CyberWire-X 8.14.22
Ep 36 | 8.14.22

Red teamer's perspective on demotivating attackers.


Rick Howard: Hey, everyone. Welcome to CyberWire-X, a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the chief security officer, chief analyst and senior fellow at the CyberWire. And in today's episode, we are talking about bot mitigation by undermining the attacker's ROI.

Rick Howard: A program note - each CyberWire-X special features two segments. In the first part, we'll hear from an industry expert on the topic at hand. And in the second part, we'll hear from our show sponsor for their point of view. 

Rick Howard: I'm joined by Etay Maor. He's the senior director for security strategy at Cato Networks. Etay, thanks for coming on the show. 

Etay Maor: Thanks for having me. 

Rick Howard: So today we're talking about removing the financial incentives that motivate cybercrime as a strategy to reduce the probability of material impact due to things like ransomware. And just to put some context around that idea, the threat intelligence team in Palo Alto Networks Unit 42, they published research in June of 2022, saying that the average ransomware payment is just short of $1 million. That's million with an M, all right? And that's a lot of dough. So if we're going to try to remove the financial incentives to cybercriminals, that seems like a pretty tall order. So when you hear that as a potential strategy - in other words, that's what we're trying to do - what comes to mind in terms of tactics or the how you would go about it? When you think about this problem, Etay, what are you thinking about there? 

Etay Maor: So when I hear something like this, the first thing that comes to mind is actually a strategy or an approach that I really like that has been suggested by David Bianco years ago - the Pyramid of Pain. And that concept talks about what is it that organizations have to do in order to cause maximum pain, so to speak, to the attacker. 

Rick Howard: To the criminal - yeah, OK. 

Etay Maor: Exactly. And it's like a pyramid. At the bottom, you have things like dealing with hash values and domain names and IPs - not that there are bad things to deal with - right? - like if you want to put them on a deny list or on a watch list and so on. But at the top of the pyramid, you really have their tools and their TTPs, so how they think, how they operate. 

Etay Maor: A concept that I think is kind of missed throughout the Pyramid of Pain when sometimes people look at it and only focus on the top is the holistic approach. So we actually have to touch and acknowledge each and every step that the attacker has. I think to stop an attacker, you really have to look at the attack as a holistic event and not as a set of separate events. 

Rick Howard: Yeah, it's one of my pet peeves in the industry that for the longest time, security practitioners like us, you know, we would focus on the eaches, the technical eaches. Let's prevent this exploit from happening by patching. Let's stop this piece of malware from happening. On and on - this bad IP address - and that doesn't seem to be enough, and to stop the incentive from these ransomware people to make a million dollars on whatever victim they're going after, like you said, it has to be so painful to them that they decide to abandon it altogether and not even go forwards. And what you're saying is it needs to be a much more comprehensive defensive posture designed for, like you said, specific adversaries. Is that what you're getting at? 

Etay Maor: Instead of approaching it as, hey, let's stop the phishing or let's stop the malware that has infected the device or - we need to stop the whole thing and try to approach it and stop each and every step of the way, which, you know, at first may seem, hey, we have a set of problems when you look at a ransomware attack, you know. Especially one of the visualizations that I really like is when you take these attacks and put them on the MITRE ATT&CK framework, and it becomes really obvious that there are multiple stages of all these attacks. And instead of stopping just one of them and say, hey, instead of many problems, we have actually many opportunities. We have many choke points, so to speak, in order to stop this if we can actually look at the attack as one holistic event that in which we can use all the different security tools that we have in order to share context and be able to stop it. 

Rick Howard: Feel like this is known throughout the industry, but hard to implement. I mean, the original whitepaper from Lockheed Martin back in 2010 - the intrusion kill chain paper - they're the first ones that came up with the idea that instead of trying to block the eaches, that we would design our defenses around specific adversary behavior in their entire attack sequence. And if you look at the MITRE ATT&CK framework - probably the most comprehensive open-source collection of that kind of activity - you know, those sequences have anywhere from 30 to 100 steps, right? And like you said, that's an opportunity to prevent prevention controls in each of those steps, so even if the bad guy gets through one of them, they still got to figure out a way through the other 29 or 99, depending on how complicated their sequence is. 

Etay Maor: Yes, the kill chain has been around for a while. But we've been looking at - as a set of solutions, I would call them very siloed solutions. And I get it. You know, I'm a security guy, and I say, hey, you know, just integrate everything and make everything share context and information. It's so easy. Why are you not doing that? 

Rick Howard: So easy. 

Etay Maor: Yeah. 

Rick Howard: Yeah. 

Etay Maor: It's not. 

Rick Howard: If it's such a great idea, how come nobody is doing it, right? That's what you're saying (laughter). 

Etay Maor: ...Try to do as soon as you walk into the SOC and you see security engineers and analysts and, you know, as much as it's nice to take a photo of somebody sitting in front of six screens, for them, it means sitting in front of six or more security products and trying to correlate and connect this information. And actually, what we're seeing is that a lot of these security professionals are becoming integration engineers trying to share the data between, hey, I have my threat intelligence feed and (inaudible) without the false positives and feed them into my firewall or to the endpoint or to the SIEM and take that and feed it to something else. And so it is becoming very, very hard. I'll also mention one of my pet peeves is when... 

Rick Howard: OK. 

Etay Maor: ...I see articles on the internet that say, hey, Company X got hacked due to a phishing email and Company B got ransomed due to a vulnerability in their system. And that also is like - it's like trying to point to a single point of failure when actually, when you have a breach and when you have a ransomware attack, you actually have a systematic collapse of all your security products and procedures because it's never just - the phishing was to get in, but then they had to do lateral movement and collect passwords and do this and that. And there's so many other steps. 

Rick Howard: I totally agree with you there. That's one step out of the 30 or the 99 that the adversary had to do. And you - what you said is correct, the wholesale failure of your entire defensive posture, 'cause they had to do all these other things to be successful. I totally agree. I cringe every time I see that. 

Etay Maor: And when there's $1 million at the end of the day, of course they're going to take the extra steps and do these things. 

Rick Howard: Well, let's go back to what you said before about the complexity. This is 2022. When the Lockheed Martin researchers did their paper, that was 2010. Most of us only had our own data centers and maybe a couple headquarters buildings. The complexity for implementing a defensive posture for intrusion kill chain was hard enough then when we only had that. But today, we're scattered all across all kinds of data islands, multiple cloud providers, SaaS applications. Now people are mobile everywhere. So the complexity of this entire thing has been really difficult. So as a security practitioner, what's your advice to CISOs and CIOs out there to - how do they think about this? 

Etay Maor: And there's even more, right? There's IoT end devices and bring your own devices and... 

Rick Howard: Oh, yeah. 

Etay Maor: ...Cloud application and... 

Rick Howard: (Laughter) That's right. Let's not forget those, yeah. 

Etay Maor: So yeah, it is indeed extremely complex. I was asked a while back, what was the No. 1 threat today to companies? And I said that the No. 1 threat is actually not any of the threat groups that everybody discusses; the No. 1 threat is the complexity of the solutions that we currently have in place. And I'm not trying to be a smartass (laughter) about it. I really believe in it. Having an average of 30, I think, to 50, in the large organizations, security solutions is not easy to manage. That's one element. The other element is - going back to what you said, is we also want to make sure that, with security, we have the policy following the user and not us trying to constantly chase them and try to see if we can apply the same security requirement and policies from, you know, whatever it is - if it's a user, if it's a cloud application, if it's in your data center or if it's somebody working in the office. 

Etay Maor: It has to be some form of consolidation or actually convergence of all these different elements that would allow you to have a central location to create a policy that will follow the user to look into every network flow and every element of - and any connection to your network, regardless of what it is, and apply those - apply context. That's extremely important. We're talking about - actually, if I have to break it down, I would say there are four stages here. First of all, be able to collect everything, all the network connections that are out there, whatever it is, wherever it's coming from. Then add context to it. You know, which user was it from which network? What were they trying to do? Apply the policies that you want to that specific connection. And then, of course, enforce it using the different security capabilities that you have in place. 

Rick Howard: So if we have any hope of putting prevention controls or even just detection controls for all the known adversary groups in the MITRE ATT&CK framework - and last time I looked, there was about 150 different campaigns that those guys keep track of. And that's not a lot, by the way. It seems like when you read the headlines that there's millions of these hacker groups out there. It's not. It's just a small number. And we know 90% of what they do in cyberspace. So it should be an easy thing to put those prevention controls or deploy those prevention controls in the security stack that you're running in your organization. But all this complexity we're talking about is what's causing the problem. 

Rick Howard: And what I think you are outlining is that it's a shift in the security practitioner thinking - say early 2000s, when we all sought out best-of-breed tools. We needed the best antimalware solution. We needed the best firewall. We needed the best intrusion detection system. And so we would go out and buy all these eaches (ph). And like you said, even small organizations have 15 security tools in their security stack. And Fortune 500 companies, I've seen some with well over 300 security tools 'cause they had the money to do that. But managing all that complexity has been difficult. So the shift, then, is away from best-of-breed to tools that are good enough and are automatically orchestrated for you across all those data islands, right? We need one policy that says here is the prevention controls for Panda Bear, and it deploys it to all the data islands that we have - the cloud providers, the mobile devices, the SaaS applications - whatever it is. I'm looking for that kind of a solution. Is that what you're advocating? 

Etay Maor: Exactly. And like you said from the early 2000s about layered security. And I like the approach of layered security, but it doesn't mean that for each layer you have 10 different, so to speak, boxes, and then you have other layers as well. I mean... 

Rick Howard: Or the same kind of box for the cloud, but a different vendor back in your data center, right? That makes it even harder. 

Etay Maor: Exactly. I mean, I don't envy the security person who has three different firewall vendors at 15 different locations, and then they need to update the policy? Like you said, Panda Bear is - we found a new IOC or we found a new signature. Update all of them. What about patching all of them and changing the policies? And there's so many other things. So chasing these boxes globally and also locally is - that's the on-prem kind of thinking. And I think with organizations constantly talking about digital transformation and what we need to do in order to be the best in our business, same thing has to happen with security and networking. We have to get out of this on-prem mindset. 

Rick Howard: So to go back to the original question, then, we're trying to remove the financial incentives for cybercriminals to be successful, I guess. We're trying to prevent them from getting $1 million payout. That means we have to completely simplify our approach to deploying prevention controls for known adversaries, especially ransomware groups. That's kind of where we're falling down here, right? 

Etay Maor: Deploying and managing and - yeah, the whole lifecycle of a security product. Now, not you or I are naive to think that criminals are going to start, you know, selling ice cream tomorrow because we put some new signatures in place or put in some new products. Of course, they're going to have... 

Rick Howard: What? Sure they will. 
Etay Maor: I like the statute. But it is something that we have to start implementing, especially in terms of the ease of management and the ability, also, to - like I said, going back to my initial point - have full visibility into everything. And trust me, it hurts me as a security guy to give the IT guys the criticism: it starts with the network. It starts with being able to see everything. Because we've seen this several times, and in ransomware attacks as well: if one path was blocked - oh, wait, that company has a user who was working from home who brought in his own device - that's my way in. So we have to have full visibility into everything. So it starts with seeing everything on the network and then applying, like you said, not necessarily just by server (ph) but something that we can manage, something that will provide us the context, something that will give us a holistic view and actually turn all these small elements that we've been looking at so far into multiple opportunities to stop the attack. 

Rick Howard: Well, it's all good stuff for you, Etay. But we're going to have to leave it there. That's Etay Maor. He's the senior director for security strategy at Cato Networks. Etay, this was a fantastic conversation. Thanks for coming on the show. 

Rick Howard: Next is Dave Bittner's conversation with Sam Crowther, the founder and CEO of Kasada. 

Dave Bittner: So today, we're talking about a red teamer's perspective to demotivating attackers. I'd love to dig in and just start with some high-level stuff here. Can we sort of establish a ground-level, baseline truth here? I mean, what are the things that motivate cybercriminals? 

Sam Crowther: Look, I think they're cybercriminals because, you know, there's obviously many different types of actors online - money - right? - opportunity to, you know, bring in cash to either support their families, support themselves or a little bit extra on the side, right? I think that's one of the biggest motivators, unfortunately. 

Dave Bittner: And so what does that mean for the defenders? In terms of, you know, having that be the reality, how does that inform how we set up our defenses? 

Sam Crowther: What it helps us, and then I guess forces, you know, defenders to take a good frame of reference on, is how much is there to be made, right? And I think it - that really will inform the investment that's going to be required or at least, like, inform how much, like, effort and deliberate decision-making needs to happen in order to protect it, right? Like a really good example would be, like, if someone's selling, you know, stolen customer accounts - right? - on a website for $2 a pop, that organization basically has to make it cost $1.99 or $2 or more for every valid, stolen account that gets leaked, right? And that sort of just changes, I guess, the - maybe some of the decision-making that's going to happen around the defense. 

Dave Bittner: And how have we seen this play out? I mean, as we've - I'm thinking of things like ransomware that's become more focused over time. And we've gone from regular phishing to spear phishing. It seems as though the loot that these folks are going after, in many cases, has gotten bigger. 

Sam Crowther: It has, right? And that's what's driving the more sophisticated actions. Because, you know, I think a lot of, like, anti-spam technologies for email or whatnot have lifted the bar. And so, you know, while generic phishing can be profitable in some cases, clearly the ROI is not there, right? And so that's why they're moving, I guess, more upmarket in their attacks, so to speak, and moving to spear phishing, you know, moving to more damaging cases of ransomware and hitting organizations, maybe, in places that they weren't previously hit, purely because there was somewhere easy they could still make a profit. 

Dave Bittner: You know, there are some old sayings about this sort of thing. Obviously, we talk about low-hanging fruit. There's the other old chestnut about, you know, if you and I are being chased by a bear, I don't have to outrun the bear, I just have to outrun you. To what degree is that true here, with this sort of thing? I mean, is this a matter of raising that fruit so that there's less for the bad guys to grab? 

Sam Crowther: It definitely is, right? And unfortunately, there is absolutely an aspect of, you don't need to outrun the bear, right? That is an unfortunate truth. And so understanding, you know, where else they're going to go is critical. But that also, you know, forces folk - and I think there's a very good, you know, conscious thought that needs to be had and discussion that needs to be had - can they go elsewhere, right? Because there will absolutely be cases where they can't, where you are the only one that has what they want. And, you know, that's obviously a very different dynamic. But if that's the case, again, it - you - like, it needs to inform the way in which, you know, you think about defending yourself moving forward. 

Dave Bittner: Well, let's explore that. I mean, what are some of the ways that people can make it so expensive for these bad actors that it's not worth their time? 

Sam Crowther: Well, I - this varies a lot - right? - based on the problems that are being faced, right? And I'm obviously very familiar with the space that we operate in, which is really focused on, you know, automated tools being used to abuse, like, websites, mobile apps, like, e-comm platforms and whatnot. So a really good way to increase cost, you know, across the board, especially in the area that we operate in, is actually increase the skill that's required to take out an attack, right? Because it inherently narrows down the number of people that are going to be able to come after you, which means that, you know, internal security folk can, you know, dedicate their resources to the ones who are going to cause the damage, which sort of creates a nice little cycle of, it makes it more expensive for those more sophisticated folk because there's more resources focused on them. 

Dave Bittner: And I suppose for your staff, it means they're not, you know, chasing around - they're not swatting at flies. 

Sam Crowther: Exactly. Right? That's the - you know, the fewer flies there are to swat at and the more, you know, actual big, juicy targets there are to focus on, the better it is for us as the defenders. 

Dave Bittner: Can you take us through how this works? I mean, what are some of the specific things that organizations like yours put in place to slow these folks down? 

Sam Crowther: There are two real components to the way we think about this. One is skill, right? Because that's a great way to waste someone's time. If they need to learn totally new things, they're likely to go elsewhere. And the other is actually compute cost, right? You know, in a day and age where you can just spin up a server for, you know, $0.15 an hour and launch some pretty devastating attacks - right? - if we can actually make it cost more at the compute layer - right? - that is a great way to disincentivize, you know, any sort of malicious behavior at scale, right? It really undermines, you know, truly the ROI equation that they do: it's going to cost me X dollars to, you know, crack an account, and I can sell them for Y dollars, right? And if that equation does not make sense, they just will not do it. 

Dave Bittner: Well, help me understand how that works. How do I increase their cost? 

Sam Crowther: Yeah. So what we've done, specifically - and this is actually - this was attempted in the - I think the early- to mid-'90s for email - is we basically designed this concept of an asymmetric proof of work, right? So think of it as a math problem that's far more difficult to solve than it is for us to verify. And so what that lets us do is have a strong asymmetry in the amount of compute required in order to even attempt to launch attacks versus what it takes for us to defend against them. And so, like, thinking like that is like, hey, how can you asymmetrically increase the cost of the compute layer? Proofs of work are a very good way to do that. There also can be other ways - right? - like targeting connections. There's a plethora of different mechanisms that can be used. But being very strategic about them is very important, because all of a sudden, you can take someone's infrastructure cost from $20 to launch a significant attack to tens of thousands of dollars if they're not careful. And that is, you know, the ultimate scenario. 

Dave Bittner: And how do you do that while simultaneously not increasing friction for the legitimate users? 

Sam Crowther: Yeah, so making sure that everything is done invisibly and at the compute layer is absolutely key, right? Because the reality is, you know, bots and automated tools, when they're used to attack, are used because they can scale. And so while the impact on an individual may not be, you know, substantial at all - right? - and will often completely go unnoticed, when you scale that up, it becomes very problematic. Because, you know, the attackers are not doing, you know, one log-in every day. They're doing millions of logins an hour, a minute. And so that's when, you know, their cost starts to exponentially go through the roof. 

Dave Bittner: How does someone measure success with this? You know, if I'm reporting back to my board of directors and I say, hey, we put something like this in place, you know, what sort of numbers do I have in my back pocket to show them? 

Sam Crowther: Look. So there's usually - there's a combination of the business metrics - right? - and that could be decrease in fraud, decrease in customer complaints, increase in, like, conversion from new accounts that are created. But then on the flip side, you know, there's usually metrics which could be shown around, like, well, how many attacks are these folk attempting, you know, today versus yesterday versus last week? And so if you can actually see a decline in the attack traffic, you know it's doing a great job, because that just verifies, you know, not only are they not making the money - the business can see they're not losing the money - but the attackers aren't hitting as hard because it costs them too much. 

Dave Bittner: Is there such a thing as sort of a - I don't know - reputational advantage among these dark web operators? Do they talk? Does word get around and folks say, hey, you know, don't waste your time on this organization? They've got things buttoned up pretty well? 

Sam Crowther: Yeah, absolutely. That's - that is something we find is the folk who are responsible for launching a lot of these attacks or providing the tools will often just not support organizations that have good defenses in place because they know it looks bad on them, right? Like, if they sell something to someone else, you know, in order to maybe help crack accounts on a website, and it doesn't work properly, it reflects poorly on them as the seller, right? Like, they have these unbelievable marketplaces where they're all rated. And so, you know, it's in their best interest to target websites that are going to be easier for other folk. 

Dave Bittner: So what are your recommendations for people who want to explore this, who think something like this might be a good solution for them? Where do they begin and what sort of questions should they be asking? 

Sam Crowther: The first sorts of questions and the first steps are usually to be, how do we figure out if this is a problem and, you know, why would it be a problem? So looking at, you know, interaction points that someone is likely going to go after - right? - you know, simple things, like actually visualizing maybe log-in traffic over the last 14 days, right? Does it follow a beautiful, cyclical pattern - right? - day and night, day and night? Or is it all over the place? What are the sort of rates of chargebacks on purchases? Those sorts of questions are important ones. And, you know, businesses will obviously have their own specific interactions like that. But from there, it's very easy, usually, to go, OK, there is a problem here that needs investigating, and to look at actually going to solve it. 

Rick Howard: We'd like to thank Etay Maor, senior director of security strategy at Cato Networks, and Sam Crowther, the founder and CEO at Kasada, for providing some clarity to us around the idea of botnet mitigation. And we'd also like to thank Kasada for sponsoring the show. "CyberWire-X" is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity startups and technologies. Our senior producer is Jennifer Eiben. Our executive producer is Peter Kilpe. And on behalf of my colleague, Dave Bittner, this is Rick Howard signing off. Thanks for listening.