How is ransomware getting into your network? Is the path direct, like via email, or does it take a more circuitous route?

Check out this post and this post for the basis for our conversation on this week’s episode, which features me, David Spark (@dspark), producer of CISO Series, my co-host Steve Zalewski, and our sponsored guest Ryan Kalember (@rkalember), EVP, cybersecurity strategy, Proofpoint.

Got feedback? Join the conversation on LinkedIn.

Thanks to our sponsor, Proofpoint

Sixty-six percent of CISOs feel their organization is unprepared to handle a cyberattack, and 58% consider human error to be their biggest cyber vulnerability. Proofpoint’s 2021 Voice of the CISO report explores key challenges facing CISOs after an unprecedented twelve months. Get the report.

Full transcript

David Spark

How is ransomware getting into your network? Is the path direct, like via email, or does it take a more circuitous route?

Voiceover

You’re listening to Defense in Depth.

David Spark

Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series, and joining me for this very episode is the one and only Steve Zalewski. Steve, could we hear the sound of your voice at this point?

Steve Zalewski

Good morning David.

David Spark

Hopefully you’ll be singing more later in the show. Our sponsor for today’s episode is Proofpoint, and Proofpoint has been a phenomenal sponsor of the CISO Series, so thank you so much, Proofpoint, for sponsoring. Not only that, they brought our topic and our guest for today’s episode. More on that in just a moment, but first let’s talk about the topic. Steve, you asked the community a question about how they thought ransomware was getting into their network and if they had the right defenses to thwart it. Set us up on this conversation.

Steve Zalewski

Sure David. So, ransomware has been in the news a ton.

David Spark

Too much, I will say.

Steve Zalewski

Too much and almost to the point where people are tired of hearing about it, it’s almost like it’s a dead topic because they’re just tired of it. Proofpoint posted some research on the recent ransomware attacks that I thought was worthy of conversation. But I took a step back and I thought, “How are the practitioners as a whole, thinking about ransomware?” “How is it getting in?” And so, the idea for me was to pose a very simple question that said, it continues to come in, how is it coming in? Just to get a pulse on all of my peers to see what’s happening. And so that was the set up for this episode.

David Spark

And what I think was interesting in the comments was how people believed it was getting in versus how it was actually getting in, two very, very different things, and that’s what’s going to be super enlightening in this conversation. And to help us with that, and who has a lot of insight on this topic, is our sponsored guest, Ryan Kalember, who is the EVP of cybersecurity strategy for Proofpoint. Ryan, thank you so much for joining us.

Ryan Kalember

Great to be here, David.

What’s going on?

00:02:19:05

David Spark

Dalton Roth of IronNet Cybersecurity said, “Proofpoint’s findings suggest that ransomware is rarely distributed via email, but the access received from phishing campaigns is then sold to ransomware affiliates.” And Jonathan Waldrop of Insight Global said, “Phishing might be the easiest way to gain a foothold into the environment, and then use that identity to pivot. It comes down to semantics and the overall timeline.” So, I kind of like Jonathan’s comment about it coming down to semantics and the overall timeline, because it seems that even though the direct phishing path, you phish, you click, ransomware, ta-da, now you’re nailed, happens less, there is usually a moment of phishing that begins the process. Steve? Or not? Or what did you see, Steve? Well, I definitely want Ryan’s take on this.

Steve Zalewski

Yes, so when I set up the question, I was expecting a lot of variability in the response, people looking at the Proofpoint analysis, offering perspectives around RDP. And what you heard, I think, was a limited set of responses that were all pretty much the same, which was, “Look, we’re tired of ransomware, we’re tired of talking about it,” and for the most part, ransomware requires detonation on an endpoint, okay? So you’ve either got to have credentials to enable the detonation, or you’ve got to come through living off the land and leverage some vulnerability that gets you elevated access to then detonate a piece of malicious malware. It comes down to those two things, and a lot of the comments get back to: generally, it’s not living off the land that’s the majority of the problem still, it’s that people are compromising credentials, either because they’re weak or because of a phishing campaign. And then they’re finding a weak point to do the first detonation, and then game on.

David Spark

Ryan, I take it to you. Is this an issue of semantics, and how do you define the line of what a straight phishing hack is versus a non-straight phishing hack? What is the issue regarding semantics, and is it a critical issue that we need to address?

Ryan Kalember

I think we should certainly be operating off the same terms. So semantics do matter here, and ultimately, you do have a ransomware ecosystem that is largely divided between the initial access, we even have threat actors that we call initial access brokers now, and what people do after the point at which that access has been gained, to Steve’s point earlier. And really there are three key things that initial access brokers rely on, and yes, email phishing is one of them. That doesn’t necessarily mean phishing for credentials, it could mean dropping very modular malware that now largely goes by the name downloader.

In the past, many of the same malware families were in fact called banking trojans, because that’s what they used to be, and updating the code base is certainly easier than creating malware from scratch for most of these groups. The second and third most common vectors in: Steve, you mentioned remote desktop protocol, some credential that gives you easy access either into the full network, like a VPN that doesn’t have multi-factor authentication turned on, or remote desktop protocol, which is still how most very small organizations get ransomwared.

That’s operating on easy mode for the attackers. You already have most of the steps taken care of if you’re already operating with legitimate credentials and you have a remote desktop protocol path into the organization, just from the internet. The third category, and this is one that ebbs and flows, and Steve, you mentioned this as well, is vulnerabilities, but vulnerabilities in edge devices. It has to be something that faces the internet for it to be a viable channel of initial access. And this bounces around; when we had the VPN vulnerabilities, the Exchange vulnerability, you’ll see a spike in that.

But even that, taken together, is a minority of attributable ransomware incidents. It is still email that is unfortunately number one, at least as far as the first step goes. But going back to your point around semantics, David, if you separate the initial access from the actual ransomwaring of the environment, you can make a lot more progress on the attack chain and you can think about defense in depth a lot more productively, because you do very different things to stop initial access versus the ransomware actor once they’re already into the environment.

How did we get here?

00:06:58:24

David Spark

Eric Bärenzung of 0x70 said, quote, “The first step in a ransomware attack has shifted from direct email threat to the exploitation of RDP vulnerabilities.” Exactly what you said, Ryan. “The increase of remote working users offers thus an opportunity for even more attacks if RDP infrastructure is not well managed.” So let’s get to that last comment that Eric made. If we’ve got so much remote access happening right now, and, as Ryan said, getting legitimate credentials is easy mode for an attacker, what are we failing at then, in terms of protecting ourselves better from ransomware? Steve.

Steve Zalewski

I read this and I just get frustrated. If only Covid didn’t happen, if only we could stay with the infrastructures we had that were tried and true, and we didn’t have to redesign much of our remote access as a result of everybody working from home. If we could have just left well enough alone. That’s why I get frustrated, which is that a lot of the RDP risks now are the fact that we had to pivot from what we knew. And go to zero trust and go to, like Ryan talked about, our endpoints are everywhere, and so therefore RDP access is not just the traditional “get control of my admin password to be able to remote in,” so much as now what I’m having to do is rethink some of the security patterns to be able to allow my remote workforce in. And I’m moving faster than my capabilities to secure allow. And so again, people aren’t doing dumb things, it’s just we’ve had to move much faster than the security.

David Spark

Just to keep business running.

Steve Zalewski

Just to keep business running. And so even as I look at this and I talk here, you’re realizing the RDP remote desktop is the old way of admins coming in, or your support desk. But more and more companies are having to use RDP as opposed to virtual desktops or VPNs; they’re being creative in the need to meet the business and not using the best security controls.

David Spark

And Ryan, is it as simple as that? It’s just the fact that Covid came along, and the amount of remote access has just exploded exponentially, and that just offered, as you said, more easy modes for the ransomware attackers?

Ryan Kalember

I think to some extent that’s true, and it was an acceleration of an existing trend. But when you think about RDP in context, this is not new in terms of its use in ransomware; it has actually dominated how small and medium-sized businesses got ransomwared for years now, with the exception of 2016, which was the great tidal wave of ransomware as a phishing payload, which some of us had the displeasure of living through. But moving on to where we find ourselves today, it’s an inversion of the classic paradigm, where we normally say, “Oh, phishing or email attacks are the easiest way into most organizations.” If you’re leaving 3389 open to the outside world and it’s protected by just a password, that’s easier, it really is. And the one thing about ransomware that is fascinating is that it is equal opportunity. Every organization has ransomware in their threat model, no matter what you do, because everyone can be extorted to some extent. And that means that basically RDP and single-factor VPN credentials, as well as obviously exploitable edge devices where there’s public exploit code and we know it’s happening in the wild, are actually easier than the traditional attacker path of, “I’m going to pick out somebody who I think can enable macros on a spreadsheet,” and drop malware that way, live off the land, escalate privileges and do something that is in fact a more complex attack chain. But yes, Covid accelerated it, and it meant that, to Steve’s point, some people made changes to how remote access and remote management happened without actually revisiting their security controls, which unfortunately some are paying for right now.

Steve Zalewski

And I will pick on this too, which is, for everybody that allows their users to have administrative access to their endpoint, shame on you that you still have that policy in place. Because if you didn’t allow admin access, at least all the normal users wouldn’t be held liable to the weak passwords as we’re trying to protect the company.

David Spark

Ryan, one other issue that I want to highlight, and it’s talked about in this report, is that these stolen credentials are really held by organizations that then sell them to others to do the ransomware attacks. Usually, and correct me if I’m wrong here, the one actually administering the ransomware is not the organization that did the initial break-in, yes?

Ryan Kalember

I think that’s largely true. There are some, you’d call them vertically integrated threat actors, that are capable of doing the entire chain. But one of the things that we actually put out in the recent research is a fairly detailed analysis of ten different groups that all function as those initial access brokers. And I would introduce one nuance: sometimes they are selling just RDP credentials, log in, you’re administrator, and they’re trying to figure out how to monetize that pretty directly. Sometimes they’re not selling credentials. I have a downloader that is on a machine inside this environment, the machine is domain-joined, this is the domain. I have gathered some information about what that domain looks like and what the machine is that I have access to. Now I need to turn it over to somebody who has classic red team type skills, who knows how to dump creds, who knows how to escalate privilege, who knows how to get all the way to domain admin, where you can actually engage your preferred ransomware-as-a-service operator and ransomware the whole environment. So there is the malware side of this as well, and those threat actors, they’re really the same guys that we saw for years dropping banking trojans, because they’re not really attached to anything in particular. They have great malware frameworks that have become really modular, they do multiple different things, and they can be extremely opportunistic about the infections that they get, the downloaders that they drop and how they then monetize that access, even if it’s not something quite so straightforward as, “Here’s the RDP password, go crazy.”

What aspects haven’t been considered?

00:13:42:17

David Spark

Delonte Wellington of Appgate said, “If your network assets are invisible for ransomware to spread to, and access to that invisible network is based on a dynamic situational understanding of that, quote, ‘user’ prior to connectivity being delivered, how does it get into your network?” So, I’m interested in what our thoughts are on this building of an invisible network that Delonte throws out. And then Emanuel Gutierrez of Fidelis Cybersecurity said, quote, “I agree that one key metric has to be dwell time. What used to be months inside the network/environment has now turned to days. Attackers are being more efficient.” And I think that speaks to your comment, Ryan, about someone saying, “Hey, I have a downloader in the system, well, I don’t need to do the reconnaissance here, it’s been done for me, I just need to do the damage.” So actually I’ll start with you: what’s your take on Delonte’s and Emanuel’s comments about an invisible network and the speed of dwell time now?

Ryan Kalember

So it’s very hard to be invisible if you have Active Directory, and I think that is the core point that I would make here, and very few organizations have managed to move on from Active Directory. In my mind, some of the most interesting ransomware incidents lately have actually started with Azure AD account compromises, which then get leveraged into access in the on-prem AD, which is where the attacker ultimately wants to go if you’re going to ransomware as much of an environment as possible. So yes, it would actually be helpful if your network were invisible to the outside world, from the perspective of just simply not being on the IPv4 internet; that would save you from some of those edge device vulnerabilities that we’ve seen too much of, especially in things like VPN devices. However, the computers on your network in the traditional sense are not invisible to each other if you have Active Directory. They are not, there’s just not a way to do that. If you’ve moved past Active Directory and you’ve moved toward a more BeyondCorp, zero-trusty world, congratulations, because that would actually be a meaningful mitigating factor in ransomware not being able to spread from an initial compromised endpoint or set of credentials to the broader network. But unfortunately almost everybody has got AD and they can’t rip it out overnight. I would actually add that Emanuel’s point is an interesting one, but unfortunately I would say his metrics are off by a decimal point or two. We have seen downloader to Cobalt Strike in 12 minutes in some cases, when it is on a sufficiently interesting compromised device. And so this is not a different attack path or attack chain than we’ve seen for years; we’ve just seen it in the past from red teams and APT actors. And now going from initial downloader, fingerprint the machine, drop a Cobalt Strike beacon and move on from there, that’s become an extremely quick process if you’re a juicy enough target.
And there is certainly some planning that goes on for these initial access brokers, which means that invisible networks or dwell time are things that we simply have to recalibrate in light of their tactics.

David Spark

Alright, taking off what Ryan just said, how far are we from, quote, “invisible networks,” Steve? And this dwell time situation, it is so quick that we’re dealing with a speed that we can’t comprehend.

Steve Zalewski

Yes, so let me talk to invisible networks. And I would say that’s what network segmentation is: we’re security zoning. And this whole idea of being able to dynamically reconfigure your assets, so that invisibility has more to do with the fact that the assets keep changing their color, their personalities, so that they look invisible, so they fit in and they keep changing. And that’s a lot of what we’re trying to do, but that complexity is difficult to do. And so therefore there are answers to trying to manage invisible networks, but if it’s wrong, then obscurity is no defense. And so therefore we get hit, and that’s why we’re having a hard time with that. It’s the same thing when you go to app-level VPN, that is really the role, which was stop giving coarse-grained access, so make the assets more ephemeral. Give them smaller and smaller personalities and visibilities, and change them up, so therefore the bad guys constantly have to work harder to find the same asset as it keeps changing its name. That’s kind of my practical side of here’s what you have to do to be able to reintroduce invisibility. But not in its old-school sense of “it can’t exist,” it’s got to exist, you’ve got to see it. The second part, the bad guys use automation, they’re not sitting around banging a keyboard, they’re just waiting for us to make a mistake. And it’s seconds, it’s not minutes. 12 minutes from the time it was found to the time it was exploited, that’s all automation. And it’s gone to seconds because that is just literally speeds and feeds. And so the key for me: as long as automation by the bad guys continues to be first and foremost, because they’re not afraid, and we continue to be afraid of automation and wanting to put people in the loop to make sure that we don’t cause a business outage, we lost the game.

What are we going to do now?

00:19:21:24

David Spark

On another thread on Twitter, initiated by Robert Graham of Errata Security, many people offered advice about dealing with ransomware, and the advice was around backups, isolating backups and preventing them from being deleted. A few of the other comments: one from Jason Schelert, he said, quote, “Building out decision trees for executives and, gulp, payment options/brokers, should it arise.” Also he mentions segmentation, testing recovery, locking down databases and trying to restructure and lock down file systems. And also Definitepotato, that’s her Twitter handle, said, quote, “User files and critical infrastructure are actively pushed to a version-controlled endpoint on changes. We retain X number of change versions at any given time. And if we need to break the glass we can roll back to a known good file state.” So, the topic of dealing with ransomware, it’s a whole other show. But I do want to touch upon it on this show as well. My feeling is the focus on the recovery is really kind of the key thing to deal with here, and while, yes, you do want to have secure systems, I don’t think there’s enough focus on recovery. Is there, Steve?

Steve Zalewski

So, recovery was what I would call the old-school conversation: cybersecurity is about securing the company and its hard walls, and then if they get through, trying to recover. Resiliency is the new word; it’s an appreciation that business outages are continuous through attack, and that we can be resilient through that and limit the attacks when they happen. So it’s giving up on the solid wall, defense-in-depth resiliency, and knowing how we can use our own speeds to confuse the enemy. And so, when I look at this and think about it, and ransomware and what do we do, everybody is tired of it, but it gets back to what are we doing to make it harder for the bad guys to do damage to our companies when it’s inevitable that they will.

David Spark

Ryan, I throw this to you: it’s not recovery, it’s resiliency. Do you agree?

Ryan Kalember

I particularly agree with the last comment that Steve made: it is about making the attacker’s job harder. And right now, we’ve had way too many incidents where the attacker’s job was not very hard. And ultimately, you do look at the numbers here, and you do look at prevention as what everybody, including CISA, is recommending most organizations focus on. The cybersecurity haves, the one percent, can absolutely go down the path of micro-segmentation and zero trust and actually doing very elaborate things with backup that would prevent an attacker, even with a very high level of privilege, from deleting the backups. But that’s not on the table for the vast majority of the organizations, like school districts and hospitals, that we see getting ransomwared pretty constantly. So with that, I go back to the numbers: how are the attackers actually being successful, and which of their tools could you take away to make it hard for them? Well, yes, statistically, email is the number one thing you want to take away from them, in terms of reported ransomware incidents. I was talking to a CISO last week who was in the oil and gas space, and he mentioned that even before Colonial, which was a VPN credential, as we all recall, he had 13 other of his supply chain components, pipeline operators and otherwise, affected by ransomware over the last 12 months. And before Colonial, all 13 of them who had actually done the DFIR work had traced it back to an email. So, you certainly want to make the attacker’s job harder there. Remote desktop, though, and VPN and remote access, as we discussed, might even be easier than email into certain environments, so that’s absolutely something to focus on. And while I think the idea that Jason threw out about having a plan is an incredibly valid one, that also is, to me, the more productive conversation around resilience.
There’s a lot of stuff that we would all like to do if we had an infinite amount of time and resources, but at the very least, we’ve got to have a plan. Figuring this out in the middle of a ransomware incident, when nothing is working and it’s hard enough to communicate, that is suboptimal. And every organization, regardless of resource levels, should invest in doing that. But at the end of the day, it really is about what Steve said: make the attacker’s job harder.

Steve Zalewski

That’s right, we need a plan, not a prayer.

Closing

00:24:09:04

David Spark

Make it harder, tabletop exercises, I strongly advise both of those. Excellent points, gentlemen, good place to stop, and it is also the point where I ask both of you what was your favorite quote and why. I will begin with you, Mr. Steve Zalewski. What was your favorite comment on this topic and why?

Steve Zalewski

I like Dalton Roth from IronNet Security. I’m going to go with him: “Proofpoint’s findings suggest that ransomware is rarely distributed via email, but the access received from phishing campaigns is then sold to ransomware affiliates.”

David Spark

That’s kind of the theme of the report it seems.

Steve Zalewski

Theme of the report. Here’s how I net it out: passwords are still the weakest link. If I get your password, then I can do more attacking, and so we’re back to what’s the weakest link in all of this. RDP access, again, passwords. So they’re using different ways of realizing that passwords are still the weakest link, so we’ve got to continue to tighten that up.

David Spark

MFA is a good first step. Ryan, your favorite quote and why?

Ryan Kalember

I’ve got to go with Jonathan Waldrop: “Phishing might be the easiest way to gain a foothold into the environment, and then use that identity to pivot. It comes down to semantics,” which we talked about, “and the overall timeline.” Oddly enough, though, we are in a world in which phishing means a couple of different things. So the focus on credentials is absolutely spot on and critical; we should MFA all of the things, especially the things that face the internet. But we should also not forget about downloaders. I’ll just give you our own data: we stopped over 15 million malicious downloaders over the last 12 months targeted at our customers, and that is a small fraction of the total being sent to organizations around the world. And malware has developed the ability to steal credentials, and downloaders are wonderfully modular things, so ultimately making those more challenging to get into the environment, per the point that Jonathan makes, is a really, really valuable thing to focus on.

David Spark

Excellent point. Now to the final point of our show. I want to thank you very much, Ryan, and I want to thank you, Steve, and I want to thank our sponsor, your company, Ryan, Proofpoint, for sponsoring this very episode. You have the very last word, Ryan, but first, Steve, any last thoughts on this topic and our guest?

Steve Zalewski

I would say everybody is sick of talking about this topic.

David Spark

So we brought it up again, is that what you are saying?

Ryan Kalember

And so we brought it up again.

Steve Zalewski

Absolutely, the beatings will continue until morale improves.

David Spark

Anyways, Ryan, please make a plug for Proofpoint, any offers that you have for our audience. We always ask if you’re hiring as well, so let us know.

Ryan Kalember

Absolutely. So when it comes to ransomware, we might be sick of talking about it, but we’re much more sick of dealing with it. So ultimately, I do recommend that everybody just do the basics. If you do email hygiene, get RDP, 3389, go look at that port, and the VPN access and edge device vulnerabilities are under control, everything will be better in your world. If you want a free view into what all those downloaders look like targeting your users, we’re obviously always happy to deliver that for any organization of any size. And David, we are hiring, quite a lot actually, and there are roles all over the organization, from threat research to my own team, which has the residency, so organization for those of you who are CISOs, or recovering CISOs. Proofpoint.com is your one-stop shop for all that info.

David Spark

And to get that free view, contact Proofpoint.com or some other avenue? How do you do that?

Ryan Kalember

Yes, there’s a free trial form right there on the website.

David Spark

Ah, perfect, excellent. Alright, well, thank you very much, Ryan, thank you very much, Steve, thank you again to Proofpoint, we greatly appreciate it, and thank you to our audience as well. As I always say, thank you so much for contributing and listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.