Warning Signs You’re About To Be Attacked

What are the things that raise red flags that you’re about to experience an attack? We know phishing is one major indicator, but what other signals set off your Spidey sense that things could go sideways?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining me is our sponsored guest, Trevor Hilligoss, senior director of security research, SpyCloud.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, SpyCloud

Get ahead of ransomware attacks by acting on a common precursor: infostealer malware. SpyCloud recaptures what’s stolen from infostealer-infected systems, and alerts your team to take action before compromised authentication data can be used by criminals to target your business. Get our latest research and check your malware exposure at spycloud.com/ciso.

Full Transcript

[David Spark] What are the red flags that indicate the beginnings of a cyber-attack? We know phishing is one major indicator, but what other signals set off your Spidey sense that things could go sideways?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode, you’ve known him for quite some time now, his name is Steve Zalewski. Steve, say hello to the very friendly and nice audience.

[Steve Zalewski] Hello, audience.

[David Spark] That is the sound of Steve Zalewski’s voice. Get to know it. You’ll hear more of it today. Our sponsor for today’s episode is SpyCloud. They were one of the very earliest sponsors of the CISO Series. They’re back again. SpyCloud – act on what criminals know about your business.

They’ve got some fascinating knowledge, and it helps you to build a better security program. More about that later in the show. And they’re also responsible for our guest today. More on that in just a moment. But first, I want to get to our topic at hand.

So, a recent report from SpyCloud found that over 30% of North American ransomware victims this year had an info stealer on their system prior to an attack. Now, this appears to be a clear sign that these malicious actors are preparing for a larger attack, but this can’t be the only indicator.

And, Steve, you asked this very question on LinkedIn. Outside of phishing, an obvious indicator, what are the early warning signs that an attack is underway? I want to know, did you learn anything from the responses, Steve?

[Steve Zalewski] I did. And what I would say is what I learned is there’s no magic bullet at this point and that it’s actually… I would say, as an industry, phishing still is where we spend most of our time; looking at the secondary indicators of attack here tends to be for a minority of our security practitioners.

[David Spark] Right, but it’s still a significant portion. I mean literally a third having info stealers alone, I don’t think you can ignore that, and that is something sitting dormant, ready to go, which is kind of nasty.

[Steve Zalewski] Yes. And that was the reason why we have this conversation, which was, well, there seems to be evidence that it’s a substantial set of secondary types of attacks, and that was why, when we have the conversations. And I think what we’ll do is there’s more and more evidence, but our ability to look at that evidence and be able to respond to it I think is still very much a work in progress for a lot of the security organizations.

[David Spark] Excellent point. And we have the perfect guest to help us with this, somebody from SpyCloud. Very excited about this, because they have a lot of visibility into this very discussion we’re going to have today. Our sponsored guest is Trevor Hilligoss, who is the senior director of security research over at SpyCloud.

Trevor, thank you so much for joining us.

[Trevor Hilligoss] Hey, thanks for having me.

This isn’t just a security issue.

3:08.053

[David Spark] Sean Holshu over at DICK’S Sporting Goods said, “We’ll see a rise in social engineering at the service desk. Now, why wait for credentials to be submitted via a phishing site when you can go directly to the source? Stronger processes around privileged account changes will be needed to defend against this attack pack.” Ah, well, we saw this at MGM, now, didn’t we?

Sue Bergamo, who’s the CISO over at BTE Partners, said, “Customer support reps are always a target, as their jobs are to help clients access their clients. Once they are scammed, access privileges are escalated, and data is exfiltrated.” In their name, it says customer service, so they want to help.

But at the same time, they’ve got to follow procedures, which aren’t necessarily all buttoned-up, are they, Steve?

[Steve Zalewski] No. And it’s interesting, because we talk about phishing as the beginning for this, which is are there other indicators beyond phishing. What you see here is the help desk, on one hand it’s a form of phishing. I think what we’re seeing is it’s targeted now, which is what is our ability to understand a targeted attack against a subset of our people, and I think help desk is a classic case beyond the traditional phishing where our ability to understand the precursors for that are becoming incredibly important.

[Trevor Hilligoss] Yeah. No, I think it’s interesting. I read this comment in the threads, the latter one about the customer support reps being a target. I’ve always thought it’s this interesting dichotomy where we ask people to both be very external to the company, obviously people that are customer support reps.

I’d put salespeople, customer success managers, anybody that primarily deals external to the company… These people are having to communicate with all kinds of different folks as part of their job, and then we ask them to be extremely secure, and pay attention to what they click, and make sure they’re only talking to the right people.

I think things like Lapsus$… We’ve talked about that to death in the security community, but I’ll bring it one more time, kind of show the folly of that. Your frontline people, whether it’s a phishing email or more targeted like a vishing attempt, those people on the frontlines talking to customers are often times also the first people that the attackers can communicate with.

[David Spark] Like we said, going after the source. That’s what you’re trying to do at this point. So, how can you look at this process and see where the holes are, Steve?

[Steve Zalewski] From a threat intelligence perspective. Again, this is the, “How do I look at this,” is potentially to see if there is an unnatural type of conversation going on, or you see this heightened focus on the help support – desktop support teams being targeted, if I can watch the call volumes, if I can watch the call locations.

For me to be able to simply say, “Okay, there’s something disruptive going on here where I may want to either reduce call volumes at this point, or I may have to do some out of man [Phonetic 00:06:39] training to the help desk to be able to give them a heads up that they’re likely going under attack right now, and we have to up our defensive perimeter,” which is harden them to be able to ask more questions or to take some more training.

[Trevor Hilligoss] I would also add to that, it’s probably not happening on its own. There are probably other things that are going on, especially when we’re talking about these very targeted attacks, that you can use as indicators that something is about to happen.

And that might be increased scanning of your perimeter. That might be an increase in failed login attempts. There’s a lot of other kind of telemetry that we can kind of put them in the anomaly category that might also inform that you’re being targeted by something that is a little bit more sophisticated than the norm.

[Steve Zalewski] So, let’s go back to that for a minute, okay? Because my answer when I gave it to you was kind of the standard one, right? I was like, okay… What I said was what everybody does, and that’s not what we’re trying to do here, which is actually to think about your attackers themselves, the script kiddies, social engineering, crime, organized crime.

Which really gets back to understanding what your normal defensive perimeter looks like and the attack types and the attackers, and to use that threat intelligence to realize either there’s an attacker that’s doubling down, which is all of a sudden organized crime is taking more interest in you, or the social attacks like at Levis for the leather patches on the jeans.

That what you’re seeing is a disruption that way.

Where do we begin?

8:16.949

[David Spark] Tony Chryseliou of Sony said, “Higher than average access failures trending in your logs.” Ah, just mentioned. “In order to detect this, you must have already developed a ‘normal’ baseline.” Aw, something that is not always done. “If a user credential is compromised then you might not see access failure, so the next step is detecting unusual user behavior.

If thousands of files suddenly change in less than a few seconds or are being accessed outside of ‘typical’ hours then this could be a red flag.” So, essentially in general any alert that sets off the normal baseline.

Mike Van Orden of Emanate Security said, “Indicators along the attack path can be strung together to trigger that sixth sense. From the outside in… OSINT, Open Source Intelligence and breach data, application anomalies, privilege changes, data exfil, etc.

When you string this all together, the data can tell a great story. Getting to the bottom of why these anomalies are happening is the tough part.” So, actually that’s a really good point is just knowing that a series of anomalies are happening I think is really the important thing you need to answer.

Why they’re happening…I think maybe you can worry about that later. But just seeing it and reacting is what you got to do right now, right, Trevor?

[Trevor Hilligoss] Yeah, absolutely. The ability to observe is so significant here. I think as security professionals, we put this large emphasis on understanding the why. It’s super interesting. I’ll be the first one to admit that I definitely want to read into that subtext.

But you can’t really start doing that until you’ve contained the problem. But I want to key off of what Tony said there, and one of the quotes that I’ve heard… I don’t know who I can attribute this to, so I’ll just shamelessly steal it here. But 100% of fraud happens after authentication.

So, we’re focusing so much on the means by which that credential was siphoned or the help desk person regenerated that token for that supposed employee that’s traveling. But the bottom line is the authentication happened, and that’s what enabled the fraud.

So, if we’re not able to detect those anomalies post authentication, if our only observation is at that time of authentication, then we really, I think, can lose a lot of the context of these attacks.

[David Spark] I’m going to say something that may be insulting to a lot of security professionals, but if we can see how the fraudsters are authenticating, isn’t this a thing…? Like, “Oh, we can see it. They’re doing it this way.” Can’t we just easily plug that hole, Steve?

[Steve Zalewski] The simple answer would be yes. The problem is more and more the fraudsters aren’t attempting to have a human compromised. They’re compromising machines. They’re compromising the other identity types now, where our eyes are set on humans being the weakest link, and identity and access management as we now know has moved way beyond just the human edge.

And so what we have is machine edge, network edge, data edge, all of which have identity types. I think that’s where we’re being challenged.

[Trevor Hilligoss] I would also just say I think that’s a great point. We think about how a user interacts with the website, and typically we kind of consider the splash page where I put my email in, and then I enter my password, and maybe I have a 2FA prompt or something like that.

But what about those situations where we have an already authenticated session that’s stored in our browser by way of a cookie? And then what if an attacker is able to steal that cookie? Well, we know this happens. This happened recently in the CircleCI breach very publicly and many others besides where the method of authentication doesn’t really matter.

You could be using MFA, and passkeys, and all these great things. But the bottom line is if you have that active session and you have a criminal that’s able to do some very basic steps to look like your user, the authentication is totally ignored. You basically just bypass that, as well as any protections that might be in that process, too.

[Steve Zalewski] I want to go back to what we’re talking about here, right, or the theme, which is what are the other indicators. And when we think about it that way, I also have this simple saying that says bad guys don’t break in, they log in. And so what we’re really trying to drive at with this, which was, all right, if they’re logging in then that means zero days.

That means vulnerabilities in code. That means they’re leveraging other attack types that in conjunction with the compromise of a password are being used to string together the attack sequence. And so what we say here, at least for me, is when I bring up things like the data edge is that…or the network edge, or the backup edge, which is locations and ways that they’re able to introduce that compromise through some other form of vulnerability besides simply compromise of a password.

[Trevor Hilligoss] I think you’re absolutely right, absolutely. And I think this kind of goes to the fallacy of sophistication where we like to think of these elite hackers that are sitting in some government building in Saint Petersburg, and they’re developing these super advanced zero day exploits.

In reality, for the majority of us at least, what we really need to worry about is the script kiddie, as you said earlier, that’s sitting in their basement and running on a 20-year-old Acer desktop and using commodity malware. And oftentimes, that is as large if not larger of a threat to us than that APT actor.

Sponsor – SpyCloud

14:14.457

[David Spark] Before I go on any further, I want to share some really interesting research from our sponsor, SpyCloud, about what we’re missing when it comes to ransomware prevention, what predicts the likelihood of an attack. That’s our discussion for today.

So, here’s what’s cool – the team over at SpyCloud has pored over data from ransomware attacks, and what they found should give you goosebumps. It’s what I said at the beginning of the show, nearly a third of ransomware victim companies this year were infected with info stealer malware beforehand.

Now, you may have heard of Raccoon Stealer, or Vidar, or RedLine. SpyCloud found that these stealers increase the probability of ransomware even more. So, clearly we all need to pay closer attention to info stealers as an early warning signal for ransomware.

SpyCloud specializes in recapturing the data stolen from info stealer infected systems and alerts your team to take action before compromised authentication data can be used by criminals to target your business. My favorite thing about their solution is that you get data that’s actually actionable and relevant to your business, and it feeds into your existing security tools for fast remediation.

That I like. They understand that you don’t live on one tool alone. So, it’s pretty crazy what these folks can tell you about your existing info stealer exposures. By the way, I saw this years ago myself. They’ve got a free tool you can use to check your risk at spycloud.com.

That’s their web address. SpyCloud.com/ciso. Be sure to go there, grab their new research, and check your exposure so you can act on it before the criminals do. Remember, go to spycloud.com/ciso.

We’ve seen this one before.

16:09.173

[David Spark] Evgeniy Kharam, who’s the CISO over at Cybeats, said, “The new phishing. Many other messaging apps are more accessible for bad guys to send you a link that you may click if there is no XYZA (security control) in place to block it.” Michael Gregg, who’s the CISO over at the State of North Dakota, said, “From a nontechnical standpoint, I would say vishing, voice phishing.

On the technical realm, I would add in triggers and behavior analytics, repeated failed logins, users accessing resources that are not normally accessed, and escalation/elevation of privilege.” So, sort of touching upon a lot of things we talked about.

So, really the answer here, Trevor, is all the other ways to communicate with you that isn’t the traditional email phishing, yes?

[Trevor Hilligoss] Yeah, it’s D, all of the above. No, I think Evgeniy’s comment there is funny. It’s that time of year where all CEOs will message all of their employees to get them to send them $500 via Cash App.

[David Spark] No, gift cards. I do that with all my employees.

[Trevor Hilligoss] Gift cards, right. Yeah. I have no idea why my CEO always needs funds.

[David Spark] But it’s urgent. Whatever it is, urgently they need gift cards. [Laughs]

[Trevor Hilligoss] Yeah. Yeah, so I really like these comments because I think they key on something really significant, and that is that not all of these attacks need to be good. I mean we’ve all seen the phishing emails with the misspellings and the very obviously some other language to English automated translation, and the WhatsApp messages.

We think to ourselves, “How could anyone conceivably think that this was real?” But it is. It happens, right? And this is a significant industry for these cyber criminals. So, this is something that we still need to work on, we still need to be aware of in conjunction with all of the other things that we need to be aware of.

It’s kind of… Like I said, it’s D, all of the above.

[David Spark] My mom fell for a vishing attack, a phone…one of these classic cases of, “Oh, hey, Trevor. I noticed there was some issues going on in your computers. I need you to go to this site and download X, Y, Z,” and that was the end of it.

[Trevor Hilligoss] Yeah. And, remember, there’s this quote that I love, and I have no idea who I’m stealing this from, but I think…

[David Spark] Take credit for it.

[Trevor Hilligoss] I’ll take credit for it. It’s a mechanic’s quote – what part of a car is responsible for 90% of the collisions on the road, and it’s the part of the car that sits between the driver’s seat and the steering wheel. The same is true of security.

We are as strong as our most tired employee clicking on a link at six o’clock in the morning. But it’s not just that. There are other things that we have to be worried about. I think that the trap is being laser focused on any one threat and missing the forest for the trees.

[David Spark] Steve?

[Steve Zalewski] So, I want to talk about trust for a minute, because… The vishing and some of the others in particular, which was it’s one thing to say we’re phishing you where we’re basically trying to find a moment of weakness, but I would say more and more of these attacks are not around vulnerabilities but exploitabilities.

The exploitability here is not that I have a point in time thing that I give you where you’re tired, or you’re whatever. It’s this combination now where I’m able to track who you are, and by doing that on social media determine your emotional state. Then what I get to do is to play on that emotional state in contacting you with so much data that I’m able to build a much higher level of trust.

That level of trust isn’t just between two humans. It’s the level of trust that I’m able to do with whatever control infrastructure that I have – contextual authentication, contextual authorization, the ability to click on the six squares that’s the school bus.

That’s truly where we’re going here is that we’re able to establish higher levels of trust by manipulating an appreciation for who that identity is and the emotional state that we can put them into.

[Trevor Hilligoss] That’s a great point, Steve. And actually kind of bringing this back to info stealers, it’s interesting, the understanding and the kind of aggregation almost of OSINT but not really because we’re talking about malware here. You look at an info stealer log, the data that’s exfiltrated.

We see things like the IP address, the user’s operating system, their keyboard configuration, their local time, their browser preferences. Basically your entire identity, as if your identity were a device. So, you combine that type, that granular level of detail about an individual, with all of the other things that we so freely broadcast on LinkedIn and elsewhere, and you have something that is a very potent attack chain for any number of attacks.

Be that vishing, using those stolen credentials, passing an authenticated session, what have you.

[David Spark] It’s kind of obvious in the name. Could you just give us a brief explanation of what an info stealer is, Trevor?

[Trevor Hilligoss] Yes, absolutely, David. It’s funny, because I like to say that security people are pretty boring when we come to naming things, and info stealers are no exception to that. But basically when we say info stealer, we’re talking about a specific kind of malware that is generally but not always nonpersistent.

It is generally but not always not targeted. So, these are the kind of things that are going to be dropped maybe by ads, or some hijacked YouTube channel, or some game cheat. Those are the kind of vectors that we see. And basically what they do as malware is siphon off as much information from your device as they possibly can.

So, depending on the info stealer, that’s typically going to include that cookie information from whatever browser profiles you have, any saved passwords that you’ve used like for example, in the Chrome Browser Saved Passwords Manager, as well as that device information.

What’s really scary is a lot of stealers that are coming out now have additional functionality that will go and pull remote desktop software, so like AnyDesk for example. It will pull the configs for those. Many stealers now even exfiltrate files, so user files on their desktop.

So, if they have somebody saving their passwords in an Excel document, that very well could be pulled out and removed to the attacker’s infrastructure. So, they’re constantly changing. But in general, most info stealers are going to kind of fall into that profile.

[David Spark] Well, it’s essentially going from the open source intelligence to essentially the inside intelligence, if you will. We’ll talk more about this in the next segment.

Can this problem get even more complicated?

23:32.997

[David Spark] Russell Spitler, CEO over at Nudge Security, said, “The presence of info stealer infers that we are starting to see a higher percentage of the ransomware attackers buying their way into attractive targets. Most of our past experience to date were broad based attacks with a singular payload.

Rarely was the payload customized for the highest return on a compromised target. This trend means that there is likely an active market for ransomware targets on the dark web with the info stealer actors selling the access to the subsequent ransomware groups.

Specialization of labor increases economic productivity. It also means that any infection is likely an indicator of subsequent issues.” So, have you seen this? Is there a market? Like, “Hey, let us have access so we can get access to others.” Trevor?

[Trevor Hilligoss] Yeah, David, there is a robust and ever evolving market. And that’s a market not only for the data, the proceeds, but one thing I didn’t mention previously is a lot of these info stealers are sold as commodity malware. So, much in the way that you would go and download…purchase a license to use Adobe Photoshop to edit photos, you can go on Telegram or somebody’s forum that they have and buy a license to use an info stealer.

And what that enables is really unsophisticated or not very sophisticated actors gaining access to really sophisticated tooling and highly configurable tooling to launch attacks.

[David Spark] You know what, it’s interesting you mentioned this because I said this a while ago. I go, given that all this software is either offered as a service, like this ransomware as a service thing, or the info stealers download… It used to be you had to have technical knowledge and essentially low morals and be a criminal.

But now you don’t have to have the technical knowledge, just the low morals and be a criminal. It’s really lowered the barrier to entry, hasn’t it?

[Trevor Hilligoss] Yeah. You don’t even have to set up command and control infrastructure anymore. A lot of these stealers come… You just plug in a Telegram Bot token, and it’s going to just stream all of the creds that it siphons off to some Telegram channel.

It is really amazing, the advances that these guys are coming out with. Just to touch on real quick Russell’s point, I really, really like the point there about the specialization of labor. We’ve seen this time and time again in these very large… Whether it’s a ransomware group or some other financially motivated threat actor group where they will specialize.

They will have people that are their designated access brokers whose job it is to go out there and acquire this access. They will have customer service representatives. They will have people that call themselves pen testers that are really nothing but attackers in disguise.

So, all of these… It operates very similar to how a legitimate business operates where you have people that do specific…that perform specific roles. It just so happens that it’s part of a criminal organization.

[David Spark] Steve, your thoughts on the info stealer model?

[Steve Zalewski] It’s going to get worse before it gets better. Here’s why I say that – we come into this conversation thinking about large enterprise and our ability to put a defensive perimeter up, have controls, have teams. But more and more, it’s the nonprofits.

It’s the personal type of websites. It’s the small to medium business that have to have an internet presence now to be able to do business that don’t have the sophistication. And so we’re actually creating this large bubble of new opportunity where they’re just not in a position to realize the minimum they have to have, and so we’re opening up more and more capability for the info stealers and some of these others to just get in and open the door for the other types of attacks.

And so what worries me is not the Fortune 1000. We’re talking about that, and we’re making it harder. It’s the other 10,000 businesses out there, nonprofits, everything else, that are focused on something else that have to have this presence, that are opening the door for these type of attack sequences that are really going to harm us.

Closing

28:16.923

[David Spark] Well, that brings us to the tail end of today’s discussion. Thank you both very much. I think this was pretty eye opening because we have a very closed mind when it comes to phishing. And tagging your comment or the line that we’ve heard many times is attackers don’t attack, they log in.

But the login means there is a lot of backstory that happened before that, and that’s essentially this show is what’s the backstory. “What the heck happened here?” Trevor, your favorite quote from today’s discussion, and why.

[Trevor Hilligoss] Yeah, David. I think my favorite quote is that last one that we talked about from Russell. Really it’s that the commodification of the attack surface and how easy it has become for someone to enter into… Like you said, all it really requires now is that you have a lack of ethics and a desire for money.

I guess I’m paraphrasing your exact quote there.

[David Spark] Good enough.

[Trevor Hilligoss] But you’ve got a couple hundred bucks in Bitcoin and a little bit of know how, at least to follow a guide that’s written for you, and you can very quickly gain a massive amount of credentials that you can then sell, maybe sell to an access broker that goes to a ransomware affiliate.

Maybe just do your own, drain a couple crypto accounts or trade some Netflix accounts. The levels of sophistication here vary, but just the ease of use for the criminal side is really surprising to me. I think it’s something we should all be aware of and rightly concerned about.

[David Spark] Steve, your favorite quote, and why.

[Steve Zalewski] There were a couple here, but I’m going to go with Mike Van Orden from Emanate Security where it says, “Indicators along the attack path can be strung together to trigger that sixth sense.” To go back to kind of where we were closing with Russell, which was the key here is not the Fortune 1000 that we already have pretty good attempt at putting this together.

It’s for everybody else and the fact that these things are landing and moving that our ability to string together the data to tell the story of we’re under attack I think is really where maybe we need some additional innovation for the small to medium, to be able to get that visibility, to be able to raise the bar for those that just don’t have the sophistication.

[David Spark] Excellent point. Well, that brings us to the very end of our show. I want to give a huge thanks to both of you, Steve and to Mr. Trevor Hilligoss, who is the senior director of security research over at SpyCloud, for joining us today. I want to thank your company, Trevor.

SpyCloud, act on what criminals know about your business. In fact everything we’ve been discussing today SpyCloud can help you with. Go to their website, spycloud.com/ciso. And two things you can do there – one they’ve got this really cool research on what’s happening.

Essentially it sounds like a good third of what the heck is going on in terms of pre-ransomware nonsense, they have some insight into. And then on top of it, have a free scan. Find out what number of info stealers are currently sucking up information about your business right now.

Trevor, any last thoughts? Any ways you want people to reach out to you, connect with you over at SpyCloud? Let us know.

[Trevor Hilligoss] Yeah, you can absolutely get in touch with us through SpyCloud. I will foot stomp on that report. Our own principal data scientist, Dr. Wallis Romzek, did a fantastic job. The research is ongoing, too. So, we hope to release some follow up research along the same lines, hopefully some additional context and conclusions along with that.

And that will all be posted on our blog.

[David Spark] Awesome. That is fantastic to hear. Thank you very much, Trevor. Thank you very much, Steve. Thank you so much to SpyCloud as well, and thank you to our audience. We greatly appreciate your contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please, write a review. Leave a comment on LinkedIn or on our site, ciso-dev.davidspark.dcgws.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.