Is enhanced hardware security the answer to ransomware?
Dave Bittner: Hello everyone and welcome to CyberWire-X. A series of specials where we highlight important security topics affecting organizations worldwide. I am Dave Bittner. Todays episode is titled "Is enhanced hardware security the answer to ransomware?" With the recent onslaught of ransomware of attacks coming across healthcare institutions, critical infrastructure in the public sector it is clear that ransomware is not going anywhere. But given how common ransomware attacks have become, how is it that we have been unable to put a stop to them? Companies often overlook the role that hardware security plays in meeting this challenge. And that oversight has become a bad actors dream. A program note, each CyberWire-X special features two segments. In the first part of the show we will hear from industry experts on the topic at hand. And in the second part we will hear from our shows sponsor for their point of view. And speaking of sponsors here is a word from our sponsor, Intel.
Dave Bittner: To start things off my CyberWire colleague, Rick Howard speaks with Steve Winterfeld, advisory CISO from Akamai. The second part of our program features my conversation with Michael Nordquist, Business Client Planning Director at Intel, about the recent surge in ransomware attacks. And how strong hardware security, combined with software security and personnel security awareness can be the answer to the industry's prayers. Here is Rick Howard.
Rick Howard: I am joined by Steve Winterfeld. He is the Akami Advisory CISO and a regular guest here at the CyberWire's Hash Table. Steve, ransomware has been around for a long time, over a decade. But it seems to be having a moment right now, with big splashy attacks against the colonial pipeline, JBS Foods, I saw the National Basketball Association. And the latest one in the last week or so was the Cassia. And then a bunch more victims that most of us have never heard of. Do you have any thoughts about why we are seeing a surge right now?
Steve Winterfeld: I would say part of this is, it was hard to get people to pay in the past. If they paid through a bank it was traceable. And now because of some of these electronic currencies, Bitcoin and so forth, it is easier to collect payment, which is probably a big part of it. And it is an effective business model. It has just been working. So they have been expanding it.
Rick Howard: I saw an analysis by a couple of New York Times reporters. They were talking about in the old days ransomware was mostly targeting moms and dads, the grandma's, going after a hundred bucks a pop. Then Wannacry and NotPetya happened and all of a sudden the criminals realized there was a bigger, more lucrative victim list, if you went after corporations. And that's when we started seeing the big price tags, $5 million, $10 million to un-encrypt everything.
Steve Winterfeld: The business models continues to evolve because when we say ransomware you are talking about encryption, but they have expanded it to be a double extortion. There was a great report that Sophos did that said says the average time someone has been in a network is 11 days. And that is both to make sure they have got all their encryption done. But where they can to ex-fill data and extort both you giving you the key, as well as extort not putting that out public. If you under a ransomware attack do you treat it like a ransomware attack or should you treat it like a breach? What do you think about that?
Rick Howard: Well I think you are right because I have heard what you said before about the double extortion. I have heard another person say it is a triple extortion opportunity. The original un-encrypted for a fee, that is one revenue stream. But if your data is not encrypted, the victims data is not encrypted and they steal it, then they can see that on the open market. So that is revenue stream number two. And then if they are really crafty they can come back to the victim and say "we are going to release this to the public unless you pay us a different ransomware fee". So three different revenue models there. So when you come back and say "do I think this is a breach?" I absolutely think it is a breach. Ransomware is just a specific technique for criminals to make money. They still have to follow the attack sequence, the intrusion kill chain to be successful.
Steve Winterfeld: I will highlight two things you said. The first is you said it is a technique and ultimately I think it is important for us to remember that ransomware is a payload. And it is a payload with a specific business model. Traditionally that business model was encryption. There are a lot of ways to deliver that payload, which takes us back to your comment on the Cyber Kill Chain. I have always liked that as a way to validate my protections. The old saying that the defender has to get it right every time. The attacker only has to get it right once is not necessarily true.
Rick Howard: Yes it is absolutely not true. It is absolutely not true but go ahead, finish your thought.
Steve Winterfeld: And that goes to there should be multiple times...
Rick Howard: To your point, let me paint that with a bigger brush. What we are saying is if a ransomware group has to complete a hundred steps across the intrusion kill chain, if you have prevention controls in all of those places, even if that ransomware group gets by one of them, they are still going to run right into the next one. So if you do not have to fail you have lots of opportunities to defeat them across the intrusion kill chain. That is what I think it means. Is that what you think it means?
Steve Winterfeld: I would agree. And the difference between that and the traditional defense in depth really is a concept of taking a specific set of an attack vector and mapping your controls to that attack vector. For those who have not seen the Cyber Kill Chain, it came out of those with more of a military background. And you are saying, okay if I were to attack a city, the first thing I would do is send out reconnaissance. Looking for a weakness in those lines. Once I have found some place I thought I could break through those defenses I would build the right forces. It may be rangers in attack helicopters or it may be artillery and tanks. But whatever those forces were I would build the right way to get through, consolidate on the object and establish command and control. I now own control of that town. The same thought process is true when you are attacking a network. You want to do reconnaissance, once you find that vulnerability then delivery your payload. Sometimes that will require command and control, phoning home through DNS or some kind of capability.
Rick Howard: I think the ransomware group needs the command and control in order to coordinate where their stuff is, how they encrypt and decrypt, if they are going to do their process fort. So I do not think that is a step they can skip. Which is my point, that it does not matter what kind of bad guy you are, if you are a criminal or a ransomware person, or an espionage, a spy, or even just a hacktivist. You still have to work your way across the intrusion kill chain in order to be successful. There is no step you can skip, except for what you said. Maybe you do not have to recon if you are just going to blanket out a thousand attacks a day.
Steve Winterfeld: And you might send something out that just has a message, send your Bitcoin to this address and we will send you a key. So you do not need a lot, but I would agree the typical one we are seeing is they are using command and control. There are multiple points that you can disrupt them, absolutely.
Rick Howard: I am personally tracking some 50 ransomware groups and I would not say that is a comprehensive list. These are just groups that I have noticed in the news. So I went looking over at the Mitre Attack Framework because this is my go-to source for all intrusion kill chain information. And I noticed that they are not really tracking ransomware group attack sequences like they do for cyber spies. If you look at the colonial pipeline attacks, Fireeye attributed those attacks to a group called Darkside. But the Mitre Attack League it does not list them. They do not even list Revil either. So that is startling to me that out of the 50 groups that I was tracking they do not have any of them listed. You and I were talking before we started recording, you were thinking maybe that does not matter that much, tell me why that is so?
Steve Winterfeld: I do not know if it is not that it does not matter, it is just where Mitre is putting its emphasis right now. Is trying to keep that dynamic list up or can you map for every different trend? I think if you are going to go back and talk to your red teams and your Pentest teams you absolutely need to arm them with go emulate this specific attack group. And it just gives you better results because it is ensuring your teams are using real world tools, real world techniques. And validating your infrastructure in a way that you can map back to assuring that the three most common or prolific attackers we have mapped to their techniques.
Rick Howard: So we talked about intrusion kill chain prevention is one of the strategies to help reduce the probability of a successful ransomware attack, but there are other ones. If we did follow our zero trust strategy is there something we can do there with segmentation that will help prevent a ransomware attack?
Steve Winterfeld: If we go back to the fact that ultimately ransomware is a payload then what are the different ways to deliver that? I think the most common is probably through email. And if you deliver through email you can either have an attachment or you can send somebody out to a website there they are going to do you the favor of downloading that for you. The next technique you might use is a direct attack. If you have access to their web pages and they have vulnerabilities on something externally facing, then you can do a direct attack. Then the last one we saw recently, the one you talked about is actually through the supply chain, third and fourth parties. There are a number of different ways. Then you go back to what are your most effective controls? And I think that is what your principals try to talk to is what are the most common controls that provide the greatest return on investment?
Rick Howard: Because if you are following a zero trust strategy, you are limiting who has access to the important resources in your organization. So even if the ransomware gang was successful in establishing the beach head like you talked about, doing phishing or some other means, it does not mean they automatically get access to the material information on your network. If you have made sure you zero trust program is robust. What I am advocating for is what you and I talked about in previous episodes, is pretty interesting segmentation plan. And being very careful about who has access to the keys to the city. So we have talked about the intrusion kill chain strategy and the zero trust strategy. There is a third one I like to talk about which is just resilience, your resilience strategy. How do you think about your back up process in order to defeat ransomware? Is there something we can do there?
Steve Winterfeld: I do like that. I always struggle with the different between cyber resiliency and business continuity. And in this case ultimately what we are talking about I think is when is the last time you did a table top exercise on how you would respond to this? And you know I am a process guy, a program guy.
Rick Howard: Yes so am I.
Steve Winterfeld: Have you actually tested your back ups? Installed from your back up operated? Have you made a decision on your cyber crisis team, legal, your regulatory compliance folks, your public relations on whether or not you would pay? And if you are going to pay are you going to use some kind of a broker, a third party to do that interaction?
Rick Howard: But walk me through that because that is a pretty-- I do not want to say this-- five years ago that was a controversial thing to say that clearly we might pay the ransomware. But you see people paying it all the time now so walk me through that thought process. What would be the indicators for you advising the CEO, that you know boss, I think we should pay the ransom. What is the thought process there?
Steve Winterfeld: Well I think some of the factors that need to be considered is what is compliance? Because if you are in a regulated industry, is the regulator going to be okay with you paying? And you are seeing different regulators sending different messages right now. The next thing is talking to the legal team. What are their considerations? Talking to the CFO, what does it cost to be without? And then making sure that everybody is aware that even those people that get the keys, very few of them got a 100% back. Imagine this working with unscrupulous criminals, did not get anything.
Rick Howard: I am shocked. Shocked I say. What? They did not un-encrypt everything? Oh my.
Steve Winterfeld: And even those that did get the keys 50, 80% recovery. And there is a deep complex story behind those numbers. But I think understanding that baseline for everybody is important before you are in crisis mode, having worked through that thought process.
Rick Howard: Basic tactical things come to mind right away when I am thinking about that. What is the probability that they are going to give us the key after we pay? That would be one thing. Is there any evidence that said they have done that in the past? And second like what you are saying, is there any evidence that even if you have the key that there is going to be some reasonable process to un-encrypt everything? In the latest attacks, this last year or so, that is becoming less and less a viable option. I have got to think this is software doing all this stuff. I can guarantee you that the bad guys are not spending a lot of time on the de-cryption process. There is no revenue in that part of it. At this point I am thinking I do not think that would be recommended, unless I am totally wiped out. And none of these other strategies that we have talked about here, intrusion kill chain, zero trust, resiliency, none of those have worked, and we are down to buying the keys back. Are you with me on that thought process or am I wrong?
Steve Winterfeld: It goes back to the thing that we all hate to say, it depends. It depends on the industry, it depends on the business model. And whether or not they are going to pay. That is why you consider using a broker. There are companies that specializes in doing the payment or holding the payment until the key comes in and guaranteeing to pay the money, and knowing the reputations. I know of CISO's that I have talked to that have picked out who that broker would be, that third party would be, have them on speed dial once they have made the decision to pay to let that intermediary handle that. And lastly where you sit geographically determines how legal it is or is not to do all that.
Rick Howard: Because the laws in the US are different than the laws in say some smaller country somewhere. You have to consider all those things, is that what you are saying?
Steve Winterfeld: Yes and within the US it depends, if you think customer information is gone then you have privacy laws. It gets complex very quickly.
Rick Howard: One side question, this is not really about strategies but one of the things that people have talked about in poor defense against ransomware is to turn to the hardware manufacturers, like maybe Intel. Could they build us a chip that would be more resilient to ransomware? Is that possible, is that even been tried somewhere in the past?
Steve Winterfeld: Ultimately the more secure your hardware is, the better. I am just not smart enough to understand how that is a solution.
Rick Howard: Yes, we have been saying that for years about just OT and IOT environments. That if the manufacturers would just get on board. But I do not see that happening any time soon. Like you said I would not put all my eggs in that basket.
Steve Winterfeld: If you have not talked to your leadership including, and quite possibly up to the Board, this is the time to have the discussion, before you are in crisis mode. So please validate your back ups, please go out and do those exercises.
Rick Howard: Good stuff Steve, thank you for coming on and talking about all this.
Dave Bittner: Next up is my conversation with Michael Nordquist, Business Client Planning Director at Intel.
Michael Nordquist: Ransomware is the thing that is plaguing the industry now. It is definitely hot and it is out in the news right now. And it is a complicated thing as we actually get in to it. Typically you have got software that is looking for ransomware and things that are happening. But as the attackers get more sophisticated that is tending not to be enough. They are looking for more signals or more ways to actually detect that this comes in to play. And I think that is one of the cool things that a company like Intel can bring to the party. Where we have additional telemetry or more information now at that platform level, that we can work together with ISV's that are out there, to signal that a ransomware attack might be happening much earlier on and be able to detect that really quick before it becomes a problem.
Dave Bittner: Can help me understand, really let's just dig in to the basics here of the differences between hardware and software when we are talking about these things.
Michael Nordquist: Yes for sure. If you kind of take a look at the system overall, it is a stack up of different things that you have. You start at the foundation with the hardware and you start building up from there. And you have firmware that is built into that system, you have a BIOS that is sitting on top of it. Now in a lot of cases you even have a VMM that sits in there, like a Microsoft VBS, and then you have the OS. Then on top of that you typically have your EDR, XDR solution on top of that, it is sitting on top of that OS. So it has got to go through all those different layers. And one of the things we are able to do, since we are down at that foundation level, is we are able to bring some signal or some telemetry information, patch that through to that ISV that is sitting on top of the OS itself, to help it make more intelligent decisions. Because it would have more information than just sitting on top of the OS by itself.
Dave Bittner: What kind of information does the hardware have access to that is unique?
Michael Nordquist: We have some of these performance counters that are actually sitting in the CPU in itself, that can kind of go look and see what kind of actions are actually happening in the product. Is it starting to do encrypting or some different things happening down below at the file level, down below that file level? To see if there is different things that are happening that might be abnormal. They could be normal in some of the cases but they can give some signal to say hey, these sorts of things are actually happening. And they are looking at patterns to decide is that something that could be malicious in that space?
Dave Bittner: Does this add any level of complexity here for the user? How do they go about implementing something like this?
Michael Nordquist: That is the great part about it is, it does not add any complexity for the end user. So what we do is we actually have the technology that we work on and we bring out in this space. We then work with the ISV's in this space, to call our API's and take a look at what is happening in this area. So from an end user all you are actually doing is do I have the latest security software solution from that company to actually be able to go do it? I just download it, it automatically recognizes that I have that capability on my platform, and it just takes advantage of it. So from an end user perspective I have just got to have the hardware obviously in that case, and then I just have to have up to date software that is enabled for this.
Dave Bittner: What about for the software developers themselves? What goes into enabling these sorts of capabilities for them?
Michael Nordquist: We work directly with those folks and we have a SDK that we actually work with them on, a Software Developer Kit, where they can actually take advantage of this and do the calls that they need to do. We have found in this space it has just been ransomware. So we started way back, a couple of years ago when we were doing some various things around just accelerating, to do memory scanning capabilities. We started working with folks on that. Defender has already got that implemented. There is a 100 million plus systems out there deployed that are already using it. We switched and moved into Cryptomining, because that is another hot area where we can use these counters to do Cryptomining kind of analysis as well. We have got Defender, Cylance and Sentinelone and then we have turned our attention lately into ransomware, and taking similar types of SDK's to just enable that and start taking advantage of that. And we have got an announcement with Cybereason that is out there. But we also have several other ISV's that are going to be bringing out support for it in the coming year.
Dave Bittner: What sort of competitive advantage does this give to the folks who are implementing it?
Michael Nordquist: We think this gives a tremendous competitive advantage in this space, because you are starting to use some of that telemetry and that hardware that is there for more sort of things. If you are doing software alone there is so much that you can get done. It is not just in the ransomware in this space, that is definitely one of the cases. But there is all other kinds of attacks. We see ROP attacks that actually happen. We brought in a technology called Intel Intraflow Enforcement Technology for example and that gives you much better production. Actually prevents clusters of ROP attacks in this space. And so as we see the OSV's that are out there and ISV's start to take advantage of it, it helps them get that kind of next round of attacks and helps them get in front of some of the attackers in this space. And really utilize some of the hardware that is already there.
Dave Bittner: How has this affected you and your colleagues at Intel, in terms of, I am thinking as you are developing the current and next generations of some of this hardware? And the community is faced with these sorts of threats. Does this give you all an opportunity to put some things into those chips that you would not have otherwise considered?
Michael Nordquist: Yes, we have our own security offensive team looking for things that are happening in this space. But really when we kind of pull together and we work with the OSV's and ISV's and their red teams, we start to find different levels of attacks. And we might see different people that are trying to solve problems saying I cannot solve this by myself. One of the things I was involved in was the ROK-CT for example. In this case Microsoft was trying to prevent these classes of attacks and they were unable to do it with just software alone. They really needed some hardware support. So we sat down, jointly wrote a spec with them, develop that and built it into our silicon. We are seeing more of those are we look into the future of how do we combine the hardware and the software to offer better overall protection in this space? Some of it can be just that traditional we accelerate it. In some cases if you look back on some of the security things, people do not turn it on because it has got a performance hitter. It has got a user experience impact for that end user.
Michael Nordquist: What we are able to do is in many cases is just try to accelerate that by putting it into the hardware so you can crank up that security without taking a hit from the performance or user experience perspective.
Dave Bittner: Where does this fit in to the overall defense in depth? The various things that people have in place to help protect themselves, their employees, their organizations?
Michael Nordquist: I think it is holistically as you kind of look through it. There is not one answer in this space. And it is always evolving. You have to holistically look through it and say when I am making a PC purchase decision of the hardware, I am making a security decision. When I am choosing an OS and what version of that OS, and making a security decision. When I am choosing my EDR solution or making a security decision. How I am organizing my infrastructure, you have to holistically look at all these different things and kind of look at how am I protecting myself? How am I staying up to date? How am I making sure I have the most current software, hardware, firmware BIOS in this space to be as protected as I can be.
Dave Bittner: It is a really interesting point. I suppose one of the things here is that we are kind of in a world where when you are making these hardware decisions you have got to look beyond just clock speeds and number of core processors?
Michael Nordquist: Yes, I think one of the exciting things, Google is already on that path where they do updates every six weeks in this space. And they are updating the OS in different components. You have seen Microsoft come in now. It used to be I have got like six years in between an OS version. Now they are really starting to crank along six, nine months in that space where they are updating. And the cool part about that is it is enabling us to build in not just performance features or UI, it is building in security technologies. And so we are starting to see some of the security support come in in that space. People turning things on like visualization based security and bringing that in mid cycle into Windows 10. It is about CT that I just talked about earlier. And then as we kind of look ahead what are some of the other technologies that we can enable? And it could be just through that ISV perspective. I know the hardware is already there, I have got the latest version that I have just downloaded and I updated my security software.
Michael Nordquist: Boom, I have got extra support in this space. So from our perspective how do we make that super easy for the end user to take advantage of and deploy?
Dave Bittner: What are your recommendations here for folks who want to implement this sort of thing? What what are the types of questions they should be asking?
Michael Nordquist: In general start asking some of the security questions in this space. I think one of the challenges is, is it is a confusing area. For us what we have tried to do at Intel in this space is we have got a commercial platform called vPro in this space and it has got a hardware shield. If you are not really sure, I don't know what I need or what I don't need in this space, you know that if you buy that platform that you just get it. So that is how we are trying to make it easy for that end user. But there is also other programs that are out there. Things like Microsoft has Secure Core PC's for example. And all of our vPro PC's are capable of being Secure Core. So those are some of the things you can kind of look at just from a high level to make sure you are up to date. One of the things you have to look for is just kind of security assurance as you go through when you are taking a look at different products. Whether it is from Intel or anyone else. Do you have that methodology where people are designing their products with security first? It cannot be a tack on later on.
Michael Nordquist: You have a security development life cycle that starts way early on. Having bug bounty programs, going out and actually looking for those bugs and finding them. I think a lot of times people will say oh my gosh this person had a bug. They must have bad security. And I guess what I would caution people is in a lot of cases when people find bugs that is because they are looking. They are trying to find those things and then are they being transparent in there? Are they making updates as they find things? So something that could be a vulnerability has not been exploited yet. They have found it before it has been exploited, they have got a fix and they have got you actually working. I think that is one of the things that I am super excited about from an Intel perspective that I think we do really well. And I think as end customers look at that they have to ask those kind of questions of their suppliers and their vendors. What is their kind of security assurance value prop and promise in that space?
Dave Bittner: It seems to me that your hardware is so foundational to your organization and your security, you want to make sure that that is sitting on bedrock and not sandy soil.
Michael Nordquist: Exactly because attackers go where it is easiest in a lot of cases. And I think some of the OSV's have gotten a lot better at locking down some of the capabilities, adding things like visualization in this space. So attackers will go look at things they maybe did not look at before because they did not need to. From a hardware, from a firmware, from a BIOS and that is a lot of work that we have been doing in the past few years, to really beef that up and harden it up, which was not traditionally a point of attack. But we are seeing attacks get more sophisticated and start looking in those different areas.
Dave Bittner: On behalf of my colleague Rick Howard our thanks to Steve Winterfeld from Akamai for sharing his expertize and to Intel's Michael Nordquist for joining us. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the Start Up Studios of DataTribe, where they are co-building the next generation of cyber security start ups and technologies. Our senior producer is Jennifer Iban. Our executive editor is Peter Kilpie. I am Dave Bittner. Thank you for listening.