Innovation Lessons We Can Learn From Hackers - overview

In 2022, cybersecurity is no longer about protecting secrets. It is about our way of life that relies on digital technology everywhere: from clouds to smartphones, from medical facilities to stock markets, and everything in between. In the past 2 years, threat actors have innovated faster than ever before, even using “growth hacking” tricks to increase the impact of their criminal enterprises. At the same time, our own connected lifestyle and digital footprint keep changing at breakneck speeds. How can we prepare for what comes next? By learning from hackers! Keren Elazari, security researcher, TED speaker, and friendly hacker, joins us for a conversation on emerging security threats, new attack vectors and techniques, and innovation lessons we can learn from hackers. Talk breakdown:

  • 0:00 Introduction
  • 1:23 Innovation lessons we can learn from hackers
  • 43:46 Q&A

Key topics on Innovation Lessons We Can Learn From Hackers

  • Hackers can actually help us build a digital immune system for the information age.
  • Ransomware operators target different types of companies, different geographies and different sectors.
  • The classic infection vector is how a lot of ransomware gets its first start: through a phishing email with a Word document, PDF or link, tricking the end-user into clicking on it, which initiates a payload process.
  • Slack has become both an infection vector and an arena for attackers to base themselves in an organization and be one step ahead of the defenders.
  • The fact that we know about more vulnerabilities and bugs doesn't mean the situation is getting worse but just that we're exposing more of the digital world we're living in.

Expanding your knowledge on Innovation Lessons We Can Learn From Hackers

Introduction - Innovation Lessons We Can Learn From Hackers

(The transcript of the session)

Ev: 00:00:02.953 Hello, everyone. And thank you for joining our speaker session today. My name is Ev Kontsevoy. And I'm CEO and co-founder of Teleport. For those of you who don't know Teleport, Teleport is the easiest and most secure way to access computing infrastructure. But Teleport is not the reason we're here today. This is the 2022 Security Visionary Speaker Series. And we've got a great one for you this morning. I'm super excited to have Keren Elazari joining us to talk about innovation lessons we can learn from hackers. And you might know Keren from her excellent TED Talk or one of her many other speaking engagements. The thing about Keren is that she's always surprising. And she always has something unexpected and educational to share. So I'm sure you're in for a treat. If you have any questions for Keren, please ask them in the Q&A option. I will be moderating the Q&A at the end of the talk. And now, without any further ado, Keren, thank you for joining us, and take it away.

Keren: 00:01:08.834 Thank you so much, Ev, for that fun and lovely introduction. So happy to be with you all today. Teleport, thanks for having me. This is an invitation for all of you over there, wherever you are in the world, to join me on this fast journey, a journey where we'll learn everything about innovation from hackers. And specifically, we'll see how criminal groups have innovated and have reinvented themselves and their business model in the last two years. As you heard, my name is Keren Elazari. But in the hackers' world, I'm also known as k3r3n3 or Kerene. It might seem weird. But it's just hacker slang replacing the letter E with the number three. So if you want to find me online on Twitter or on my website, it's k3r3n3.com. Now today, we're going to take a deep dive into the way hackers, malicious hackers, and criminals activate new types of attacks using every type of innovation possible, from an innovation to the business model to new types of attacks, zero-day vulnerabilities, and even creating new ways to recruit talent and resources into their criminal underground. Now, the reason I'm really fascinated with what criminal hackers do is because I've really been a hacker for more than half my life. So starting very early, right here in sunny Tel Aviv, Israel, where I'm speaking to you all from, I was a very curious little girl. I spent a lot of my time at the school lab and at my computer library in our lab. And I also spent a lot of time learning and searching for facts and for information. And when we first got access to the World Wide Web, I realized, "Here is access to all of the world's information right at my fingertips." But I had to teach myself how the World Wide Web worked. And nobody was there to teach me. We didn't have HTML classes or web development classes in my school. It was the mid-90s.

Early start as a hacker

Keren: 00:03:06.384 So I had to teach myself. And a lot of that was through reverse engineering, seeing how the Internet was built, seeing how web pages and web applications were working, and understanding how internet servers were really making all that content available to me. I didn't really know it at the time, but many of my actions consisted of hacking. I was bypassing the PHP password protections and getting into databases. I was finding servers online that were not supposed to be accessible to everybody. I was really expressing my curiosity and learning about the world of hackers at the same time. Now, I didn't really see myself as a hacker. In fact, I didn't look like this very young, sweet girl. Here's an actual photo from the yearbook of my school. So in case you want to hack me, I saved you the trouble. This is probably my most embarrassing photo. And it's an actual photo of me with my fellow kids. Although, I'm really the one that's standing to the side. So you might not expect it, but this is me. I'm that kid in the corner, the one that's wearing her Sony Walkman to the school photo because I really believed in the power of technology. And it transported me to another world, a world where people who can wizard and master technology are the masters of their own story, the heroes.

Keren: 00:04:26.296 And the reason I believed in that was because I met my first hacker hero when I was about that age. In 1995, I met my first hacker who changed my life forever, her name, Angelina Jolie. She portrayed Acid Burn as a fierce high school hacker in a Hollywood movie simply called Hackers. Maybe some of you have seen it. Please let me know in the chat. I think there's an entire generation of security professionals and techies who chose a career in the world of cybersecurity and technology just because of movies like War Games, Hackers, Sneakers, and The Matrix. For me, it was Hackers. And it was this group of high school kids who are really the heroes of their own story. They're the ones who use their hacking capabilities and their understanding of how technology really works to prove to everybody, including the FBI and global corporates, where the real cybercriminal was hiding. Now in case you haven't seen the movie, I think it was really ahead of its time. It came out in 1995. Those hackers actually had to deal with a ransomware-type virus. Which is really interesting, in '95, a virus threatening to capsize an oil tanker unless it's paid a million dollars, really ahead of its time. So the movie really showed me that hackers are not just masters of their own universe, they're also the ones who can find a clever way to use any new technology, especially the technologies that we rely on. So that was part of my pathway into the hackers' world. And this is why today, I'm still fascinated with everything that we can learn from hackers. I really believe they show us what's possible out there in the world.

Learning from malicious innovation

Keren: 00:06:06.877 And so in 2013, I shared the message that hackers can actually help us build a digital immune system for the information age, that hackers are part of our world, and that we need hackers — that malicious hackers force us to evolve. But there's also a role for friendly hackers to act as that immune system to help us identify vulnerabilities, find bugs that we don't know about, and fix them. And today in this session, we'll spend a lot of time with both types of hackers. But we'll start with those malicious hackers because I really think cybercriminals nowadays are the early adopters for a lot of interesting technologies and techniques. And there is so much that we can learn from them. In fact, we can't afford to waste this opportunity to learn from what these criminals are doing because they spent the last two years reinventing the way they do things. Now one of the best ways to learn from criminals is to look at the phenomenon of ransomware, which, to me, is just a really fascinating way to explore what I like to call malicious innovation — all of the different ways that criminals have innovated their business models. So ransomware has existed for a couple of years. It's not new. However, the last two years have shown us that ransomware operators really spend a lot of time and attention in crafting their techniques and their attacks. So let's get to know some of these ransomware operators.

Ryuk Ransomware

Keren: 00:07:31.418 First character I want to share with you all today is Ryuk. If you're scared by Ryuk, that's okay. It's a scary character. It's actually named after a character from a Japanese animation series, Death Note. If you don't know the show or the comics behind it, ask a teenager, and they'll know it. Ryuk is the god of death in that show. But in the ransomware universe, it's a very powerful, quite fast piece of ransomware that has its own kind of Death Note. This is what their ransom notice looks like. If you're as unlucky as some organizations, and you get hit by Ryuk, you'll see this notification on the screens of your end-user computer stations. Now with this particular note, Ryuk really uses fear tactics as a distraction or as a mechanism to get people to comply. So Ryuk says, "Do not reset. Do not rename the files. Do not delete anything." Ryuk says, "No system is safe." They deliberately use fear tactics. And Ryuk, just like the god of death, actually went after hospitals. So in the United States, Ryuk decided and the people behind Ryuk decided to launch an attack against at least one network of hospitals called the UHS. Some of you might be familiar with this chain of hospitals across the nation. Clinics, hospitals, people's doctor visits, and even operations were disrupted because of Ryuk. During the height of the pandemic, during one of the COVID waves, Ryuk deliberately went after hospitals because they decided this would be prime time to get paid for their ransom demands.

Ryuk attack on Sopra Steria

Keren: 00:09:08.734 But Ryuk doesn't only focus on US organizations or healthcare. It's actually quite versatile. And many of these ransomware operators target different types of companies, different geographies, and different sectors. So Ryuk also went after an IT company called Sopra Steria. Now, you might have never heard of Sopra Steria. But if you've ever visited France and gone through border control, the machines at border control at French borders run on Sopra Steria software. If you've ever done any kind of business online or physical with a French bank, your transaction probably passed through some Sopra Steria software. They're a multibillion-euro company that develops code and technology products for a lot of French organizations. And they even have their own security department. But they were still hit by Ryuk. And according to their own message, the attack probably cost them between 20 and 30 million euros. And that's just in recovery because they chose not to pay the ransom. But this did get them on the radar. It got Ryuk on the radar for the French security agency, [inaudible].

Keren: 00:10:15.102 And they actually produced this fascinating report. Now, I know that might not be your go-to resource for cybersecurity easy reading. But it's a very valuable report to understand how Ryuk evolved. So throughout 2020 and 2021, Ryuk, just like COVID, had variants. It had an evolution phase where new capabilities were added to the ransomware, capabilities, just like COVID, that enabled it to infect systems faster and to move from one victim to another faster. So amongst other things, Ryuk developed a new wormlike capability that enables it to move almost autonomously from computer to computer without the control or direction of its operators. Furthermore, it used things like scheduled tasks and RPCs or remote procedure calls. If you're unfamiliar with those, they are very normal things that happen and take place on most Windows machines on a lot of desktops. So it's very hard to identify malicious traffic when the malware itself masquerades as normal system processes and normal network traffic. And this is not a coincidence, it's done because Ryuk tries to hide in plain sight.

Keren: 00:11:28.990 Another fascinating thing we learned from the French investigation was that the operators behind Ryuk worked pretty hard to reduce the time from the initial intrusion to the infection and getting paid. So in some cases, it went from — it used to be a couple of weeks maybe when they first got access to a network and then they start infecting machines and encrypting them and then requesting the ransom. And it went down to almost 48 hours in some cases, so moving extremely fast. Now we'll go back to speed later on because this is actually an attribute that ransomware operators compete on. So ransomware creators are competing and continuously trying to improve their product and to improve their speed of encryption. And just like COVID, we have variants, we have strains. And it's not just Ryuk that we have to contend with. There are new types of ransomware operators and capabilities all the time.

Infection vectors

Keren: 00:12:26.440 Now let's talk about some of the infection vectors. How does Ryuk get into an organization in the first place? The classic vector you might have heard about, and this is how a lot of ransomware gets its first start, in fact, how a lot of attacks get their first foothold is through an email, a phishing email with a Word document or a PDF or maybe a link, and the end-user is tricked into clicking on that link, which initiates a payload process. This is a classic vector. However, in the last two years, we saw very interesting, new sophisticated vectors. So the second one would be to use credentials, credentials for somebody that works in the company. It might be a remote desktop connection. It might be a VPN. It might be credentials for some cloud assets or Office 365. And these credentials are either harvested from previously leaked password databases. Or they are traded for money with other criminals who specialize in farming these types of credentials and then selling them out to other criminals. Or in some cases, they are even bought from people that work in the company. And I'll show you a couple of examples for that in a minute. Now the most sophisticated attack vector that we've seen is actually targeting those remote connections directly, so finding an exploit or finding a way to attack the router software or the VPN software or the firewall or any other type of architecture asset that might have an unpatched vulnerability or even a zero-day vulnerability that the attackers can leverage to get their first foothold into the network. And this might be cloud assets. It might be remote connections. But they've definitely done that.

Leaks from behind the scenes

Keren: 00:14:12.477 Now one of the reasons that I get to know so much and that you get to know so much about the way these ransomware criminals operate is because there's actually been leaks, fascinating leaks from behind the scenes. And I spend a lot of my reading time looking through chat logs for these criminals' organizations and how they behave and how they plan their activities. So I want to make sure that I'm clear here: the hackers behind Ryuk and other ransomware operators, they're not just opportunistic teenagers sitting in a basement. They're actually managers and planners. For Trickbot and Conti, which are two of the very successful ransomware operators right now, we know from leaks from behind the scenes that the people that run the operation — they drive very expensive cars. They have office buildings. They even have training seminars for their employees. And according to one report, they invest back into their own infrastructure about $20 million a year. Think about the company you work at. Does your company get to spend $20 million back into R&D and infrastructure? And what would your revenue model have to be like for you to afford that kind of investment? This is part of what the criminals do.

Keren: 00:15:26.635 Now it's also fascinating, and if you like to learn more, the Conti leaks are really a vast, vast pool of information. But it's really fascinating to understand attackers' behaviors. And I want to go into a few more technical details from one of the recent attacks because I think that there's so much we can learn from that. So Conti, which is one of the operators I just mentioned, had a very infamous attack on the Irish healthcare system in the last summer, in the summer of 2021. And unlike a lot of other organizations, the HSE, the healthcare systems in Ireland decided to actually commission an independent report. So there's 150 pages in this report about the Conti cyber attack. And it details the timeline of the incident, how the attackers got in, what they did. It's a fascinating read. And it teaches us as defenders quite a lot.

The Conti cyber attack

Keren: 00:16:22.997 But in case you're bored, and maybe you don't want to read 150 pages, let me give you some incentive. Let me give you a summary. So this researcher tweeted that reading through the entire incident report should be mandatory reading for every defense course. I actually agree. But here's a couple of highlights. One of the things we discovered was that Conti actually spent a lot of time on a network. So this is a more strategic attacker. They're planners. They're not trying to reduce the time from their initial intrusion. But further, they spent a lot of time on the “Patient Zero” device. The first device they got access to — they spent a lot of time learning the applications, normal network traffic, establishing their foothold, waiting for an opportune moment. Second fascinating thing is that some of their enterprise security systems for that organization actually detected the activities of Conti. But they didn't block it. Specifically, they detected usage of tools called MimiKatz and Cobalt Strike. Now please let me know in the chat and the comments whether you know Cobalt Strike or MimiKatz. I'm going to explain about them in a minute. But these are tools that are very popularly used by a lot of attack groups. And I think we need to understand why they're used and why they're so popular and why they were detected but not blocked, which was fascinating.

Keren: 00:17:43.517 The third thing we can learn from the Conti attack was actually that they knew what was happening in the organization. So the attack launched the ransomware, started encrypting files, and demanding ransom one day after an enterprise-wide rollout of a new security feature, an EDR tool, was announced. So they are tracking internal messages, emails, and notifications by the IT department that said, "We're going to roll out this new security tool, this EDR, endpoint detection and response, tool." And that's when they chose to strike. They might have been waiting for a more opportune moment. But that's what kind of triggered them. So they knew a security upgrade was going to happen. And they decided to make that moment their mark.

MimiKatz and Cobalt Strike

Keren: 00:18:26.546 Now I mentioned Cobalt Strike and MimiKatz. Hopefully, some of you know Cobalt Strike. But for those who don't, there you go. Here's an introduction. Cobalt Strike is a tool used very popularly and originally by penetration testers and ethical hackers. I used it probably more than 10 years ago when I was consulting and doing ethical hacking. And now today, it's used by criminals to find ways to privilege escalate within a network. So it includes exploits and different types of attacks that they can launch against known vulnerabilities within a network environment. And one of the reasons that they use it is because they know it's also legitimately used by security testers. So not all security systems block Cobalt Strike, which is what actually happened at the Conti attack. Another tool that they like using, and a lot of the attackers love it, is MimiKatz. Now MimiKatz is one of my favorites. It's an open-source tool. It was actually created by a friendly security researcher, a French guy, called Gentil Kiwi who developed it to show how you can easily harvest credentials, passwords within Microsoft Windows environments. Now with MimiKatz, attackers can easily launch an attack that will harvest passwords and allow them to identify admin passwords or maybe Active Directory admin passwords, and basically build their way, privilege escalate their way from one maybe workstation to an Active Directory to somewhere else. And MimiKatz is easily available online. Anybody can use it. And there's no excuse for us as defenders not to look for MimiKatz on the network.

Slack as another hacker favorite

Keren: 00:20:04.033 Now I want to move on from Cobalt Strike and MimiKatz to another tool attackers love using. This one — I'm sure you're all familiar with. It's called Slack. Everybody uses Slack. There's very few organizations around the world that don't use Slack. And especially as we all went to lockdown and remote work, Slack became even more popular. So of course, for hackers, Slack became both an infection vector and an arena to base themselves in an organization, know what's going on, get even into intimate response chats, understand the response to their intrusion, and be one step ahead of the defenders. Now one of the first cases that kind of publicly or famously we learned of Slack being used by attackers was actually the great Twitter hack of the summer of 2020. If you remember, this is when a lot of verified, well-known profiles on Twitter, including Elon Musk and Bill Gates, were actually participating in a very weird Bitcoin pyramid scheme. Now one of the reasons this was made possible — and of course, I'm simplifying the attack chain a little bit. But one of the reasons this was made possible is because the hackers got access to a Twitter Slack server. And they actually convinced a Twitter employee via a Slack conversation to reset an admin password for one of the internal Twitter systems. So it was not a hack of these individual Twitter accounts. It wasn't Bill Gates' account that was hacked individually or Elon Musk's account, but rather an internal Twitter system. And this is what gave those young hackers, allegedly teenagers, access to so many of these verified accounts.

Keren: 00:21:49.152 Now of course, the ludicrous Bitcoin pyramid scheme they tried to launch was so weird that it got on a lot of people's radars. And thankfully, it didn't lead to very significant damage. But this vector of using Slack has become extremely popular. Now just a few months after this happened, in 2021, Slack was also the vector used to hack another company that you might have heard of, EA. EA is Electronic Arts. This is the publisher for popular games like FIFA 21 online, a video game for soccer. And when EA was hacked, it was a similar technique. It was through a Slack server. This time, the attackers actually bought a cookie. They bought a cookie from a previous employee or through some access brokers and other hackers. And that cookie enabled them to log into a Slack server. And then they started speaking to the employees at this company, at EA, and convincing an administrator to reset a specific password. They were also able to find within different channels in that Slack server interesting credentials and locations and details of servers. And this is how, allegedly, they got, eventually, the access to the source code for FIFA 21.

LAPSUS$ attack on Okta

Keren: 00:23:10.354 Now the same group behind the attack on EA is also a group you might have heard of called Lapsus$ or, according to Microsoft, DEV-0537, a less popular name. So Lapsus is the group that allegedly attacked Okta just a couple weeks ago. Hopefully, you heard about that. But if not, in this particular attack, allegedly LAPSUS$, this hacking crew, was able to — through a supply chain vulnerability, you could say, or through another supplier, through a third party company called Sitel, they were able to get access into Okta systems, documents, and some information on Okta clients. Now what's really interesting is that within hours, they started leaking screenshots and files and selling them.

Keren: 00:23:56.994 Now this particular group, LAPSUS$, I want to spend a moment talking about because I think they're really fascinating. And they are, let's say, one of the more bold and innovative actors out there. So here's an actual screenshot from the LAPSUS$ Telegram group. They had a Telegram group with more than 45,000 followers. And on their group, they actively advertise, they recruit employees and insiders from big technology, software, and development companies. And they actively look for telco operators. Now you might be curious. Why are they looking for people who work within telecommunications companies? Well this is because they actually specialize in a really specific type of identity theft where they activate SIM swapping attacks. So they basically duplicate the phone number of an employee at the company. And when a multi-factor authentication code is sent by text message or a voice call to that number, they can get it instead. And that's one of the elements in the LAPSUS$ arsenal. It's one of the things in their toolkit. Now as they're saying, "We're not looking for data. We're looking for the employee to provide us with a way into the network." So they're really very bold and very clear about their intentions. And of course, you will be paid if you like. Of course, they're not guaranteeing that people will get paid. In some cases, they're hoping that there will be some disgruntled employees out there.

Keren: 00:25:25.945 Now mind you, I know some organizations are now talking about going back to the office. Some people have gone back to the office. I recently read a survey that said 80% of people don't want to go back to the office, and 80% of companies want people to go back to the office. Now if that data has any merit in the real world, there are going to be some disgruntled employees and unhappy people out there. And criminals know this. This is why they've increased their recruitment efforts in the last couple of months. Now particularly with LAPSUS$, we know a lot about their tactics because Microsoft has actually researched them, especially after they went after organizations like Okta, NVIDIA, Samsung, Ubisoft quite recently. These are some of the big names that LAPSUS$ has gone after. So Microsoft has this fantastic report. I really recommend you read it. Again, this is maybe not 150 pages. This is a 17-minute read. If you can spend 17 minutes, maybe with a cup of coffee, you will learn a lot about the way these attackers work. But once again, I'm here to give you the CliffsNotes, the summary. So they focus on these types of social engineering and identity theft operations with SIM swapping. They find key employees that they can either engineer, recruit, or even take over their accounts so that they can get that first credential, that first password, that first foothold into a server, a system, or even a Slack server.

Keren: 00:26:49.018 Now specifically, as we are all really focused on digital collaboration tools, they love looking for credentials and easy ways in, on SharePoint, Confluence, Jira, GitLab, GitHub, Teams, and Slack. And they've also been known to utilize specific vulnerabilities against some of these platforms, so actually hacking some of these platforms to get into a company's servers or into other channels and find their way into credentials that are stored there or even just start a relationship with somebody with a fake profile picture, knowing what they are supposed to say about who they supposedly are, working at that company, so that they can reset a password. That's something they've done a lot. Now once they're in the system and especially once they are in a cloud environment belonging to one of their targets, one of their tactics is to actually create their own virtual machines within that cloud environment. And they use that virtual machine as their base of operations. So now they have an attacker-controlled system within the target cloud environment. And they use that to move laterally. So this is really a fascinating group.

Keren: 00:27:59.900 Now what's more fascinating about them is that they were so bold about their attacks. They recruited people to work with them. And yet for a lot of defenders, they were kind of considered a low-grade attacker or under the radar. So this kind of reminded me of this meme or this image from the Pirates of the Caribbean where the blue team says, "Well these are some of the worst techniques we've ever seen by attackers." Yes, but they did work, just like with Jack Sparrow. Well people have heard about him. Even if he's the worst pirate in the world, people have heard about him. So this group has made such a big name for themselves. And I'm actually happy to tell you that a couple of weeks ago, many of their members, or at least seven of their alleged members, were arrested in the UK, not far from Oxford. So this is not a Russian-based criminal group. And actually, many of the alleged members are under 21 years of age. So quite an innovative and creative group. Will we see more from them after these arrests? It remains to be seen. But I want to highlight the fact that groups just like Ryuk, Conti, and LAPSUS$ have a very wide arsenal of capabilities. So it's not just utilizing vulnerabilities. It's also these social engineering techniques. It's also recruiting employees. It's also going after collaboration platforms.

The Common Vulnerability Enumeration database

Keren: 00:29:17.495 But let's go back to the basics for a moment. This is a list of just some of the vulnerabilities, the CVEs used by criminal groups in the last two years. Now a CVE is part of the Common Vulnerability Enumeration database. If you're unfamiliar with the term, this is a way for security researchers to track a known software vulnerability or a bug. So when something is known, it usually receives a CVE number. The first four digits are usually the year, like 2022 or 2021. And then the last five digits are the running order of that vulnerability. So as you can see in the last two years, we had tens of thousands, if not more than 100,000 different vulnerabilities. But specifically, they target a lot of these networking, collaboration, enterprise system tools that every organization on the planet typically uses. Now there is usually a window of time between this vulnerability being reported and this vulnerability being patched. Now that's really fascinating because criminals use that window of time.

Patch Tuesday

Keren: 00:30:26.589 Now speaking of window, who here is running Windows 11? Maybe some of you already have Windows 11. Please do let me know in the chat or the comments if you have Windows 11 on one of your machines. I already have it running on one of my machines. But it's kind of new. And criminals know that it's new. So they actually created an attack that masquerades as a file created in Windows 11. It's just a regular Word document that includes some malicious payload. But in order to trick people into interacting with the content, enable editing, enable content, they claim that it was created in Windows 11. So criminals know that there's new stuff out there. People like using this new stuff. And they're going to trick people.

Keren: 00:31:08.808 Another thing I want to say about Microsoft and Windows, some of you are techies and have been in this industry for a long time, you must know what's the favorite day for any IT manager, favorite day or maybe least favorite day of the month, it's the first Tuesday of the month. And the first Tuesday of each month is what Microsoft likes to call Patch Tuesday. And this is the day where they traditionally issue patches for bugs and vulnerabilities. Now in the past, it used to just be about patches for productivity or glitches or things that didn't go well in their software. But in the last couple of years, Patch Tuesday has become really heavily about security patches, so plugging vulnerabilities that were recently discovered. So while for IT managers, Patch Tuesday is usually a long workday to make sure that they can deploy these patches and plan on how they're going to fix all of those vulnerabilities, for hackers after Patch Tuesday comes exploit Wednesday. So within hours from the release of the Microsoft patch, within hours, there are exploits that are targeted specifically at those vulnerabilities that the Patch Tuesday was just trying to plug. And there's always a window of time, maybe a few hours, maybe a few weeks, maybe a few months, between those vulnerabilities being patched and the patches actually being deployed. And this is the sweet spot. This is the time where a lot of these criminal groups operate.

Apache and Log4j

Keren: 00:32:35.648 Now I don't want to just focus on Microsoft, of course, or Windows. Let's talk about another environment. Let's talk about Apache and Log4j. So as many of you recall, last December, the Log4Shell vulnerability in the Log4j component was discovered in early December. And by the way, it's a little bit of a tradition in the cybersecurity world, each Christmas, there is a terrible security incident that comes around just to ruin everybody's holiday season. In 2020, it was SolarWinds. '21, it was the Log4j vulnerability. And the Log4j vulnerability, for those who are not familiar with it, was one that actually allowed attackers a remote code execution, RC, what we call in the security business RC, so remote code execution. This is something that you don't want an attacker to have the capability to run code remotely on your servers. That usually leads to an attack chain that ends up with the machine getting completely controlled by the attacker. Now this was announced in early December, on December 10th. Within hours, simply hours, there were attacks utilizing Log4j with an active exploit. So what you're seeing here is a screenshot from a tool called GreyNoise. It's a very powerful tool. It's kind of like a scanning engine for scanning attempts. I'll repeat that. So GreyNoise is kind of like a machine, like kind of like a radar, that looks throughout the internet and sees a lot of scanning attempts by different attack tools and hackers. And GreyNoise identified, within hours from the Log4j and the Log4Shell vulnerability announcement, within hours, there were active exploits trying to run remote code, RC attempts on servers around the world. So attackers are not just fast, they are faster than ever. And they're also bolder than ever.

CD PROJEKT RED

Keren: 00:34:29.652 So I want to move to a few other cool stories about what criminals have been doing because there's really so much that we can learn from them. I want to ask if anyone here is maybe a gamer. You might have heard about a company called CD PROJEKT RED, which is a multinational, fantastic or maybe not fantastic game dev company. They are behind some very popular games. And last year, they also were attacked by a specific attack group. Now they are the developers of both the Cyberpunk 2077 franchise and a very popular Witcher franchise, which you might know from the Netflix show. But it's a very, very popular video game. It's a pretty good video game. Now when this particular group was attacked, the ransomware note showed us that it was a targeted attack. It wasn't opportunistic. The hackers actually created the note. And they actually spoke specifically to the company, "We have epically pawned you. It's a little gamer's plan. We own you. And we actually got the full copies of the source code from your Perforce servers." For those unfamiliar with Perforce, it's actually a source control system for game devs. So you can think about it like GitHub for game developers. And this is how the particular group got the source code from the unreleased games or the unreleased portions of this company's games. So CD PROJEKT RED got hacked. This time, what is the name of the group? Is it something scary like Ryuk? Is it something mysterious like Conti? No, it's something cute: HelloKitty. So at least some of these criminal groups do have a sense of humor.

Ransomware as a Service — LockBit

Keren: 00:36:10.488 Now briefly, I want to also tell you about the ransomware as a service model because a lot of these ransomware operators understood they don't have to really work hard. They can develop their own fantastic payload. And then they recruit other people to distribute their attacks. And sometimes, they even recruit those people from their victims. I'm going to repeat that. So here's a picture of the LockBit 2.0 ransom note. This is what shows up on a computer that might have been encrypted by LockBit 2.0. And LockBit 2.0, within their modification, asks people, "Would you like to earn millions of dollars by working with us, collaborating with us?" So they're actively recruiting from their victims. Furthermore, they have endorsements for their product. So they claim they have one of the best-designed lockers on the market with a focus on speed of encryption as well as functionality. Now these criminals are not just boasting. There was actually a speed test recently done for a few ransomware strains. And it's true, LockBit is one of the fastest on the market. So they actually have these claims, and they stand behind them. Now one of the reasons I know a little bit more about LockBit is because they also give interviews. So this is really fascinating. One of the members of LockBit actually interviewed for a Russian language YouTube channel that specializes in interviewing cybercriminals. And they actually answered a lot of questions, including how do they choose their targets, how do they choose their targets. And they said, "The larger the revenue, the better. There are no decisive factors. If there is a goal, then we're going to get there. The location of the target does not matter. We attack anyone that comes to hand." So this is an operator with a global footprint.

Keren: 00:37:59.016 Now let's review just a couple of the things I just shared with you. Let's take a second to think about this. We're talking about hackers and criminals that operate on a hyper-fast development cycle, sometimes going, within hours, from when there is a vulnerability to launching an active exploit. They are on a constant journey of evolution, reinventing their business model, their capabilities, and coming up with people that are going to work for them in different ways. So they have innovative business models. They also have the double extortion model if you noticed. This is when ransomware operators are not just taking away files, they're also threatening to leak the files if you don't pay. This is exactly what happened to CD PROJEKT RED. So this is another innovation, the double extortion threat. They have active branding and PR. They give interviews. They choose popular media and memes and different things from culture, like anime and characters that we might relate with. And they're very active with their digital marketing campaigns. They operate from Telegram groups, not just in the dark net. They have YouTube interviews. And they have a global footprint.

The recent criminal renaissance

Keren: 00:39:07.956 Now you're all based or many of you are based in Silicon Valley, around the world. If I was in Silicon Valley pitching a team of developers, pitching a company that had all of these aspects, this would be called growth hacking. And investors would be lining up with their checkbooks or with their Bitcoin wallets to invest in this kind of business. So this is why we're experiencing what I call a criminal renaissance in the last couple of years. These groups are not just innovative — they're actually enjoying an influx of investment from criminal campaigns. And they're putting back from their ransomware money, from their attacks. They're putting back, in some cases, dozens of millions of dollars each year into their operations. And they're utilizing anything that we like to utilize. So if we're using cloud assets, they are there. If we're using Slack, Zoom, digital collaboration tools, we are there. And we all have more and more and more of these devices because our digital universe is simply expanding, and it's expanding at an exponential rate. So what can we do with this reality? I also want to provide you with some hope and some kind of hopeful ideas before we take it to the questions. How can we all be part of building that digital immune system? How can we make better security decisions each day as developers?

Friendly hackers

Keren: 00:40:31.755 I believe it starts by learning from these hackers and taking these fast, innovative cycles to heart. If we keep doing the same things we did as defenders two years ago and five years ago, using the same pace of adopting new security technologies, we're not going to have a leg in this race. And it is a race. But the good thing is friendly hackers can help us. And around the world, there's more than 100,000 friendly hackers all over the planet that are contributing through bug bounty programs. Some of you might be familiar with bug bounty programs. If you've ever reported a vulnerability on a program, or if you have one, please do let me know in the chat. Here are just some of the big-name companies, the big vendors that have bug bounty programs. And they reward hackers actively with money or with swag. In some cases, like Tesla, they give out these challenge points to the top hackers that find vulnerabilities on their platform. And guess what, when Log4j happened, the hackers around the world found ways to use Log4j, and they reported this within a week of the first report of Log4j. Or within two weeks, there were thousands of reports from friendly hackers on where Log4j and that particular vulnerability was active, helping companies uncover it. I believe it would have been an impossible task without the help of these friendly hackers around the world. So I'm actually quite optimistic that today, we have more ways to bring in friendly hackers into our ecosystem and become defenders. Even the Girl Scouts are now teaching cybersecurity skill sets. And I was never excited about the Girl Scouts growing up. But nowadays, I think it makes them more relevant than ever. It's definitely better than making cookies.

Learning from hackers

Keren: 00:42:19.458 So when I participate in conferences like DEF CON, which is the world's largest hacker convention, I don't see criminals — I see talent. I see the people that we need to bring into our industry, the people that we need to learn from, the people that could help us save our future and be the heroes of our future by becoming friendly hackers. This is why I spend about 30% of my own time giving back to the community with organizations like BSidesTLV, which is Israel's largest security research community, and the Leading Cyber Ladies, a network we started here in Israel, but now has chapters all over the world. My goal is to bring as many people into the cybersecurity world so that they can be successful, friendly hackers, bug hunters, and security professionals. I really think we need all the help we can get. Now what about you back there at home? Are you still kind of kicking back, thinking about the way you used to do things a year ago or maybe two years ago? I'm here with a wake-up call this morning. We can't do that. We can't afford to do that. We have to take a page from the hackers' book. Now is not a time to just keep calm and carry on. It's a time to evolve, to innovate, to adapt because this is exactly what the bad guys are doing. And we have to do the same. Thank you so much for your time and for listening to me this morning. I really hope you stay safe wherever you are in the world. And I'm excited and looking forward to your questions and your comments and for an opportunity to hear what's on your mind. If there's something that you want to say to me after the session as well, you can always find me online. It was k3r3n3, K-3-R-3-N-3 on Twitter and on my webpage. Thank you, Ev, and Teleport, for having me.

Q&A

Ev: 00:43:58.273 Thank you, Keren. That was extremely entertaining. So we do have some questions that folks have typed in the Q&A section. And as Keren is answering those, you're obviously invited to contribute. So the first question, I think, is the obvious one. So you mentioned several times that the practice of selling credentials and passwords online, like there's this marketplace for credentials, is out there on the dark web. But what kind of credentials are currently being sold?

Keren: 00:44:27.156 So I think at the moment, the most popular ones are a remote desktop connection. So that would usually comprise, or maybe the IP address of where the remote server is, the username and the password for that RDP connection. That's one of the most popular ones, a VPN. But in some cases, it's even simple things like cookies and especially not an everyday cookie. Some of you might know that Slack also has the magic link capability where you can have a link sent to you, and then you can just log in using that link into your Slack account. So cookies that would enable somebody to utilize that magic link capability, for example, are very popular. Other types of credentials are for cloud assets. So whether it's AWS, Azure, Office 365, anything that has to do with an enterprise's cloud footprint, it's very, very popular. And it's typically something that's utilized as maybe kind of the first access. And in some cases, they're not just sold or traded. If you take a look on GitHub or other popular platforms, you'll often see — and this is something criminals know to look for very well. You'll see that people just put in credentials in the code. You'll kind of have to look for it a little bit. But it's there. And that's easy pickings for the criminals. So these are just some of the examples for popular credentials that are utilized by hackers.

Ev: 00:45:51.473 Yeah, I hate to sound like a Teleport commercial, but we've always been saying that just the presence of secrets anywhere in the organization is just a liability. So the bigger you grow as a company, the more secrets, the more passwords, SSH keys you collect, like you are getting exposed. So think about moving completely to a secretless, passwordless environment.

Keren: 00:46:15.152 Absolutely.

Ev: 00:46:15.642 And you also mentioned something earlier when you said that credentials for VPNs are being targeted. And even in your presentation, I noticed you said — like a few times, you said they've gotten into the network, they've gotten into the network. Meanwhile, the movement towards Zero Trust has been around for a lot of years now. I keep hearing —

Keren: 00:46:34.280 That's true.

Ev: 00:46:35.190 Like first time I heard Zero Trust was really a long time ago. Zero Trust basically states that networks don't matter. Like every server on your private network needs to be configured as if it's on a public internet. So do you believe in Zero Trust? Do you think it will ever happen? Because it looks like —

Keren: 00:46:51.200 Yeah.

Ev: 00:46:51.378 —no one is actually doing it. We keep buying Zero Trust products. But people still want to get access to our VPNs.

Keren: 00:46:59.306 So here's the thing, first of all, you're right. Zero Trust as a branding or as a concept, a buzzword, it's been around for a couple of years. I think the first time it was coined Zero Trust networking was probably a Gartner or a Forrester analyst. But even before that, if you all want to learn about the history of this concept or this paradigm, read up on something called Google BeyondCorp, as in beyond corporation. And this was a report, and later an academic paper, written by Google after they experienced a very intimate attack allegedly by Chinese state actors back in 2010, 2011. So we're talking more than a decade ago. And that's when Google realized they have to change their architecture for the internal security. They can't have a crunchy on the outside, everything accessible on the inside approach, which was kind of popular for a lot of kind of a security mindset. They have to start vetting each and every login, transaction, application, service. Everything has to be authenticated and secure internally, externally, really going beyond that concept that there is an internal and external perimeter. So I do believe in the paradigm. I think Google was onto a good idea.

Keren: 00:48:16.359 And if you look at some of the things Google has done internally in the last decade, they have absolutely revamped and changed their internal security architecture. If you'll notice, if you're a user of Google, it's very rare that Google will ask you to reset a password, for example. This is because they believe that if you already have a good, long, complex password, you can use that. But ideally, they might ask you to log in or to use multi-factor authentication. I've got a couple of fobs, like YubiKeys and physical two-factor authentication tools. And they'll push their more maybe targeted users to use these. But they no longer really rely on passwords to identify people. Google already knows a lot more about their employees and their users. And they use all of these different factors. So I think they're already kind of utilizing a lot of the Zero Trust paradigms internally and externally. So if you're a customer of theirs, that paradigm is already happening. I know quite a few big companies like VMware are doing similar things, similar practices. So I think it will be possible. And it is happening. And as practitioners ourselves, as we build the next-generation architecture for any web app or cloud-native app or a technology tool, we need to think about what are the authentication modalities we are building in. Are we building in something antiquated, like a username and password connection that really belongs in the 20th century? Or are we building in the technology capabilities that would look towards the future and that would enable us to evolve? And I'm a very big proponent of a passwordless future. So —

Ev: 00:49:57.102 Yep, agreed.

Keren: 00:49:58.266 — hopefully, that's something that some people can adopt, and maybe they agree with that mindset.

Ev: 00:50:03.837 Yep. So speaking of Google, we actually also like reading their Project Zero blog, which has been a great place because Google has a fantastic team of their own internal ethical hackers. Actually, just recently, they published a survey where basically, they've done the overview of the recent vulnerabilities. And the trend is not good. So we almost doubled the number of zero-day exploits this year. So it's a fresh report. It's on Google Project Zero. Everyone can go Google it. And we have a related question from the audience. Katerina is asking that since we're seeing more and more attacks because the world is increasingly going digital. And she also states that she's particularly interested in things like Kubernetes and cloud-native technologies. So what are your thoughts on this? Like why is it getting worse? Is there any hope? And there was another question someone asked earlier, before we even started recording, like who's generally gotten kind of better at this arms race, attackers or the defenders?

Keren: 00:51:08.804 So these are two great questions, kind of big philosophical questions. I'm going to start from the end. I am inherently a techno-optimist. And I do think things are getting better. It may not seem like that. And being in the security world every week, every day, there's a new vulnerability, a new problem, a new technique. I like to look at that as an innovation race. It will never be over. It's always about the next thing. For me, it's invigorating, refreshing. And it's one of the reasons I've been in this space for more than 25 years. And I'm never bored. But if you're looking for something that's static, this is not a static field. It's a field that's always evolving. Now why are we seeing more and more reports? Well you could also argue the amount of code, the amount of technology products out there has increased exponentially in really all — if you look at every metric possible, how many cloud assets, how many servers, how many digital devices, how many lines of code, how many different programming languages and APIs are out there, in all of these metrics, we have gone from a world where maybe 10 or 20 years ago, we had a couple of major operating systems, a couple of important programming languages, a couple of important web application protocols and networking protocols, and that was pretty much it, now we are in a vastly wider universe. This is why I talk about a digitally expanding universe. It's continuously growing. So yes, we're going to find more bugs and vulnerabilities and problems because the address space is that much larger or the attack surface, as hackers like to call it, is that much larger.

Keren: 00:52:46.214 And the same thing goes for us as enterprises and as consumers. We used to have one, two, three devices. Now if you look around you, Ev, if I look around me, I've got maybe a dozen devices right here in my household. And most people that are watching us today have a similar amount of devices. So we each have more and more devices. We've got more online accounts. We've got more systems that we use. So yes, we're going to find more vulnerabilities. And there are more people looking for those vulnerabilities. So there are more criminals and more state-sponsored attackers. But there are also more friendly hackers. So don't confuse the fact that we know about more vulnerabilities and bugs with the situation is getting worse. Maybe we just know more about the reality. We're just exposing more of that digital world that we're living in. That doesn't necessarily mean that the overall trend is getting worse. Call me an optimist, I like to think it's getting better.

Ev: 00:53:43.908 That's actually a good point. So maybe more and more of those vulnerabilities are being discovered and reported by good hackers. Also, when you were answering this question, I noticed that you bravely used your own personal environment as an example of the ever-increasing complexity of computing. So would you be willing to share some personal computing habits that you're practicing to keep your data, personal data safe?

Keren: 00:54:08.183 Sure. Okay. Yeah, that's a cool question. I don't get asked that quite often. So it is a little bit boring. I try to use the latest operating system updates on each of my devices, whether it's an iOS device or a Windows device. I don't operate a lot of Android-based devices for a variety of reasons. And the ones that I do have, I keep in a separate network and separate environment mostly for research. So I do tend to find, for example, phones that run Android or IoT devices that run Android, because there are more attacks and more vulnerabilities, more prominent in that space. So I like to keep them on a separate network. Personally, I like to feel kind of like I know what's happening in my router. So I don't just have the router from the ISP that most people — I don't know how it works where you live. But here in Israel, most people just get the router from the ISP. And that's the one that they get, and they rent it out. I actually get another device that I paid for, that I operate. I know what the firmware is on. I make sure that the firmware is updated. I've got the credentials to it. So that's another level where I look at not just the operating system level, but I also look at the networking level. And I can run on that router a couple of very basic security and monitoring tools. So I try to be aware and vigilant about that. Personally, I also sign up and use biometrics and multi-factor authentication and, ideally, not SMS, text-based multi-factor authentication, but authenticator apps or physical fobs and the YubiKeys or little keychain devices wherever I can, so in every service that provides that to me, as well as using some password managers for some of the things that I use. So those are just some of my personal practices. I hope that provides advice or a personal example. I think these are kind of basic cyber hygiene, basic things that a lot of people practice. And I hope that you do too.

Ev: 00:56:07.664 Well, thank you for getting vulnerable here and speaking publicly about how you personally do it. So one last question because I'm watching time, I have a couple of minutes left.

Keren: 00:56:17.369 Sure.

Evolving from passwords to access

Ev: 00:56:17.581 So at Teleport, we spend a lot of time thinking about defending infrastructure because we, as a company, provide a remote access solution for everything inside of a data center. So for users of cloud computing, if you were to think about the most important piece of advice — well we already said that using passwords and secrets is bad —

Keren: 00:56:41.081 Yeah.

Ev: 00:56:41.449 —maybe other than that. So what would that be, like the last nugget of wisdom from Keren?

Keren: 00:56:47.141 So I want you to think beyond passwords and think about access. Access is the most powerful thing. We used to say as hackers that information is power. But really, it's access to that information. So think about where you have your information, your computing resources, your assets, and who else has access to it. And how do you control that access? How well do you control it? Do you know what's happening and whether you control that access with something kind of simplified and maybe outdated, like a username and password combination or even an SSH key or maybe something that's a little bit more evolved? We are in the year 2022. Stop using the same login details that our grandparents used when I first got access to the internet, which was like a six-digit password maybe. So I don't mean to — I definitely don't want to be mean. I want to be kind. But I really think that as practitioners of technology, as defenders, we have to adapt with the new times. We have to look towards the future. And we have to leave passwords behind us. So focus on access. Who has it? How do you control it? Access is the new power, if you ask me.

Ev: 00:58:03.485 Access is the new power. And on that note, we're going to end this show. Keren, thank you so much. You've been fantastic. And thank you everyone else who joined us. This Security Visionaries series has been sponsored by Teleport, the easiest and most secure way to access computing infrastructure. Those of you who enjoyed this presentation and are craving more, we've got you covered. Follow us on Twitter, we're goteleport, or subscribe to the updates on our blog. And that's the end of the show. Thank you. Thank you very much.
