Podcast Intro: Cybercrime has evolved from just small-time criminals (who are still active and profiting) to massive organizations with many hackers – becoming big business. Fayyaz Rajpari, our Executive Services Director discusses this evolution with Ron Darnall, our senior direct director of threat intelligence and Ken Dunham, our senior technical director, Cyber Operations.
Fayyaz Rajpari: Hello everyone, and welcome to Optiv's Cyberops podcast. I'm your host, Fayyaz Rajpari. So, I'll be honest, I'm really excited today to talk to everyone and I've got a couple of guests in the room with me. I'm here today to discuss a hot topic in the cybersecurity realm, and that’s really the bad guys. I can say with confidence that I don’t know many industries that have not been affected by some cyber-criminal, from the smallest to the largest organizations. But, have we thought of looking at this from the cyber-criminal perspective? Why their doing this? What their after? And really, how large of an operation do they really have, and can they be as big as a fortune 10?
So, I’m here today with Ken Dunham and Ron Darnell. Before we start, maybe start with Ron. Can you give me a background on yourself and what you do at Optiv?
Ron Darnall: Sure! So, I'm the senior director at Optiv of threat intelligence and threat analysis and prior to coming to Optiv, I was with Booz Allen in their Cyber Fusion Center assessment teams. And prior to that, spent a lot of time in the credit card industry. So, I've been at this, on the security side, probably twenty-five years, and then another ten years before that just in I.T. in general and data center operations.
Fayyaz Rajpari: All right, well Ron, I'm gonna have a lot of questions for you. I'm gonna give it to Ken and then we'll start talking here.
Ken Dunham: Thank you, Fayyaz, and good morning everyone. I have been in the security industry for about thirty years and I've been working really on the edge of innovation and the tip of the spear for most of that. For example, around the turn of the century, we invented what we call “responsible disclosure”, which is the process that Microsoft and other companies now use as a way to secure vulnerabilities from the bad guys, the good guys, and everybody in between. And then to go through a responsible disclosure process to give the defensive people a chance to work on a patch and be able to then deploy that without any problems from an adversarial perspective, compared to how it used to be back in the wild, wild west days. So, a lot of work in incident response and adversarial counterintelligence Dark Web, working in pretty much every country in the world at some point on various threats. Russian Business Network and that sort of thing.
Ken Dunham: I'm excited about the topic we're gonna be talking about today. And in regards to what I do at Optiv, my job is to help out with connecting the people and the process and the technology to be highly effective towards our various services and solutions.
Fayyaz Rajpari: Awesome, thank you Ken. So, quick for the folks that don't know me, I also have a background in security and been doing this for twenty years, similar to Ron and Ken. Background intelligence and also cyber operations, as you call it, but really more around, you know, monitoring what the bad guys are doing and what they've done and how impactful they've been to organizations. So, I'm really excited to be here to have this conversation with you guys.
Fayyaz Rajpari: So, you know, taking a step back, right, if we look at the bigger picture of the victim landscape and really all the organizations are out there, you know, I think of this as two different networks, right? We've got the good guys and we obviously have the bad guys as well. If you look at both teams, is it a fair match? Do we have enough on both sides? What are your thoughts?
Ken Dunham: Well, this is Ken. When I grew up, the threat landscape was a lot different than what it is today. So, I think it's a great question on is it fair what's happening, has it increased? And part of what I'm thinking, from a perspective standpoint, is that the internet and that interconnectivity that came about in the mid-90s is really a game changer. Because now we're not dealing with localized threats, local criminals, the people that you would know in your small town, USA, or your small town in Europe or wherever you live. Now, it's anybody can attack anywhere at any time. For example, when Voice Over IP was being abused for fishing and it came up with the term called vishing, what was happening there is an individual in Romania was attacking using vishing techniques. Different places around the world every day. One time I saw him doing an attack against a place in Idaho, and the next day it was Canada, the next day it was Australia.
Ken Dunham: Then that's a game changer 'cause now we have a small-time criminal who can do a global-scaled attack and get away with it with complete anonymization.
Fayyaz Rajpari: So, yeah and kinda going back to, what you just said, small-time criminal, right? I think of this as being larger as well, right? So, we're not just dealing with the... and I think that was a point in time where we were dealing with the small-time criminals, but at this point, I mean like you said, we are dealing with, you know, thousands and many times they have their own networks. Just like an organization does or any company has their own defending network, they've got their own opposing networks that are after something or someone. Would you agree and can you comment?
Ken Dunham: Yeah, absolutely. And that's a very good point. I think some people are now aware of what is known as the Russian Business Network, or RBN, which is a group that we targeted in St. Petersburg and Moscow and others a long time ago and now it's a little bit more public knowledge. But, everybody talks about Russians generically, like the Russians are doing it or the Chinese because of their power and their maturity. But, the answer is that they were doing large-scale multimillion-dollar fraud attacks that were highly successful, especially against the banking industry at the turn of a century. Much longer and previously before everybody else had public knowledge of this, that's what was happening. Because it takes a while for things that are happening to eventually bubble to the surface for people to know and to believe and then to understand the full scope, not unlike say dwell time in an incident. And then all of a sudden, you realize holy cow! This has been going on for a long time.
Ken Dunham: So, the Russians have been doing this for a long time and they're very successful, as are a large number of other entities out there in the world because this is a place they can cash in and make money and they're very very mature.
Ron Darnall: Yeah, and I think, Ken, in addition to that, you really needed to spell the myth that hackers are twelve-year-olds working out of their parents' basement, right? While that entity may still exist, they're not as organized, they're not as sophisticated as what you've just described.
Ken Dunham: That's actually a really good point. That reminds me of Jeffrey Lee Parsons, who was arrested by the FBI. He was in his parents' basement, and he was arrested because he had hosted a threat related to, I think it was Blaster B or one of the variants there of back in the year of the worm, 2003-2004 time frame. And the FBI really didn't actually think that it was him because it was registered in his name, hosted on his computer, and right there in their parents' basement. But he had just downloaded something off of a Chinese website, I believe it was, and hosted it, and ran it, and then ended up being the poster child for don't do bad things at home. But, you know, now what we have are very sophisticated threats. I've seen literally new Zero Day threats against entities being launched every single day or two that are new and different, each one of them. And that's a very sophisticated, expensive, complex infrastructure. Attacks that took hundreds of thousands of dollars to put into place from an infrastructure perspective, when they're highly focused and targeted against critical assets.
Fayyaz Rajpari: You put some quantification on there, right? You added some numbers. I'm interested in knowing, you know, how many are we dealing with and what is that number from a cyber criminals perspective? Can you quantify that as what that number would look like in your eyes?
Ken Dunham: Well, that's a tough question because you only know what you know and in the world of intelligence, you're only going to have parts of the puzzle. So, imagine putting together a thousand piece puzzle and maybe you only have twenty pieces, or maybe you have 850, right? But I can say that there are reports out there that help to show the scale and the scope of it. I can't think of any off the top of my head, but I can tell you this. In the world of intelligence proper and the work that I had done there, you know, we had specific, regular reporting being done in pretty much every geolocation that mattered on the face of the planet because there was a lot of activity taking place in every single one of those. Everything from the opportunistic to the highly targeted. I mean even in 2003, with the Yaha Lentin and Indian Snakes, Pakistani border conflict, we saw that they were able to go out and perform scans of the entire network of Pakistan and then perform exploited tax and logic bombs against every single computer in that country. And that was in 2003, fifteen years ago plus.
Ron Darnall: Yeah, I think you also need to realize, Fayyaz, that it's simple for them to magnify their efforts, right? Particularly, as we continue to expand the internet of things and there are more and more devices online and more and more devices that can be leveraged, while the team needs to be organized, whether it's two people, twenty people, 200 hundred people, that element doesn't matter. It's how they're able to leverage other devices and magnify their efforts so that they can capture other machines, exploit other machines, and magnify their attack.
Ken Dunham: Yeah, that's an excellent point and another thing to think about is what we call "tools, tactics, and procedures, or TTPs encompassing", as a defender we have thousands of things we have to look at, just download any of the controls and frameworks and take a look at it. And you're gonna be lucky if you even get five or ten of those things really well done in a large global company. And if you've done that, you're already probably doing better than the rest. Nobody gets 100 percent of it right. But how many times does a bad guy have to be successful? Just once. We have hundreds of things to be successful for that are dynamic and constantly changing and it's a nightmare to manage. Bad guys only need to be successful once and they can repeat that millions or thousands of times over, you know, based on whatever their scale and their automation is, and do it globally.
Fayyaz Rajpari: That's so true. You know, you mentioned TTPs, right? So that's becoming a big component of detection capabilities for the bad guys, and how does a good guy really detect? And I, you know, from my perspective I always liked to put it back in Layman’s terms and use the analogy of my own home, right? So, if a bad guy was coming in, I've got my normal detection capabilities of a door, my door locks, my cameras in front, but what if the bad guy just literally comes in from my backyard and through a window in my basement, right? Did I have something there to detect upon that? You know, I think that's a capability that I don't know if many organizations can detect against when you're talking about their tactics and procedures and I don't know if you have any comments on there or if there's something that organizations can do really to help detecting against those types of TTPs. Because I really feel like that is a hard area to conquer properly.
Ron Darnall: Surveillance is done, whether it's done digitally or done physically. So, the bad guys still do surveillance. And maybe they come and what we used to call "rattle the door knob", right? They check to see whether it's through a port scan or some other activity, they check to see what kinds of things are open and available. Then maybe they go away for a week or two so that they're not triggering some other alert and then they come back in and maybe see if they can go a little farther, right? They continue to do that effort because while it looks like they're only there for thirty seconds in your environment, they've got a million targets that they're hitting next, right? So, they can just go through a routine or a cycle, perform that surveillance, continue to gather their own intelligence, right? We talk about it as though we're providing intelligence. They're doing the same thing, gaining intelligence on additional environments and which ones of those would be easier to attack and then also trying to find out where the gold is kept.
Fayyaz Rajpari: Yeah, so let's talk about that for a minute here, right? You know, you mentioned where the gold is kept, right? So that tells me that the attackers are always after, you know, maybe it's monetary or financial. Is that true? Do they have anything else that they'd be interested in taking? When you're talking about attacker motivations, typically, you know, you think of like the Russians that are after monetary gains or financial gains. Would you consider that that's mainly the main target? Are there anything else that an attacker would be after? Why are they after, say organizations that are in a complete different field, say like media or, you know, in manufacturing. What are they going to take?
Ken Dunham: That's a really question and I would have to say very strongly that attacks always follow assets. I'll say that one more time 'cause it's important. Attacks always follow the assets. And so, in my mind there's a few main motivations. One of them is hacktivism where somebody is politically or ideologically motivated, you know? I've handled cases where somebody was concerned about animals and somebody was making fur coats and then they start attacking them or wanting to go to their plant or put a bomb in there or whatever it's going to be. And then doing investigations and responses around that. They're politically and ideologically motivated and they have their own TTPs associated with that behavior or that action. And then you have the digital, or electronic crime, or E crime as we called it back in the day. They want your money.
Ken Dunham: And then there is the nation state. And nation state and/or espionage is not just like cyber warfare but it also can be, and we've seen a lot of this actually, corporations trying to steal IP from a competitor or trying to even do things where they put somebody inside of your environment and have them spread a virus on purpose just so that you get negative press and you lose market share compared to them. So there are a variety of means and motivations for the different actors based on what they're attempting to accomplish. And the internet and this global, interconnected medium that we have, is how they're able to then accomplish that.
Ron Darnall: So Ken, expanding on that, right, the pursuit of intellectual property, the method used to be if I could get someone inside, right, I'd have to send a dozen or so people to apply for a job so that they could get inside and now that capability is done through fishing emails, right? Average first response on a fishing email is ninety seconds. Wouldn't you love to have your emails responded to in ninety seconds? But the bad guy sends a ton of emails, fishing emails, someone clicks on it, and now they have literally the same advantage as having gotten an employee hired in that is part of the bad guy network, right? So, then they can begin to explore and go after that intellectual property and maybe the device they got into doesn't have the access that they need as far as the specific intellectual property. But it gives them a door and the ability to research further as to what they do want to capture.
Ken Dunham: That's a very good point and, you know, on top of that too another advantage that the bad guys have is that there are a variety of tools that are available that make it trivial. For example, Mimi Cat can be downloaded to that machine that was just compromised in that fishing attack and you can run a single statement in a command line mode in Mimi Cats and I can immediately have all the credentials and everything I need to start to form lateral movement, capture the administration passwords, possibly even domain admit, keys to the kingdom.
Fayyaz Rajpari: So, yeah and kind of talking about that, right, you mentioned a specific tool that an attacker can use and it's definitely an interesting era that we're in, right? Being in this industry for twenty years, there's been a massive explosion of tech and start-ups over the past few years. And I think that you guys would both agree and both on the good guy side, right, as well. You know, last conference I went to there's thousands of vendors out there that are selling you a tool to detect against things like this. So, why is it so hard? What's...given all the technology at our disposal, right? Somewhere in the range of I don't know how many security vendors that are out there providing any security you can possibly imagine, protection, detection, security controls, visibility, analytics, orchestration, now there's AI, ML. Why are the biggest defenders and Fortune 100s having trouble keeping these guys out?
Ron Darnall: The network is large. That's my simple answer, right? If you're in a Fortune 100, you could have hundreds of thousands of endpoints, right? And you can have all the processes and procedure and technology in the world and while it may detect when somebody plugs something new in, it's going to take time to either track down that asset, or completely block that asset. And the issue is the good guys still have to play by the rules because they're trying to conduct business. So, if you were trying to present the perfect office environment, not to conduct business but to be really secure, every time somebody plugged in something new, you wouldn't let them have access to anything until they were completely identified through an asset management system, maybe through an HR system, maybe through badge-reading system that they actually badged in to the environment.
Ron Dunham: But the problem is, we've got a ton of remote workers, so they're not badging in, we don't have control of their home network or whatever network they're in, right? Could be a Starbucks, could be anywhere. Business still needs to be conducted, so you're trying to fly at the speed of business, while at the same time maintaining some level of discipline to be able to protect the environment. And that gets multiplied and, even worse, through merger and acquisition activity, where suddenly I have to add in a new entity and I'm going to block them and protect them as much as I can from what I feel are the rest of my crown jewels, but at the same time I still need access and I need them to have access to conduct business. I didn't buy them just to stick them on the side, in most cases, I suppose that does happen. I bought them to integrate them in with the rest of my business. And now I have to know what their security posture is because if they're weak, they create a new weakness in my environment.
Ken Dunham: Well, I think that was really well said, Ron. I appreciated what you said there. Big companies do have big problems for variety of scale challenges and it's very different than, say a small company, who also has big problems for the reasons of being small, right? That guy that has to wear multiple hats is not an expert in any single one of those and doesn't have time to do security proper, etc. Third party risk is another issue, as well, in addition to MNA. And one of the things I've seen, though, that I think is frustrating for me is the security professional that I wish that people would change proactively, is the concept of adoption.
Ken Dunham: For example, Cloud is a really big deal. Everybody's talking about Cloud. If you're not in the Cloud, you probably just don't realize that you're in it. I've actually had people say, "I didn't know I had an Office 365 Cloud account." And they didn't even know, and that's in the context of talking to them about business, email compromise fraud taking place in their network. The reality is that people adopt and go to these new solutions, and they tend to differ risk or shift liability but they still have the same responsibility in the Cloud as they did in their traditional architecture. And most companies, what they're doing, is they hire, and they adopt, they throw their stuff up into the Cloud, or on their phone, or in that virtual machine, or in a Kubernetes.
Ken Dunham: You pick your latest and greatest technology, but what did they do to secure it, right? And that's where the problem is that somebody didn't take the time to make that a priority. Now, I recently worked with an executive in a Fortune 500 company, and he told me that they bought services in the Cloud, and they planned, and they architected, and they designed, and they tested, and they made sure it was solid for two years before they put any production data into the Cloud. Now, that was an amazing feat. To pull that off managerially and to have that kind of funding and that kind of focus on security, that's rare. That's on the tip of amazing. And what I'm asking for and what I really hope that the industry adopts is that when you come into a new technology, and especially if you're a large company, that you take the time to align your different business units, and your people, and your process, and you make sure that security is an essential component right up front, and how you do your design and your integration to be successful.
Fayyaz Rajpari: Wow. That was strong and I liked it. So, you know, a couple of things that I've taken back from what you guys are telling me here, right, technology from my perspective, putting back in Layman’s terms, is really looking at this from the aspect of what is that really to me, right? I think of it maybe as like a weapon, right? It could be a weapon to be used but you’re really going to need to have the eyes or the human expertise or the people that are using that weapon. You can't just have an automatic weapon just firing off or whether it's the attacker using it or just...it's just an automated process. It's just not enough, like same thing goes for the good guys is that you need people driving the technology and understanding what's coming out of it and really having that entire network.
Fayyaz Rajpari: Think of it as the collaborative network, right? You’ve got to have the collaborative capabilities to defend and protect against the bad guys, right? I mean if you have...I go back and think about my days when my prior company where we see a lot of Chinese actors and going back to thinking about, well how are they getting in and what are they doing? And it really came down to, yeah it was a network. You're right. It was basically, you know, they were actually, the Chinese, were clocking in, right, you can see going back to records and forensic data and analysis of actually seeing, you know, where they're starting their normal business, as the attacker, right.
Fayyaz Rajpari: It's just a normal job, they're day job, to go in at eight a.m., you know Chinese time, and start doing their normal business. Whether it's espionage or looking for data and doing the reconnaissance, and then checking out at four or five p.m., and then silence, right, until the next day. So, really it comes down not just to I think the tools, but the operator behind it and what they're doing and are organizations prepared to be able to have those capabilities to be able to detect against these other guys and not just a specific tool? Would you agree there?
Ken Dunham: That's an excellent point. And that's a passionate one for me because now we're starting to talk about Counterintelligence and Dark Web and that sort of thing. And it's interesting because you have the opportunistic and then you have the scaled large set of users with different experience abilities, and then you have the highly focused and targeted type organizations. For example, comment team, A.K.A APT1, an ugly gorilla is what we called him. And then, Wang Dong, and various other...four other core people in total that were called out there in China and recognized by the FBI eventually. When we were working with them, I was doing a Counterintelligence effort against them, and this is before ATP was really invented or understood as a term. So, we were monitoring to see what behaviors were they doing? And it was very clear that Wang Dong had done very sophisticated design on how to do stealth. He had these encoded commands and a website, that looked like a legitimate, normal website, like a picture, but it was actually a Base64 encoded command, concatenated with some of his attack sets. It was very sophisticated. So, he's the brains behind the operation.
Ken Dunham: But then on the box, we get some kid logging in, some kid in the PLC, one of like twenty plus thousand people in the building out there in China, that's performing the attack, and I watch him go into the machine and he thinks he's got full control. But, I'm actually monitoring him the entire time. And he's typing in things, and he's really a horrible typist and he's really, and he makes mistakes in his command lined arguments that are trivial to navigate the system, doesn't really know where he needs to go. He actually comes back to the directory two or three times, even though he's already been there. It's like he doesn't know what he's looking for. And then after about an hour or two, realizes he's in an environment where he's being monitored. And then they start to delete everything and get out.
Ken Dunham: But, that's a low skilled level person, but like you said, there's a scale challenge there. If you just compromised 40,000 machines, how are you going to look at it all? How are you going to put a human behind it and start to figure out where you want to prioritize, what you want to go after, right? And then once you do, you've got the brains behind the business to drive it home. So, they've got a very mature infrastructure with thousands of people and that's a very difficult thing to defend against.
Fayyaz Rajpari: Ken, you just put into terms of basically we're all human, right? If you look at a cyber-criminal, it's just like any other security professional with, say a guy coming into the industry, right, from out of college, you're hiring them, and they're having trouble detecting the bad guys because they've only been in the industry for less than a year and they're learning, right? We're all human so you've got the same scale on both sides, right? I mean, you've got the cyber-criminal with a lot of experience, that's been doing this for years and is very precise in their capabilities and their tactics and procedures, and then you've got the good guys that have also been doing this for a long time and can understand capabilities and understand and know how to use their tools or their guns, whatever tools that they're using, whether it's an EDR tool, or their logs and sim. And then it's the same thing, right? Its experience levels can make a huge difference in how we can go up against these guys.
Ron Darnall: Yes, Fayyaz. It is experience levels, but it's also the ability to adapt, right? What you're successful at this week, isn't going to be good enough a week from now or two weeks from now, right? I used to describe it as, if we put up a ten-foot fence, somebody's going to build a twelve-foot ladder. If we put up a fifteen-foot fence, somebody's going to build a twenty-foot ladder, right? So, the key, in my mind, from a cyber operations and cyber defenses efforts, is you need to have discipline, you need to have tools, you need to understand the scale of your network, and then you need to be able to continually adapt. As soon as you get complacent, you're in trouble.
Fayyaz Rajpari: Yeah, no a really good point, Ron, really good point. Oh, man. Okay, so let's kind of try to wrap this up here and I do want to come off with something here for our audience and I'm going to ask you guys, kind of just put you guys in the spot here, right? When we're up against the adversaries, right, how can we make it hard for them then? What would be the highest cost for the adversary and cause for them to change? So, when you mentioned, Ron, we must be adaptable to their changes. Can we do something, from a network perspective and a team perspective, a collaborative approach, what is it going to be that we can maybe do to instill for them...for it to be hard for them to come into or get into and obtain valuables within a network?
Ron Darnall: Yeah, I think it's two sides, right? When you're trained to protect your world, there's probably two things you need to be doing consistently with discipline. One is patching vulnerabilities, patching applications; solid network configuration, right? Doing those basic things, really do make a difference, right? You can't rely solely on that, but if you take away some of those basic elements, you've now limited the way you can be attacked or if you are attacked, you've limited the scope at to what they can see or get to. So, even though some of those elements may seem trivial or seem like oh, that's what you did ten years ago, that's not today. You need to be covering all of those basics because then you can focus on the more advanced. The second thing you need to be doing is really integrating your teams, and integrating those teams with intelligence. And I'll be interested to hear what Ken adds to that.
Ron Darnall: But, the more you can integrate your teams, the more successful you're going to be. If your teams operate in a silo, where let's say the vulnerability management team doesn't participate with the incident response team or participate with people that are doing threat hunting. Then, everybody's operating on their own, they're uncoordinated, they're perceiving their own threats without being able to collaborate and consolidate some of that research that's being done, you end up all going off in different directions, right? It's kind of the scenario of...there's an old joke about having a piano in the doorway and it seems to be stuck forever. And the guy on one side says, "Boy, I don't think we're ever going to get this out of here." And the guy on the other side, "Get it out? I thought we were trying to get it in."
Ron Darnall: So, you need to make sure you're all working together, pushing in the same direction because it's not going to work very well if you're all operating independently.
Fayyaz Rajpari: Great advice, Ron. Go ahead, Ken.
Ken Dunham: I hadn't heard that joke. I thought that was great. I think, you know, we need to have an orchestra, a conduction, and that makes me put on my hat of orchestration automation, right? Does it sound like music or is it a bunch of clanging symbols that aren't all coordinated? So, integration, you're right about that, Ron, is super important. What would I say? I believe strategy or strategic approach is what I would love to see everybody start to do intentionally. It doesn't just happen on its own. What's natural is for us to be reactive, right? We get this problem or that problem, we jump on it, we take care of it. We're constantly putting out fires.
Ken Dunham: And I got news for you. If you're a manager, and you're reactive 100 percent of the time, you're not a leader. You're just a manager that reacts to stuff. And if you want to be effective in leadership, if you want to be effective for your organization, you have to intentionally carve out time every single day, every single week to be strategic. And if you can be strategic, you can start to do the things like what Ron was talking about where...say you just take the CIS controls, top three controls, and you hammer those out of the park, know your people and authentication, you know your software, you know your hardware. If you just did those three things, you're already ahead of everybody else and you've removed the low-hanging fruit. And then you can start to create an integrated culture of teaming and making change and helping your company to move forward strategically.
Ken Dunham: Once you get to where you start to do strategic work, at least twenty or more percent of the time, you're going to be a lot more effective. But, you have to be strategic. If you're constantly reactive, you're never going to be out in front helping yourself to chip away at moving ahead. You're always just going to be reactive and frustrated.
Fayyaz Rajpari: Good point, Ken. I really appreciate this insight. I think this is really good and I'm looking forward to doing further episodes and shows here from Optiv. Thank you and have a good day.