What does cybercrime have in common with your business? More than you might expect. VP of Global Cyber Threat Analysis, Terry McGraw, offers fascinating insight into the rise of ransomware as a service – and the increasing professionalism of the cybercrime “businesses” behind attacks. Learn from his experience across thousands of engagements how best to protect your business – from patch management and MFA to identity management and backups. And hear why practice makes perfect when it comes to preparing for and responding to ransomware attacks.
What We'll Cover
Secureworks Interview with Terry McGraw
Sally: A warm welcome to today's episode all focused on ransomware. And I'm delighted to be joined by Terry McGraw, VP of Global Cyber Threat Analysis at Secureworks. Welcome, Terry!
Terry: Thank you! Appreciate that, Sally.
Sally: Absolute pleasure. Let's get straight into it and look at the evolution of ransomware. So why would you say this is consistently such a hot topic for companies of all sizes today?
Terry: Well, I think because it remains an existential threat to business. I mean, something like 60% of small businesses go out of business within six months after being hit with a ransomware attack, and even large corporations.
Let's assume that you even thwart the ransomware before it becomes disruptive and encrypts your environment. You still have to deal with the breach of your environment and potential data theft. It can become hugely expensive as it impedes your operations particularly. Those operational impediments can often exceed the cost of the ransomware.
So, it truly is an existential threat to the business. It also leaves you open for the potential of litigation exposure later, depending on what kind of data might have been affected in terms of your compliance and regulatory environment around notification.
So, it's an expensive proposition, which is why it remains a hot topic, even though we've seen ransomware trends ebb and flow over the past year.
Sally: I've certainly seen more recently, for example, around some of the name and shame type of attacks. And I think they could be harder to stop and detect – and less costly perhaps for the threat actor as well.
So, there's a constant state of change to deal with as well. Some great points there. Perhaps we can put our headspace or mindset into the mind of the bad actor for a minute, because it's a good way to kind of look into what makes an attack happen and how to negate that risk. When you are looking at this, what are you finding are the first steps that cyber criminals are taking when they're preparing to launch one of these attacks?
Kind of the early warning signs, shall we say?
Terry: Well, actually, I think it's more important for the audience to understand sort of the maturation that's happened, the evolution of cybercrime as a whole, because I think it answers that question more fully. There's been a significant maturation in the underground threat landscape.
It's now a market economy. The cybercrime marketplace now has a supply chain. It has skilled labor specializations. It has franchise models. I mean, if you look back about eight years ago, cybercriminal groups had to do all of this themselves. They had to develop their own tools. They had to target the victims. They had to plan their initial access. They had to exploit the victim, launder any ill-gotten gains. And they all had to do that internally.
Now what we see is market and skill specialization. So initial access brokers will now spend their time identifying and gaining a foothold and then putting that up for sale. The franchise model, or brokers if you will, will come in and buy that access and then conduct the exploitation. And now you have software operators and developers that create all manner of software as a service and infrastructure as a service to be utilized for cybercrime. In fact, right now, the only barrier to becoming a cybercriminal is just the desire to commit crime.
So, when you talk about initial steps, it's actually now a driving economy that is almost a near-peer competitor to you. I mean, it's not just a singular one and done. This is an economy that is actually in that competitive market space, right along with you. And their marketplace is to get your revenue.
Sally: That sophistication, all the bad actors coming together and collaborating to bring about these risks as well...
Terry: Absolutely.
Sally: ...And also things like double and triple extortion. I've seen a lot of rise in that. But also on the flip side, the barrier to entry for this type of crime has dramatically fallen.
I saw some data recently. It was almost like the price of like your cup of coffee every day of the week. Total that up and you get a kit that would be able to launch something like this. So, you’re right. Both ends of the spectrum – sophistication, collaboration, but also cost of entry lowering down as well. So an excellent range of points there.
And in terms of this, when you've been evaluating all your experience around ransomware attacks specifically, are there any particularly unusual or unique examples you've seen, or particularly effective ones, that have caught your eye that would be great to share with the audience for that information?
Terry: Yeah, it's a great question and I thought about it a little bit. A: It's a dynamic environment, so nothing will remain static. But I thought it would be interesting to talk a little bit about attacks against multifactor authentication bypass.
And why do I say that? Firstly, it does highlight the fact that humans are still often the weakest link. And I mean that not in a negative way. But look, when we're in our jobs, we want to be helpful, we want to be proactive, we want to feel like we're being valuable to the organization. And sometimes we're even overwhelmed, right?
We get busy, we have a lot on our plate. And so, these are the things that threat actors use against us and against our employees. In fact, not only just ransomware. I mean this is why business email compromise is still very effective and we've seen a doubling of that over the last year.
So that highlights the human in the loop. The second part about it is that it also shows that you're only going to be as effective as the proper implementation of your solution. And multi-factor is one of those things that really does have to be done everywhere you have external-facing systems. And it has to be done in a way that doesn't lend itself to fatigue, you know, alert fatigue.
Lastly, it does also highlight the prevalence of the tools that can be used to help threat actors do this. I'll give you a great example. So, we've actually seen in the last quarter a few successful engagements with Qakbot being delivered by phishing.
In one case in particular, it was a request – using my air quotes here – request from the payroll department to update a W-4 form. So, it came in as a zip file, which was encrypted, and you needed the user's username and password to be entered to open the document and so they did that. Now, that gave immediate credentials to the threat actor. And then multifactor authentication requests started to come in and the user, just assuming it was part of the document access, went ahead and clicked approve.
Now here's the interesting part of this, and this is why I think this really highlights the end-to-end tradecraft. The threat actor now had just that one box access, that one user credential. But the first thing they did, and by the way Qakbot has this built in, is to harvest credentials. So they harvest credentials on that endpoint. Now this is the interesting part. A network admin had been using domain-level credentials to do normal administration on endpoints throughout the environment. And so, the very first patient zero gave the threat actor domain-level creds. And so now that means your entire environment is effectively compromised and it led to a whole host of things.
They were actually able to detect and thwart the further elevation. They got it contained, but the important part is they still had a breach. They still had their entire active directory and identity access management that had to be reset and redone. They had critical system access that had to be reset. So, it was still hugely expensive and costly for this corporation. I mean, they were in the financial transactions segment. And so, as a consequence, when you take systems offline, it runs in the tens of millions of dollars an hour.
So again, it also speaks to why these kinds of cybercrimes still gain so much attention from people – because it can be inordinately expensive. It shows that this is measure, countermeasure, measure, countermeasure. And you have to work across people, process, and technology and have visibility across all that in order to do this well.
Sally: Absolutely. It really is very holistic. That visibility point comes up frequently in these kinds of conversations, as a potential gap area. I totally agree with that. And an interesting one I've seen recently as well is again bad actor collaboration, but this was around malware with Emotet, for example.
That can lead, you know, with the payloads etc. down the line, to full-blown ransomware attacks as well. So even things that you think have gone can be reimagined and reworked and can come back. So again, this kind of dynamism in the space is absolutely huge.
Terry: It speaks to the fact that that marketplace is now driving this evolution. And that's what I think is a key takeaway.
Sally: Even the Telco space as well. I've seen old protocols, like, dating back to the seventies.
Terry: Yeah.
Sally: That again being reused for crypto attacks, for example. The list kind of goes on, doesn't it? So again, that depth and breadth of experience, the visibility, and integration are also important. I love the fact also that you highlighted not just the technology. It’s the people, the processes, the change management, and skills for all levels of the organization as well. So really, really great points.
And I'd love to hear a bit more now about Secureworks' role here, how you're working with organizations of all sizes to help mitigate some of these risks, particularly around the ransomware side of things.
Terry: Yeah, we're uniquely positioned to do that. I think first we have a counter threat unit, which is a lot of very, very highly skilled people that we've invested a credible amount into, who do deep threat research and attribution across over 200 threat groups.
We have an incident response team that does between 1,400 and 3,000 incident response engagements a year. And that's first-hand tradecraft. They're seeing it for the first time – threat actors in the environment. And they're taking all that and then feeding it directly to our countermeasures team, who then build analytics to look across our estate and our Taegis platform to provide that level of effectiveness.
We're processing 3 trillion events a week in our Taegis platform. And so that telemetry comes from cloud, perimeter, and endpoint. Every manner of telemetry and sensing architecture gets fed into that Taegis platform and we run analytics across that entire dataset.
What's really cool about that is when we have a new detection, it can be immediately applied to all our customers. So, what you see in one area of our customer base now can be effectively used to protect all of our customer base. That provides defense in depth across the kill chain, because if we have visibility across all the security controls, we're not just waiting for something to manifest as an endpoint. We see it at the network layer, the cloud layer, and detections. We see it across that estate and that's really, really important. And so, I think one of the most effective ways we do that is our knowledge of the threat and its application across our platform.
Sally: About that knowledge-sharing aspect as well, sharing right across your customers. So again, the ecosystem around protection is just growing all the time. I've been looking at quite a lot of your research in this area as well. It's super, super impressive. So that's absolutely key. Again, with bad actors coming together, we need to do more as a community, don't we? That's been a massive thing. Like the RSA conference, for example, you know, stronger together. It really is the way forward. So, I love that.
And I always like to leave some tangible takeaways for the audience as well. So, if you were going to offer up advice, reflecting on some of the things we've talked about today and just broader experience as well, are there a top two or three things you would like to share on how organizations can better protect themselves from ransomware, whether that's early warning signs or some of the techniques you've talked about as well.
That’s perhaps a great way to end, with some tangible takeaways around protection.
Terry: Actually, there's really a top ten if you will. But I'll cover the three because you asked me to. It summarizes into you still have to be brilliant at the basics, because that’s really what this boils down to. I've been talking about these kinds of things for the last ten years and sadly the same types of things are still prevalent in our data sets, right? I mean, initial access vectors haven't changed incredibly much in that ten-year period of time.
For example, you still have to patch. Why? Because, you know, unpatched servers scale better for the adversary. They can build scanners. They can scan the entire IP address scheme of the internet and look for vulnerability. They've got tools like Shodan. It scales better for the adversary, so exploiting systems that are unpatched is the number one access vector. Usually, it's between one and two.
You need a vulnerability management system. And when I say patching, if you've got a large complex environment, knowing what to patch, what its prioritization is, its potential for criticality, and how hard it is to really exploit. So, for example, with Log4j, it was like handing someone scissors to cut your yard. You can do it. It's just really hard, right? So, it didn't manifest itself in the wild as much as the press would garner. We did see it, but it wasn't a game-changing amount. So, prioritization and understanding that vulnerability management system. Using a solution like our own EDR will help you along with that. There are lots of solutions that do that, but you have to do it programmatically and you have to be aggressive as you can.
The second thing I would say is you absolutely must get a handle on your identity access management. That includes privileged access management and your service accounts, moving toward that zero trust model. But there are a lot of things you can do way before you ever get to zero trust, e.g., understanding your active directory, your ACLs (access control lists), how well that's tiered and modeled, and how well that's defended. You want to avoid the situation I illustrated where a network admin is using the same types of creds throughout your environment. Or you have overly broad service accounts, right? We set these things up. We don't always contain and limit them to just the bare minimum. We don't lock down our file management systems within our servers correctly. There's a whole host of things that you can do around identity access management that truly is a key to success.
Even if someone gets in – like I said I used to work at the NSA – and if someone wants in, they'll get in. How do you detect them and limit the damage? So, identity access management is key. It's really the new perimeter. And then how do you detect? You need two things. One: a credible, robust EDR, whether that's our Taegis agent or one of the ones we support. Our Taegis platform does support multiples: CrowdStrike if you will, SentinelOne, and Defender. Those are really the top three beyond ours and we support them in our platform. It goes way beyond AV (antivirus). You really need a robust EDR for that endpoint threat detection. But you also need the ability to sort of correlate that with your other controls – cloud and perimeter, for example.
So, that's the top two, followed quickly by, I think, MFA (multi-factor authentication). I did highlight how that is not a panacea but by the same token, if you don't have it everywhere you have externally facing systems, you really have it nowhere. So, it's not only implementing it, but implementing it correctly in a way that doesn't lend itself towards fatigue, so users can't inadvertently authorize it. And there are lots of ways to do that and lots of technologies available to help you do that rapidly.
And then I said I was going to follow up with a quick few other things. I just think it's important to note that we're in 2023 and business email compromise is still a thing. Business email compromise is happening in a couple ways – exploitation of your servers and exploitation of your users. And then on the user front, if you don't have a sandbox solution in 2023, folks, you're exercising malfeasance. Even if it's only 80% effective, that's 80% of things you're not having to deal with in your environment. And so to not have a credible solution, whether that be Mimecast or Proofpoint – they're partners of ours but there are other solutions – putting that in and making sure it's configured correctly is key.
I want to touch on backups because we often talk about backups. This is the last point I'll make. I know I've been a little verbose. Backups are only good if, one, they're out of band. If a threat actor compromises your identity access management and you use the same creds for your backup systems as you do for the rest of your environment, they have that.
So, it has to be out of band and be managed out of band. Number two, ensure that your backups are viable by actually exercising your backup. Schedule a change management window and bring critical systems back from backup. This actually happened. We had an incident response engagement where the on-premise solutions were affected by ransomware. The cloud environment was not, but the on-premise took five weeks to completely remediate, clean, and rebuild. When they went to bring the solutions back together, because they were premise-to-cloud systems, what they had was a five-week temporal misalignment. So, you had timestamps that were five weeks apart in the data.
The backup system could not marry that big a gap between the timestamps. The backups were essentially worthless at that point. That's not something you want to realize when you’re at that critical juncture. And the only way you'll be able to come to those conclusions is to actually try to exercise it. So again, backups are great. They're not a panacea. They are very, very helpful. They'll keep you out of ransomware negotiations to a point. They're also not going to solve your data exfiltration problem. So, if data is stolen, backups are great to bring you back up quickly, but they're not going to solve the problem for a loss of data.
So you still need to have great data awareness, criticality awareness, and telemetry across your estate. Those are the things I'll leave you with.
Sally: Superb. It was well worth going beyond the three. Terry, honestly, I totally agree with that. I think particularly on the patching side, some research I was involved with over the pandemic was saying so many organizations were delaying that up to five times in a row – and I still think there's a bit of a knock-on effect from that even today.
So, I think that it was really important to mention that alongside everything else as well. Also, the actualization point you were saying about backups, but equally around assimilation of some exercises around this. As well, like from the training point of view. I think so often in organizations there's a lot of talk about what would happen when it happens, but not every role gets the experience of doing that. Like from a comms piece, for example. I've seen a lot around social media hacking of CEO accounts and similar. And again, that’s another route into email compromise. So, with all of these things, you've got to have that practice and hands-on doing as well. So, so important.
Terry: It's absolutely key, Sally, I mean practicing this. Look, you shouldn't be working through how to deal with a ransomware event when you're having a ransomware event. You should know where your board fits in, where your C-suite fits in, what your notification requirements are. What's your liability or exposure to litigation based on the data that may or may not have been stolen?
You need to know what system has what data on it and why it's critical. I mean, there's a whole host of things that you absolutely have to do way, way, way ahead of ever having to deal with this in the real world. We hope you never have to – that's why you hire Secureworks – but in the event, training, training, training, and real-world scenarios are very, very key.
We can also help with that by the way. We have an entire suite of people who will walk you through these worst-case scenarios way, way, way before you ever have to deal with them in person – and we highly encourage you to do so.
Sally: Terry, great point there as well. I think that partnership and facilitation make a big, big difference too, particularly just with the scale and scope of all the changes we're talking about here today.
Terry, I know we're out of time so I'm going to have to bring it to a wrap but thank you so much for joining me today. I think it's been particularly insightful, just the holistic range of things we've brought to light here around ransomware.
Terry: Thank you, Sally. Appreciate you having me.
Sally: And for everyone watching and listening, thanks so much for joining us on the latest episode of Let's Talk SoC. We'll be back very soon.