at the macro loader level, at the VBA level in the document, and they'd have components of the malware, or at least of the next step, that were hidden in different parts of the document. Some of them may have been in metadata about the document; some of them may have been in the text boxes that were in different spots of the document. And they would put all that together, and then when it's arranged it opened up a command shell. But your command shell, the commands that were being executed from the command prompt, were also obfuscated. I'll zoom in there a little bit so you can see some of the command line obfuscation that they had with DOS commands. That was kind of interesting. That was a technique that (again, this is summer of 2018) was shared by Daniel Bohannon at Black Hat Asia 2018 earlier, in March. So within just a couple months they took the techniques that they saw demonstrated there with Invoke-DOSfuscation and applied them to what they were doing, so you now got to see this type of thing at the command line. So that was kind of interesting. From there, let's say once that executed the command, it would launch a PowerShell script, and your PowerShell was Base64-encoded. Okay, so once you go through and decode the Base64 you end up with PowerShell obfuscation too. So they've got layer after layer after layer of hiding what they're trying to do before they even get to the point of downloading the Emotet loader. This is just the stuff that's built into the document, into the payload. But when you finally sort it all out, they're going to the websites and downloading the next stage, which is the Emotet loader.

The version of the Emotet loader they were using here is once again new and improved; it's very different. But this particular attack also, what they started in the summer of 2018, was an alliance. We talked about this Lego malware and this building block modular approach; they took the Emotet loader and their distribution methods and combined it with TrickBot and with Ryuk. So we started to see this unholy alliance, this triad of tools that were working together. But the Emotet loader itself still established persistence, right? It could do that through creating a service, through scheduled tasks, through a couple other methods, to just be on the system and stay on the system. It was still checking in with command and control, doing automatic updates, again staying better updated than our systems are staying updated. They built in VM protection, or VM detection, so they could tell if it was running on a virtual machine or not, and change the behavior of it if it's being analyzed. So if you've got some sandboxing techniques involved, it may not necessarily set off any alarms in your sandbox, because they detected that and changed the behavior. Still polymorphic; they enhanced the ways that they were changing to slip past AV, slip past some of your other controls, and very effective there. And now they established a botnet of infected systems. Since they had the persistence, and since they had the ability to update and change these systems that were infected, we now see a botnet of hundreds of thousands of systems infected with Emotet and still running and still doing stuff, just waiting. So they started to leverage that. They took the email harvesting module that we had and started to feed that back to their botnet of infected sources, to use them to start to send out the spam. So remember, they infected Robin's computer and they got Robin's... they didn't really infect her computer, I just like to pick on Robin, but they got all of her contacts, and they got her, and they started sending out from the spam bot, from a lot of different sources, emails that look like they were coming from Robin to other people in her contacts list. Increase the probability that people are gonna click on it and open the attachment and run the macros and what have you. And they're uploading all this data to cloud storage, because hey, it's the cloud, right? It's not just for the good guys. So then they had the TrickBot payload. Once the loader was established, they would download TrickBot. TrickBot was also modular, just like Emotet is, and now they've got Lego malware inside of Lego malware, TrickBot.
This is interesting: in November they said it was one of the top business threats at the time. It had a data stealer, still has a data stealer, uses web injection attacks, and also, if Emotet didn't do enough to harvest your emails, the TrickBot malware is also harvesting emails and doing its own thing, running Mimikatz. It also would search through your system and look for, now it's looking for altcoin wallets and Bitcoin wallets, and grabbing that information and sending that to the attackers so that they can raid your cryptocurrency accounts. TrickBot uses some interesting ways to spread. It's also spreading through SMB, a lot of the classic attacks that we saw with, I'm drawing a blank now, the, yeah, the SMB attacks, SMBv1, SMBv2, to just spread through your networks using RPC calls, other ways of spreading. EternalBlue, that's the term most look at, three, using a lot of the EternalBlue methodologies that some people had patched and other people hadn't. That was the TrickBot side of it, and then we have the Ryuk ransomware, and that was running concurrently, and that was spreading pretty wild. In fact, this whole thing shifted to target enterprises and governments during this time frame. If you remember, earlier in 2018, Allentown, Pennsylvania, where the whole town was just hit by ransomware: that was Ryuk, and that looks like it had initially started through an Emotet infection. Later in 2018, right around Christmas time, when Tribune Publishing went down and they were taken offline by ransomware, same attack, same attack series that took the LA Times and a number of folks there. And the Data Resolution cloud hosting platform, that happened right after Christmas; that was also the same thing. Looking at the numbers in the Bitcoin wallets that were associated with Ryuk, so when they said "pay us the ransom and we'll give you the keys back," tracing those wallets we saw that the ransomware associated with this campaign earned about 3.7 million dollars in 2018. So that was kind of interesting, and that ran through January 7th. Now why did I say January 7th? I was very specific on that because it was interesting, and it made a lot of news at the beginning of the year, this year, because it was such a prolific campaign, and then it just came to a stop. An interesting little tidbit, and we don't know if it's valuable at attribution or not, but they took a break from January 7th to a little bit later in January, and it happens that the break they took coincides with the Orthodox Christian Christmas holiday. Again, we don't know if that at all is tied to attribution of who's doing it. Attribution is kind of a slippery slope.
There's some people that say the Ryuk ransomware can be attributed to North Korea because of some of the code that they use; there's other folks that say the banking Trojan parts can be attributed to Eastern Europe and Russia and other places. But we don't have any real solid attribution on any of it; it's kind of mysterious. But it was interesting that a lot of their other breaks also included some of those holidays. They were much bigger breaks, and now they took this shorter break that just covered that holiday, so that was interesting. The other thing that's interesting is, when they came back, they came back with a vengeance. They changed it up just a little bit, not too much this time, and immediately started attacking large targets. Beginning of 2019 you see the town of Albany, city of Albany, province of, I don't know, Albany, New York, capital of New York, that they took down with the same attacks. Stuart, Florida got taken down with the same attacks. And it's still happening, right? We're seeing this still going on now through the last several months of 2019. This just came up earlier this week in my research: Emotet is now considered the most prevalent threat in our healthcare systems, and you can see that was April 30th. So it's still a threat and it's still happening. It's quite, quite virulent, I suppose. Thank you.

So let's talk about it a little bit and what they've been doing. They've adopted an agile development lifecycle. If you go back to the beginning of the attacks, they were more consistent with a waterfall style development methodology, right? They had this big release, they'd do their thing for about six months, and then they'd have to take like six months or a year to develop a new version and then do the same thing again. And then they took off all of 2016 to develop a new version, at least that's what we're speculating. But now, after that, they came back and it's boom, new version, boom, new version, let's do it a little bit different. So they're adopting the same agile development lifecycles that are allowing our IT to be successful, to allow their malware to be successful. So you can see, if any of you listen to Johannes Ullrich's SANS Internet Storm Center StormCast, it's a great 10-15 minute podcast every morning to get an idea of what's going on there, but over the last several months Emotet has been a regular occurrence in podcasts with some of the new things that are coming out there. And you can see that they're changing, and they're speculating on some of the things that we can see moving forward. One of the things that we anticipate is some increased efficiencies, right, because of what they're doing. They're doing a lot of R&D, and they're investing in it, it's paying off, and they're using those profits to reinvest in it, just like a business or a cyber criminal enterprise. Expect to see some distributed credential stuffing. Again, they have this botnet that's all together there that's already getting these email addresses and getting credential information. Credential stuffing is a very successful type of attack that's happening right now, and that's a completely different thing, but we expect to see them possibly using some of these credentials, that they may have just been selling to other people, to do credential stuffing, to now use their network of infected machines to start to do some of the credential stuffing attacks. So that's just speculation right now. One of the other things that we expect to see, though, is for them to adapt the information they're gathering from email harvesting to transition into some of the BEC, business email compromise, style attacks. I don't know if any of you all saw the report from the FBI just a few weeks ago, maybe a month ago: business email compromise in 2018, 1.8 billion. One point eight, yeah, 1.8 billion with a B in 2018. So it's a very successful attack. They're looking at possibly getting into that business. Again, it's a criminal enterprise saying, how can we be successful, how can we change, how can we pivot, just like our businesses do, but this time it's the bad guys that are doing it.

So, conclusions. What can we do to protect ourselves, right? One of the things that we can do, obviously, is defense in depth. We can go back to our thing here: do we consider this maybe to be an advanced persistent threat? Do we consider maybe that the defensive strategies that we're going to apply against our APTs might be effective against this? I don't know; it's up to you to consider. But we go back to the same things that we always say: defense in depth. What are the different layers that we might want to protect for this particular threat? Well, we might want to protect your email gateway, our endpoints, our web gateways. Might possibly, I don't know, maybe use something for authentication other than just a username and password? I know it's a wild, crazy idea out there, but you might want to take that away from the attackers. So, talking about the email gateway, why might that be something we want to do? Well, maybe begin to filter your emails based on what they have in there. Obviously all of our email systems have filters that are already part of it. If you're using Gmail, you're getting some pretty good filtering; if you're using Office 365 ATP, you're getting some filtering. It's not anywhere near as good as Microsoft says it was; again, there was a report a few weeks ago about what they're actually getting and what they're not getting from some of the email vendors. But you might want to look at increasing your filtering. Maybe filter out the ability to have attachments that have macros enabled in them. Obviously that's going to have a business impact, especially if any of you have accounting folks that are using Excel spreadsheets with macros that are part of the business, but you have to make that business threat versus business decision. Maybe add some sandboxing to your email gateways so that attachments that come in can be detonated in a sandbox. Is it going to be fully effective? No. Again, they can detect a lot of the virtual machines and other things for sandboxing and adapt, but it's another layer that you probably should have anyway. Again, it's going to have a business impact: your sandboxing now adds time to email delivery, and it can delay the ability for people to actually open attachments, or they may get an email that they can't open the attachment on until the sandboxing is done, depending on your technology there. But it's another approach to defending against this. Having a good SPF and DMARC system in place for your email. How were these emails being spread? Most of them were email impersonation attacks,
Right? They weren't coming from valid senders. Well, if you can stop those unauthenticated emails from coming into your systems you can stop a lot of these attacks. But again, it's a bit of a heavy lift. DMARC is not easy. Even using SPF, and using it properly, is not going to be easy if you're partnering with other organizations to send email on your behalf. If you're using, you know, Constant Contact and all these other different things, you know, stand up another web service, it's gonna send out emails as you. Now you've got a lot of people that are authorized to send on your behalf, but if you don't have the necessary records in place to

say who's legit and who's not, and you just start to turn this stuff on, you can break stuff from a business standpoint. So make sure you approach it and plan accordingly, but definitely get doing this. Finally government agencies have got their act together with DMARC, because they were forced to, but a lot of our other businesses are falling behind in that. So that's one way to protect it, at the email gateway level. How about at your endpoint? Well, again, think of policies. Maybe policies that block macros a little more thoroughly, not just the ability for users to go in and enable them, but block them more rigidly. Again, it's going to be a threat versus

business trade-off. You know, your accounting departments are gonna scream bloody murder because they're using macros all the time. It may be something you can enable for a certain sector of your populace. Something to consider from a policy standpoint: how about blocking PowerShell? You know, how many users need PowerShell running on their system? Well, from a user standpoint most of your users probably don't. From an IT management standpoint, an orchestration platform, your IT people are probably going to scream bloody murder: no, we use that for managing and updating and that. So again, maybe put some controls around that, on what it can be initiated from or other things like that, but it's not something you can just turn

on. It's a little bit more of a heavy lift. Maybe block execution from the user's profile. You know, these commands that were downloaded, when they did actually have files, the files were stored in the profiles. A lot of these are stored in memory and running from memory, but if you can block execution from their profile you can protect from some things. Maybe consider privileged access management policies, so that your users that are running maybe don't have rights to be able to do some other things on their computer that would allow it to establish persistence and spread, because our users don't always have to be admins, despite what they say. Have a good AV client that's up to

date and manageable. Again, it slips past AV, but you can't take it out of the equation. Maybe partner to that with a good EDR solution, because despite whether it slips past your AV or not, if you have an endpoint detection and response solution that shows processes, you know, this process did this, did this, did this, then you can start to track down when it's happening even if it's obfuscated. You may be able to set rules around that to be able to block some things, or you may just have to do the whack-a-mole approach and find where it happened and then go shut it down. But a good EDR solution is going to give you some of that insight. Log

management: collect some logs from your endpoints that would be able to see some of the activities that are around this and some of the things that are being done to establish persistence, so that again you can at least detect and respond. And good vulnerability and patch management. I hate it when the attackers are able to keep their software more up-to-date than we're able to keep our endpoints up-to-date. So that's another solution that you might want to look into there. A lot of the times when these were being spread by those SMB v1, SMB v2 vulnerabilities, the EternalBlue type exploits, if the endpoints had just been patched they wouldn't have been able to spread,

and those patches have been out since 2017. So, you know, something to consider. And again, look at it from your webmail gateway standpoint. So once a system is there and it's trying to reach out to command and control, or when it's trying to reach out to those sites to download the loader modules and other things like that, how many of us have protections in place to restrict our ability for our endpoints to reach out to unknown websites, sites that are not categorized by whatever our web filtering solution is, or sites, domains, that have been recently stood up? Those types of controls can be effective. Again, it's a heavy lift, right?
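The endpoint controls above (restricting where PowerShell can be initiated from, blocking execution out of the user's profile, and an EDR that shows "this process did this, did this") all come down to rules over process lineage. As an added example, not code from the talk or any EDR product, here is a Python detector for the two patterns over constructed process-creation telemetry: an Office application anywhere in a script host's ancestry (the mail client, Word, then PowerShell chain), and an executable image living under the user's profile. The events mimic the fields of a Sysmon Event ID 1 record, but the field names, paths and process IDs are assumptions built for this example.

```python
"""Two endpoint detections for the Emotet delivery chain the talk describes:
an Office application spawning a script host (mail client -> Word -> PowerShell)
and a binary executing out of the user's profile.

Added example, not code from the talk. Events are constructed to mimic the
fields of a Sysmon Event ID 1 (process creation) record; the field names,
paths and PIDs are assumptions.
"""
from typing import Dict, List, NamedTuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str      # full path of the executable
    user: str
    cmdline: str


MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Directories under C:\Users\<name>\ that a hardened policy would deny execution from.
PROFILE_EXEC_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, ProcEvent], pid: int, max_depth: int = 5) -> List[str]:
    """Image names from the process up through its ancestors, nearest first."""
    chain: List[str] = []
    while pid in by_pid and len(chain) < max_depth:
        ev = by_pid[pid]
        chain.append(image_name(ev.image))
        pid = ev.ppid
    return chain


def detect(events: List[ProcEvent]) -> List[dict]:
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        chain = ancestry(by_pid, ev.pid)
        name = chain[0]
        # Rule 1: a script host with an Office application anywhere in its ancestry.
        if name in SCRIPT_HOSTS and any(a in OFFICE_APPS for a in chain[1:]):
            alerts.append({
                "rule": "office_spawned_script_host",
                "pid": ev.pid,
                "chain": " <- ".join(chain),
                # Higher confidence when the document came in through the mail client.
                "via_mail_client": any(a in MAIL_CLIENTS for a in chain),
            })
        # Rule 2: the executable image itself resides in the user's profile.
        low = ev.image.lower()
        if "\\users\\" in low and any(d in low for d in PROFILE_EXEC_DIRS):
            alerts.append({"rule": "exec_from_user_profile", "pid": ev.pid,
                           "chain": " <- ".join(chain), "via_mail_client": False})
    return alerts


# Constructed telemetry: one infection chain plus two benign process starts.
SAMPLE_EVENTS = [
    ProcEvent(100, 4, r"C:\Windows\explorer.exe", "CORP\\robin", "explorer.exe"),
    ProcEvent(120, 100, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "CORP\\robin", "outlook.exe"),
    ProcEvent(130, 120, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "CORP\\robin",
              r'winword.exe /n "C:\Users\robin\AppData\Local\Microsoft\Windows\INetCache\invoice_0503.doc"'),
    ProcEvent(140, 130, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CORP\\robin",
              "powershell.exe [obfuscated command line omitted]"),
    ProcEvent(150, 140, r"C:\Users\robin\AppData\Local\Temp\update_1873.exe", "CORP\\robin", "update_1873.exe"),
    # Benign: an administrator running a script from the desktop shell, no Office ancestor.
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CORP\\itadmin",
              r"powershell.exe -File C:\Scripts\inventory.ps1"),
    # Benign: Word opened from the file manager and spawning nothing.
    ProcEvent(210, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "CORP\\robin",
              r"winword.exe /n C:\Users\robin\Documents\notes.docx"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The administrator's PowerShell start is left alone because its ancestry contains no Office process; that is the "controls around what it can be initiated from" trade-off the speaker describes, expressed as a lineage rule rather than a blanket block.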

You're gonna have people that are, you know, connecting to new sites and are gonna be mad because they can't get to it on the company computer, or, you know, when they try to reach out to a site that just hasn't been categorized yet. You're gonna create more calls for your support staff. Are you gonna have as many calls as you'd get if you have an outbreak of this thing? No. But you do have to plan it and react accordingly. And again, multi-factor authentication: use something so that when those passwords get out, not if the passwords get out, when the passwords get out, they're going to be less effective for our attackers, because

more and more of the things that we're doing are cloud-based, right? We're pushing it all up there to make it more efficient for us, but if the attacker can get in there with just a username and password, if the user can get in there with just a username and password, the attackers will too, and they're getting those pieces of information. So that's all I got. Questions, comments, snide remarks? Yes? [inaudible question] So that's a good question, and we've seen a lot of different pieces there. Again, different payloads, and as they change their payload model they've exfiltrated data differently. So you can look at some of the ways that the different Trojans that

they then have as their payload did their exfiltration. A lot of times we're seeing connections through SSL, HTTPS connections, just sending data out over HTTP. So your NetFlow might show a connection to this with a large amount of data, or a lot of connections to this with small amounts of data in each one, but with the SSL inspection that they're doing there, unless you're doing SSL inspection or, you know, anything like that at your network layer, you're not gonna be able to see the payloads. And few of us are actually doing SSL inspection at our edges, because, you know, certificate pinning and other things like that, we break things, right? Yeah, you can see destinations, and a lot

of times the command and control infrastructures for these are very dynamic. Good question. Yes? What is credential stuffing? It's not part of this. Credential stuffing is an attack that's going on right now. We're seeing it a lot as a media company, because we have a lot of Internet-facing things where our clients are going on. But credential stuffing is basically the ability for an attacker, with a very, very low investment, to be able to get hold of a list of email addresses that have been out there, you know, I mean, think of all the different breaches that are out there, get hold of those email addresses, and get a hold of a set of credentials

that may be associated with these email addresses, maybe not, maybe just credentials that are, you know, commonly used, and then start to use them. So, you know, we'll take all these people in the room, and I've got all of your email addresses, and I'm gonna attack some service with those email addresses. But I'm not just going to take Robin's and say, all right, I'm gonna try Robin's login here, and I'm gonna use this password, and I'm gonna use this password, now I'm gonna use the next password. That's an easy way to get detected and locked out. Instead we're gonna distribute that to a bunch of different proxies, so you have a distributed attack coming from a variety

of different IP addresses, and we're going to take your email and we're gonna try it with this password, and we're gonna take his email, we're gonna try it with the same password, then we're gonna take the next person's email, try it with that password, and go through the list there. So by the time we go through this list of a hundred thousand passwords, we can, a hundred thousand email addresses to log in with, we're gonna start again with a different password. Now, you know, we're not gonna do an account lockout, and it's much less likely for us to get attacked, or to get detected. And then when we do get a login, we just save that and say,

okay, now I've got something that was successful. I know that your email address used this particular password. I save that information and I maybe sell it, or I try some other things. Now that I have a valid combination, I maybe put that into the next phase of the attack that tries other services and puts some variations on that, because nobody would ever take the same password and put maybe an exclamation point or a number or something like that after, right? I mean, we know nobody reuses passwords or changes them. So, and they're very successful right now. Anything else? Yes? [inaudible question] So there are some tools out there, some endpoint security tools, that can lock down your computer so that

basically you can't run executables that are stored in the profile. They say the computer will run executables that are in these specific directories, and if anything tries to execute out of them we're just not gonna let it run. So there's, I think you can enable that with, I think Symantec lets you do some of that, I know Palo Alto Traps lets you do some of that, ESET lets you do some of that. Several other endpoint solutions will allow you to do that, more than just a regular antivirus, so you'd need a more expansive endpoint security solution. Yes? [inaudible question] The data, the value of the data, and probably because they're an easy target. If you look at most of our healthcare

organizations, I haven't worked in healthcare for 20 years, but most of our healthcare organizations are running on a tight budget, right? And so they're limited in their ability to put some of these controls in place. They may have a lot of outdated equipment that's on the network that has to stay there. You know, you buy an MRI machine, you expect it to sit there for 30 years and be effective. That's what your capital investment is based on. Well, you can't do that in IT now, it just doesn't work. But they have to then keep other things not quite up to date in order to communicate with those, and it's a lot of hurdles, but

again, that's just guessing. Tyler, that's a good question, and if any of you were in Joe's presentation earlier, that really falls into the categories of what he talked about. What are your incident response and forensics approaches? What are your policies on that? You know, do you take the machine and pull it offline and reimage it? Do you try to get in there and remove it? Do you set it aside so you can do forensics on it and find out more about what's happened and if it tried to spread? That's really up to your incident response and what your particular enterprise is willing to do. Yes? [inaudible question] Yes, so the best detections I've seen

at the delivery phase have been in your EDR solution, when they detect that pattern of behavior that somebody had an Outlook client open, or an email client open, that then launched a Word attachment or an Excel attachment that then tried to do this other thing. So that behavior recognition is really the most effective. Yes? [inaudible question]

Yes, from what I've been able to find, and again, I just started digging into this, you know, over the past year, so some of the older information isn't quite as up-to-date anymore. Well, older information not up-to-date, that's redundant. What I've been able to find is they mainly looked for certain particular file types and then would either look for things that matched patterns in those file types, or they just uploaded and let them be scanned somewhere else. So, you know, document file types, Excel file types, text file types were kind of the main ones. All right, one more question. Has anybody got one more question? Because the next question is going to get Steal This Computer 4.0

from No Starch publishing. There's got to be a good question. I forgot to hand it out earlier. Yes? [inaudible question] Ah, hand him the book. So the pattern I primarily see on the email side is that email impersonation attack: a message coming in from outside of your organization that has a source address that's associated with inside your organization. That's the pattern we see most. That's where the SPF and DMARC can come into play to help to protect there, or at least even flags, put a flag on there that says this is an external email, and then the user, well, it looks like an internal email address, maybe I oughta not open it, maybe I ought to call

security, or click and see what happens. If I click fast it won't break anything, I've heard that. Okay, so those were from external senders. Interesting, that's good enough. Yeah, I'd love for you to send me some of your regex queries, I'd love to learn more. Great, all right, thank you very much. Again, if you're interested in the East Tennessee (ISC)² organization... [Applause]
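The credential stuffing pattern the speaker walks through in the Q&A, one password tried across a long list of accounts from many proxies so that no single account trips a lockout, is invisible to per-account lockout counters by design, but it shows up when you pivot on the source and on the fleet. As an added example that is not part of the talk, here is a Python detector over constructed authentication log lines: it flags source IPs that fail against many distinct accounts with only one or two attempts each, flags a window in which unusually many accounts fail once or twice from many IPs (the fully distributed case, where each proxy touches a single account), and lists the successful logins that came from a flagged source, which are the hits the attacker keeps. The log format, addresses, account names, timestamps and thresholds are all assumptions constructed for this example.

```python
"""Detect the distributed, one-password-across-many-accounts pattern of
credential stuffing from authentication logs. Added example, not from the
talk. The log format and every address, account and timestamp below are
constructed for this example; the thresholds are illustrative defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

Event = Tuple[datetime, str, str, str]  # (time, source ip, account, result)


def parse(lines: List[str]) -> List[Event]:
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of dropping the whole batch
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)


def buckets(events: List[Event], window: timedelta) -> List[List[Event]]:
    """Split the time-sorted stream into consecutive windows of the given length."""
    out: List[List[Event]] = []
    for ev in events:
        if out and ev[0] - out[-1][0][0] < window:
            out[-1].append(ev)
        else:
            out.append([ev])
    return out


def spray_sources(events: List[Event], window: timedelta = timedelta(minutes=10),
                  min_users: int = 3, max_per_user: int = 2) -> Set[str]:
    """Source IPs that fail against many accounts while staying under the
    per-account lockout count: the proxy nodes of the attack."""
    flagged: Set[str] = set()
    for bucket in buckets(events, window):
        per_ip: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        for _, ip, user, result in bucket:
            if result == "fail":
                per_ip[ip][user] += 1
        for ip, users in per_ip.items():
            if len(users) >= min_users and max(users.values()) <= max_per_user:
                flagged.add(ip)
    return flagged


def fleet_wide_spray(events: List[Event], window: timedelta = timedelta(minutes=10),
                     min_users: int = 10, max_per_user: int = 2, min_ips: int = 5) -> bool:
    """Fleet-level view for the fully distributed case (each proxy touches one
    account): unusually many accounts failing once or twice, from many IPs."""
    for bucket in buckets(events, window):
        per_user: Dict[str, int] = defaultdict(int)
        ips: Set[str] = set()
        for _, ip, user, result in bucket:
            if result == "fail":
                per_user[user] += 1
                ips.add(ip)
        if (len(per_user) >= min_users and len(ips) >= min_ips
                and max(per_user.values()) <= max_per_user):
            return True
    return False


def stuffed_successes(events: List[Event], flagged_ips: Set[str]) -> List[Tuple[str, str]]:
    """Logins that succeeded from a flagged source: the valid combinations the attacker saves."""
    return [(user, ip) for _, ip, user, result in events if result == "ok" and ip in flagged_ips]


# Constructed log: five proxies (TEST-NET addresses) each trying three accounts once,
# one hit on the second round, and one ordinary user mistyping a password twice.
SAMPLE_LOG = """
2019-05-03T10:00:01Z ip=203.0.113.10 user=user01 result=fail
2019-05-03T10:00:04Z ip=203.0.113.11 user=user02 result=fail
2019-05-03T10:00:07Z ip=203.0.113.12 user=user03 result=fail
2019-05-03T10:00:10Z ip=203.0.113.13 user=user04 result=fail
2019-05-03T10:00:13Z ip=203.0.113.14 user=user05 result=fail
2019-05-03T10:00:16Z ip=203.0.113.10 user=user06 result=fail
2019-05-03T10:00:19Z ip=203.0.113.11 user=user07 result=fail
2019-05-03T10:00:22Z ip=203.0.113.12 user=user08 result=fail
2019-05-03T10:00:25Z ip=203.0.113.13 user=user09 result=fail
2019-05-03T10:00:28Z ip=203.0.113.14 user=user10 result=fail
2019-05-03T10:00:31Z ip=203.0.113.10 user=user11 result=fail
2019-05-03T10:00:34Z ip=203.0.113.11 user=user12 result=fail
2019-05-03T10:00:37Z ip=203.0.113.12 user=user13 result=fail
2019-05-03T10:00:40Z ip=203.0.113.13 user=user14 result=fail
2019-05-03T10:00:43Z ip=203.0.113.14 user=user15 result=fail
2019-05-03T10:01:10Z ip=203.0.113.12 user=user08 result=ok
2019-05-03T10:02:00Z ip=198.51.100.5 user=alice result=fail
2019-05-03T10:02:05Z ip=198.51.100.5 user=alice result=fail
2019-05-03T10:02:12Z ip=198.51.100.5 user=alice result=ok
"""
EVENTS = parse(SAMPLE_LOG.strip().splitlines())

if __name__ == "__main__":
    flagged = spray_sources(EVENTS)
    print("spray sources:", sorted(flagged))
    print("fleet-wide spray:", fleet_wide_spray(EVENTS))
    print("successes from flagged sources:", stuffed_successes(EVENTS, flagged))
```

Alice's two failures are ignored by both rules: she is one account from one address, which is exactly what per-account lockout already handles. The successful `user08` login is the event worth responding to, since that account's password is now known to be in the attacker's list and, per the speaker's point about reuse, probably works elsewhere too.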