Transcript
Appreciate everyone's time. My name is Jim Coyle. I'm the U.S. Public Sector CTO here at Lookout. And so today we want to kind of dive into a topic about how attackers are kind of getting into environments, stealing data, and doing it within just a couple of minutes, as opposed to what some folks see as hours, days, and weeks. So with that, I'm just going to kind of dive right into it. If you take a look at any of the big incident response vendor reports over the years, whether it's Mandiant, now Google, CrowdStrike, or Verizon, one thing is kind of common across all of them. Threat actors are still getting in despite technology advancements and investments in people and processes, and data is still being stolen. And it doesn't matter if you're a mom and pop shop selling flowers or a multinational corporation. At the end of the day, data is at the heart of almost every successful business and government agency. And because of that, data is what's being stolen and being bought and sold to the highest bidder. And that also sometimes includes selling it back to the original data owner, while attackers try to capitalize on their access through multifaceted extortion schemes, or just really kind of selling to access brokers. Now, due to the complexity of IT infrastructure in today's environments, exploits of vulnerabilities in various pieces of software and phishing in all of its lovely various forms, such as email, social media apps, and mobile messaging, are still kind of the main entry points into corporate environments today. And so while defenders are getting faster at detecting evil once these attackers are inside, attackers are also getting faster at identifying treasure troves of data, exfiltrating it, leaving behind ransomware, and using those multifaceted extortion schemes I was just talking about. So how is all this happening? Well, I'll walk you through how attackers from nation states to cyber crime groups are able to get in and exfiltrate data in under an hour.
But I do want to kind of set the stage a little bit here. So this is all happening because the world is having an identity crisis, and this is a bit of a complex topic as it encompasses both software as well as humans, just our human nature. So in the conversations I've had with various C-level executives, most are struggling to determine what data resides in their environment, who has access to the data, and what security controls are in place to protect that data. And regulated industry is kind of the one rare exception here, where typically controls are stiffer. However, anything outside of regulated data really kind of becomes a question. And even then, there are a lot of improvements to processes that can be made in those regulated industries. It's not just the data itself, however. Most organizations are struggling to determine what's connecting to the various services within their organization. So I'm just going to pose some questions here. And when I ask these, think about your environments. When you have a connection that establishes to one of your services, is this a legitimate employee? Is it compromised credentials? Is it a machine performing automated tasks, maybe using API calls? Is it a corporate-owned piece of hardware that's attempting the connection, or is it a non-corporate-owned piece of hardware? Maybe it's a BYOD program or somebody's home computer, or just a computer that may be in a coffee shop in the middle of Europe. The context around the identity that's attempting this connection is important, but we struggle to incorporate that data into security operations. Context such as current device posture, MFA, geolocation, and device information, coupled with access heuristics and analytics, all of this matters. The identity of a person and the ability to take over that identity, when we talk about cyber, is not entirely trivial, but it's something that happens every single day.
The ability to learn about an individual from social media, past data leaks, hacked information systems, open-source collection methodologies, all of this makes it a far easier task to go after that individual. Now, this even gets a little bit more complicated from a defensive capability when we start looking at AI being able to create deep fakes of voice and video that are now becoming harder and harder to decipher as human-generated versus machine-generated. With the speed of life, innovation, and technology, as well as just kind of trying to scale IT to meet the demand of today's organizations, most companies have adopted some kind of BYOD or bring-your-own-device program that uses mobile devices for MFA tokens, email access, and corporate services such as employee directories, document storage, and mobile workload applications. Simply put, the way we work has changed, and the modern workforce can be productive anywhere. So, to meet the demands of the modern workforce, the attack surface has also changed. The attackers have also followed suit, with phishing extending beyond just email, right? You've now got SMS messages that can contain phishing capabilities, social media apps, malicious URLs that are shortened, or QR codes, and these are getting harder to decipher on mobile devices. Organization login pages are now being spoofed, mobile applications are getting weaponized, and now, between social engineering and SIM swapping, MFA tokens are getting captured by the attackers, and this is now becoming the norm. The individual is now the target. Attacking their identity in order to log in to the target organization is honestly the lowest hanging fruit from the attacker's perspective. But again, the question comes back to, think about your environment. How are you defending against this today?
Now, the treasure trove of information about an individual and their identity, which resides on mobile devices and various mobile applications and cloud storage services, this has now become the prime target for attackers, because you can find out whatever you want about an individual through their mobile device. And security teams are struggling with shrinking budgets, shrinking staff, and they're unable to keep up with the organization's growth as well as to meet the demands of these new attacks, let alone continuing to focus on honestly the best, or I should say the basics, of cyber best practices. So, before I go into how this is all occurring, I do want to talk a little bit about how we get our data, right? Like, there's a lot of kind of complex topics here. How do we know what we're talking about? Well, we've got over 230 million devices which are providing telemetry that we analyze on a regular basis. Over 374 million mobile applications have been analyzed, reverse engineered, you name it, to really kind of gain insight and a better understanding of attack methodologies that allow us to build better defenses. Now, lastly, there's over 495 million URLs that we have analyzed, categorized, and really just kind of gone down the rabbit hole on in order to protect our customers from malicious and phishing sites that are out there. During my career, I've worked with some of the best penetration testers, red teams, and offensive security professionals who could have complete access into organizations and remain hidden for 24 hours or more. And today, attackers are able to accomplish their goals in under an hour. Now, keep in mind dwell time, which is the time that an attacker is present in a compromised environment before they're detected, is still about 10 days on average. And this number is getting shortened by the deployment of ransomware, better technology, and a more experienced workforce.
But exploitation of vulnerabilities is on the rise as organizations are battling more in highly complex multi-vendor environments, and phishing attacks still remain a strong attack vector. It's important to note, however, that attackers are human and, well, they're going to take the path of least resistance. If social engineering is all that's needed, with a little technical help, to be successful, why waste money on expensive zero-day exploits or exploitation capabilities that may have to have special development for software kits? Most modern attack kits can be purchased for anywhere ranging from a few hundred dollars to tens of thousands, but this really kind of all depends on how the attacker is trying to get into the environment. Now, when it comes to mobile phishing kits, these are only, you know, a couple hundred bucks, and they can help with everything from phishing messages to handling MFA requests and generating fake login pages. Groups such as Lapsus$, 0ktapus, and Scattered Spider have shown the world how easy it is to utilize this shift in tactics, which we here at Lookout are calling the modern kill chain. Legacy solutions are simply not enough. We're not prepared to understand the context of identity. These legacy systems typically are lacking innovation over the last five to ten years, which creates these complex environments where you have to have multiple vendors trying to patch or resolve security issues. Security teams are still attempting to bolt these together, and it's become this burdensome solution, if you will, that requires a lot of care and feeding, and sometimes they're even forgotten. And what I mean by that is sometimes you find that a configuration that was put in place three years ago hasn't even changed. So, how are attackers getting in so quickly? So, a lot of work is getting done and being accomplished through the recon phase.
However, these days, this is done way faster thanks to data harvesting from companies that are selling data, past security breaches, social media, mobile applications, and of course, OSINT, or open source intelligence collection methods. In a matter of minutes, data can be parsed and attackers can identify individuals that they want to target who are working at a particular agency or corporation that they want to get into. They also can figure out how to best target them. Again, kind of think email, SMS, social media, or phone calls. From here, a dossier can be built to target groups of individuals or even just a specific individual using a low-cost, highly interactive phishing kit. By utilizing the data that was collected both from the organization as well as the individual target, you're able to create more believable phishing messages, and even a talk track for a phone call can be developed. And this is the hook that attackers need in order to be believable. So, think about the following scenario. What if you received a phone call and the caller announced their name was Brian from your security team at your company? And you do indeed have a Brian who works in security. They've identified suspicious activity of multiple logins and they were proactive in resetting your password. Now, they mention that you're going to get two SMS messages. One to confirm the re-enrollment of your multifactor authentication device and another SMS to authenticate in order to complete the enrollment process, after which you can go ahead and just change your password. A couple of questions to think about for this scenario. Are your current controls able to detect if your organization's single sign-on or Okta page is being spoofed? Are you able to detect phishing sites that are sent over SMS to mobile devices? And lastly, for right now, do you have regular training which includes mobile phishing?
Now, these attacks are designed specifically for those working at the target organization. And the attacker is looking to gain access through a campaign that's going to be custom tailored just for this one organization. So, they're going to create a login page that's generated to spoof your organization's single sign-on page or Okta page. And what they're going to end up doing is they're going to send out either a targeted SMS message to that individual, or they can also send out mass SMS messages to those individuals, all trying to get them to click on the link and get them to this now spoofed login page. Now, using the same low-cost phishing kit, they can create more targeted SMS messages or even phone calls to go out to specific users who may have clicked but didn't go all the way through, you know, the phishing site, ultimately increasing the chances of success for the attackers. Now, with the groups I mentioned earlier, such as Scattered Spider, Lapsus$, and 0ktapus, they had English speakers making these phone calls, which gave them authority and relevance and made them far more believable as a person from the organization, you know, that was supposedly a part of their IT security team. And that is what ultimately made them highly successful. Now, unfortunately, there's also the rise of mob mentality targeting individuals with violence in order to gain access as well. When individuals are faced with violence over a username and password, most will choose to avoid any kind of confrontation. These do escalate, however, and violence as a service has been on the rise with issues like bricking as a service, which is to throw a brick through the target's window, just to let them know that the attackers are not messing around and the attackers are going to get what they want. So, from an organizational risk perspective, the question here is really around, do you have a plan in place in the event something like this happens?
What does the internal training program look like? Do you have an escalation call list? Do your employees know who to call in the event that this happens? These are really super important questions to have answers to as this type of behavior really starts to increase. Now, as previously mentioned, these low cost modern attack kits are pretty sophisticated in terms of their capabilities. Remember that scenario from earlier: you had a phone call, the caller announced that their name was Brian from your security team, who works at your company, they identified suspicious activity, multiple logins, they wanted to be proactive, they reset your password. Now, if you remember, they told you that you were going to get two SMS messages, one to kind of reconfirm the enrollment of the MFA device, and then another SMS to authenticate in order to complete the process in which you can change your password. If you fell into the trap, when you typed in your username and password into the quote unquote re-enrollment page, you just provided your active credentials to the attacker, if they didn't already have them before. Now you're going to be expecting your MFA to fire off in order to get that authentication token, and this is where the attacker is logging in behind the scenes. These kits can be tailored for simple MFA approve/deny, insert a code, or challenge request forms. Ultimately, it's designed to make you think that this is a legitimate company portal. And again, once you provide that token, either through tapping approve, entering your code, or responding to the challenge response question, it's ultimately what the attacker is waiting for, which is going to grant them access. Now, they're successfully logged in as you. It's really simple to use existing available tools to search for usernames, passwords, you know, use single sign-on to log into multiple applications, databases. You know, they can now socially engineer your coworkers, obtain greater access, living off the land.
But, you know, in the example that you may see on the screen, doing a quick search for username and password in Slack, for example, may return similar results. Back to our scenario. So, by now you're changing your password, giving your new password to the attacker, who's also going to be very helpful, and they're going to change it for you. Now, nobody's the wiser that any of this has happened. You worked with your IT security team to reset your password. You got the SMS messages that they told you that you were going to receive. And now, as you log in with your brand new password, you're still able to log in. So, now the attackers have established themselves. Maybe even creating some additional backdoors, maybe creating a new account. But ultimately, this is the stage where they're really kind of starting to look and search for the data to grab and exfiltrate. Now, remember, they're also moving around with a valid identity. And at this point, we're kind of at this critical juncture where response time is critical. So, again, I'm just going to pose some questions I want to get you to kind of think about. Are you able to determine if a login is happening from a corporate device versus a non-corporate device? Do you have security controls in place to prevent non-corporate devices from authenticating to your network or your applications? Do you have analytics in place that are updated to make sure that you're getting all the information you need? And if so, how do you make sure that you're getting all the information you need? Do you have analytics in place that are updated to read user interaction with files, such as read and write requests? It could be file moves, deletions, creations, maybe even the use of compression techniques.
Do you have the security controls in place to force a re-authentication when accessing sensitive data or even regulated data? Do you have security controls in place that understand the difference between sensitive data, confidential data, public information, regulated data, financial, PII, you name it, right? What controls are in place that are going to prevent a user from exfiltrating data out of the environment to private cloud storage apps, FTP, SFTP, USB drives, or email? What if they're using obfuscation or encryption techniques, such as embedding the data into an image? APT29, a Russian-based threat actor, did this under a campaign called HAMMERTOSS, and this was all the way back in 2015. Now, most of the teams I talk to fully believe that they have these security controls in place, but upon deeper inspection, either through the use of security validation tools or red teaming, they typically find their controls are either misconfigured, not configured at all, or they actually are lacking the kind of capabilities that make these detections possible. And unfortunately, sometimes it's just that they're stuck on legacy solutions that simply don't even have these capabilities. So something else to think about. While capabilities such as single sign-on allow ease of authentication for employees, it's also a goldmine for attackers who can use your single sign-on to log into multiple places. Now, the last step for attackers these days, and it has been for several years at this point, is engaging in this multifaceted extortion. They deploy ransomware in the environment, forcing IT teams to deal with locked-up computers and information systems. And in order to control or get access back to your environment, you have to pay the ransom. Then they're going to show you a page or two of some of the data they stole, and a second ransom is going to be paid so that they don't leak your data.
Now, I will tell you at this point, you should always consult your legal team and your board. I'll never say whether you should or shouldn't pay, as the security industry has seen all scenarios play out at this point. Some for the benefit of the organization, and others for a lot worse. In one particular case, ALPHV, which is the ransomware group that is closely aligned with the major groups we're talking about today, such as Lapsus$, 0ktapus, and Scattered Spider, took note of the organization's status as a publicly traded company and threatened to report them to the SEC for not disclosing the breach that they had initiated. Now, in other cases, attackers have paid close attention to their cybersecurity insurance plans, and they're going to offer a ransom slightly lower than or at those policy payout amounts, in hopes that an organization will just go ahead and pay over having the increase of the premiums. Maybe they're going to have regulatory fines, you know, because they were breached, or knowing that their cyber insurance will pay them more than what they're being ransomed for. Now, I typically like to pose questions around data backups, testing of those backups, having a communications plan in the event of a breach, which is super, super important, escalation call lists. I mean, how often are these types of tabletop exercises, you know, being gone over? Monthly, quarterly, yearly? Having a comprehensive risk strategy and response plan is pretty imperative today. That, in a nutshell, is how attackers are gaining access and exfiltrating data at a record pace. Here at Lookout, we're not recreating the Lockheed Martin kill chain, but we are modernizing it for a cloud-first, mobile-first world for today's modern workforce, hence our name, the Modern Kill Chain. Now, we did this because people don't always see the natural connection of mobile or the various aspects of identity as a threat vector to consider in their security strategy.
But I do want to leave you with one last thought. If you're not protecting your data, what exactly are you protecting? This requires organizations to take a hard look at their environments, their investments, their risk strategies, and really start to consider if their legacy solutions are still up to the task of not just today's threats, but more importantly, providing them the context and controls needed for defending against attacks on their data sets with a zero-trust mindset. The reality today is that while some vendors provide use case overlap, not all of them have innovated at the speed of tomorrow. Those who have kept up with the pace of tomorrow may have feature sets that just have never been configured or not fully optimized. Consolidation efforts, once fully realized, will provide a source of resources to fill new gaps or new projects. But at the end of the day, data's king, both in terms of needing protection, but also in the realm of defense. Understanding context has never been more important. And beyond context around identity, context needs to also be applied to threats, vulnerabilities, risk. Being able to fully operationalize various forms of context will provide you and your teams long-lasting security and long-lasting benefits. And ultimately, this is really a step forward for protecting your organization's data and helping put a stop to attackers who are able to get into environments and steal valuable data within an hour. So with that, I'd just like to say thanks for listening, and I appreciate your time. And if you have any questions, please feel free to reach out.