Season 1 Episode 9: Defending against future tech
Bastien: We’ve got so many toys and services out there already that are available to criminals to use to break into organisations. Some great examples we’ve seen recently of organisations where you would think they would be smart enough not to get hit like NASA (they’re literally rocket scientists), but also Instagram, Canva etc. We’re seeing all these organisations that probably do quite a lot on the cybersecurity front, but they’re getting hit anyway. Some of the ways they’re getting hit are due to these clever toys and social engineering.
One in particular that has piqued my interest recently is the O.MG cable. Something like 80,000 units of these things have sold globally, there are multiple vendors and they’re coming out of China and sold locally here in Australia through a company called Hak5. What this cable allows you to do is sell it on the street. Sometimes we’ll do a hack where we pretend to be the Red Cross service for example and we’ll give out red branded Red Cross USB cables in front of the business we’re attacking. These things get taken up and the staff enjoy it, they want a new charger for their iPhone or Android Mobile. Unfortunately as soon as you plug this thing in we then have a shell access to the device.
Other toys we see out there that we’ve spoken about already are the Wifi Pineapple that is doing man-in-the-middle attacks, and EvilUSB’s. Even scarier to date things that are going to influence state and businesses. We’ve actually seen a recent example of this being used: deep fakes. Deep fakes are when someone will create a model saying whatever they want to, a message that is not said by the person, and then they’ll put that person’s face on the model. So you can have a politician saying something they never said, you can have a small business owner promoting a product with a celebrity. In Australia we recently saw the example of a financial planner who was friends with her client on Facebook. Her Facebook got hacked and then the criminal used a video to send a message to a financial planner asking to send $106,000 to their bank account and that they’ll be away on holidays for the next few days so they give authority to do so.
The toolset is growing everyday and the kit that is available is huge. To talk about how we’re going to combat some of that today we’ve got Srini from AT&T Cybersecurity. His organisation actually helps businesses large and small to respond, detect, and protect from these threats. They’ve basically got a pretty good toolkit that’s going to stop a lot of these attacks. If you combine it with education, awareness, process, people, and technology, you’ll get the basics right and stop most attackers.
AT&T Cybersecurity are preventing these style attacks, and how are you guys as a company constantly evolving to know about and protect from these threats?
Srini: At AT&T what we do is we monitor, we detect, and we respond to cyber threats.
Bastien: The service that you provide is software that can go on to all these endpoints and all these ways that a criminal would use to get into an organisation. Then you’ll create an alert and have a company like ours that will monitor those alerts. So how do you actually go about developing the technology to protect from something like an O.MG cable, especially when these attacks are coming out daily and weekly?
Srini: Let me give you an analogy of how the cybersecurity attack really manifests itself. Imagine a home: a home has a sensor for motion detection that gets triggered when somebody moves inside the house for an extended period of time. You can time it for thirty seconds or whatever time you want and the alarm goes off when it detects motion. Those alarms can either be back to base or it can be triggered to go to a security company, or it could ring your phone and alert you about an intruder in your home. Now extend that capability to something with a video surveillance which you will monitor the house from the outside and give you alerts of something that is happening before an intruder gets into your house. That is threat intelligence.
With AT&T Cybersecurity we do the same thing. So we are not only foreseeing what is happening in the periphery of the organisation, we see the surface area and where people are coming from. From a software point of view we see the IP address that the criminals are originating from. Are they doing environmental scans on your organisation? In the home example, if there is a weak link for example a hail storm hit and one of the windows shattered and you’re not aware of it, there is a vulnerability where the host is exposed to. The intruder can now easily penetrate instead of going through the front door.
That’s a classic example of the theme where the organisations are growing into cloud and digitisation. The surface area of an attack has increased and it also gives more chance for the service to be exposed to the criminals. It’s become an industry and what they’re doing here is that it’s no longer a one or two man shop. It’s botnet attacks, it’s machines which look at where the vulnerability is, and they find the weakest link in the organisation to attack.
Bastien: A great example of this is using this technology we were able to use the threat intelligence during the census attack to see that minutes after that Minister said that statement people were starting to talk about it. We saw hacker groups talking on Reddit creating forums saying things like “let’s teach them a lesson.” Using those tools, if they’d had us as a client, we could have warned them that a) it was a bad idea to say that, and b) you are about to face an impending storm.
Let’s play a bit of a game, so I’m going to put my black hat back on. I want to find out how AT&T Cybersecurity is going to stop me. I decide I want to hack into this big Australian company, maybe an ASX listed company. Usually with big companies like that I’ll have some kind of specific goal in mind and I might not have all the resources that I need to attack it. Step one, I’m going to jump on the dark web and I’m going to create a new room and invite a few of my friends to start talking about this company. We want to get some money, data, some IP, and we want to damage their reputation. First thing we want to do is take down their website with a DDoS attack. So I need to get all of my friends involved and let’s say we need 50,000 IP addresses to take down this website. How would you detect that?
Srini: It starts before the actual attack. We monitor about a third of the world’s internet traffic. In terms of physical data you can imagine a stack of CD’s stacked up to the space station – that is the amount of traffic that we see on a day to day basis. For anybody and everybody who is on the internet, there’s a good chance that they are going through the AT&T network, and that is how we collect that information.
Bastien: All this traffic that we’re monitoring, how is that helping to protect us?
Srini: There are good actors and bad actors, so what we do is we look at the bad actors with malicious intent and the leading indicators of compromise based on our threat intelligence in the background. We eliminate the noise (the noise can be good actors) and we are focusing on the bad actors. That could be the WannaCry’s or Sandbar’s of the world, and we are able to monitor because of the feeds that we are getting globally. Not just from one location, it could be prevalent in multiple locations at the same time. All those indicators come to us and we apply machine learning and artificial intelligence with human expertise to figure out what those indicators of compromise actually mean to the systems in place for our customers. Then we come up with correlation directives to protect them.
Bastien: One of the flip sides of the coin, if we throw back to our cartoon days with Transformers the Decepticons knew where the Transformer or the Autobot’s base was. Us as the good guys, everyone has access to this data, everyone has access to the open threat exchange and unfortunately sometimes evil people actually use that data to learn what the latest vulnerabilities and other things are. If a company has a vulnerability like that and they don’t have software to detect it, the evil entity is going to use this threat intelligence system as a learning factor to breach into those organisations that haven’t protected themselves first.
Srini: With pinpoint accuracy we operate in 199 countries across the globe, and we have communities in about 140 countries. So we have a lot of intelligence that goes behind the scenes from who’s doing what. There’s a lot of noise out there, so how do we pinpoint that there is something which is malicious? It’s by using the open threat exchange.
The open threat exchange is an open community of 100,000 people all across the globe who participate in feeding indicators of compromise all over the world.
Bastien: Sort of like spies against hackers all over the world.
Srini: It’s an open community because we believe that cyber criminals need to be addressed at scale. It’s not an organisation that needs to deal with it, it’s a group of like-minded people who need to come as a force to combat this industry as such.
Bastien: This community is great by the way, we’re constantly seeing updates to threats, new articles put out, and the community helping each other. We rely on it heavily and in this particular case you would have detected that there’s a lot of noise about this particular company or customer and there’s a particular threat, and you may even be able to detect the way that I’m going to try and enter the organisation.
Srini: Exactly, so what we do is we analyse the different packets. It’s not specific to a particular company that we’re looking at, we’re looking at it from a broader spectrum of what is the leading indicator of compromise. Typically in a day OTX Alien labs, our research team, get about 19 million threat indicators of compromise everyday, which is A LOT of noise. So what they do to combat this high velocity of threat indicators we use artificial intelligence and machine learning. We have about 8,000 customers globally, and what we have learned from them is that the leading indicators going through the machine learning funnels down to one or two indicators per day. At the end of it applying machine learning and artificial intelligence and the investment of human capital within Alien labs, the data scientists look at those indicators of compromise and build correlation directives to help our customers combat such threats.
Bastien: Going back to our game, so you have detected that I’ve formed some kind of a team and I’m going to send a DoS attack. If they’re a managed security provider like us, we can inform that client to put some protection in place to prevent them from going down from a DDoS attack. Alright, so I’m a stubborn hacker, and that hasn’t worked. It only angered me. I’ve formed my team now and now I’m doing social recon. I’m finding out who works there, the executives, and I’ve found a few weak targets. I think that I’m going to be able to get in by going in on site and planting one of these O.MG USB cables and getting a shell into either a server or a laptop from a high position. How are you going to detect me?
Srini: Threat intelligence is not just limited to an outsider attack, yes we do very well when it comes to the traffic outside, however our threat intelligence team is constantly working on insider attacks as well. So that’s where we’re uniquely placed, one solution can monitor, detect, and analyse attacks both from the outside as well as the inside. For example, in your case where you found the weak link with the people within the organisation, you hand them a USB key, we can easily detect that there was an anomaly that somebody has downloaded malware in the laptop or in the server that was not intended to. Within a couple of minutes an alarm will be raised to manage a security provider to take protective action against that particular event that just happened.
Bastien: So the hacker is inside the building and they’ve hijacked the laptop, an alert has gone to a security operations centre (SOC) somewhere and the security team is coming down to arrest them. What about in the case where we’re seeing now cloud threats? Back in the day the issue was patching and vulnerabilities. I go and find an organisation that has a vulnerability and I have some code written that is going to exploit that vulnerability. That’s not so much the case with cloud computing, they do a pretty good job of patching and security. But we’re now looking at things like identity and access management.
Now I’ve actually stolen the identity of one of the executives, and my goal is to get onto the RP system and also the online banking systems.
Srini: There are multiple ways if your identity is stolen. Identity is not just the username and password, there’s step up authentication that you have to do with multi-factor authentication. Multi-factor can be a phone, say for example the phone is also compromised, then there’s more to the security itself in terms of getting access to the applications that a criminal might want to have. Step up authentication from an identity and access point of view is the first step. However, if that is also compromised for some reason –
Bastien: So I’ve stolen the phone and I’ve got the laptop, I’ve figured out what his password is, and now it’s game on for me.
Srini: Not if you have AT&T Cybersecurity in place. The reason for that is very simple, you can configure rules within the solution to say where the IP address is coming from. Regardless of the fact that you have stolen the laptop, if you’re using the laptop from an area or an IP address or a wifi signal which is outside of the company’s perimeter then we can alert. We can also alert on the fact that they tried a couple of different logins; high risk accounts. The time of the day can also be configured; say for example my laptop and phone get stolen and I have a pattern of logging in from say three o’clock to five o’clock, that’s my high activity. When you login it may be at eleven o’clock when I typically never login. So that’s an indicator and an alarm can be raised, indicating that there might be a breach or a laptop which is stolen. There are multiple ways to figure out whether it’s a legitimate login to the system or something malicious is happening behind the scenes.
Bastien: This is one of the reasons why I’m so passionate and love this industry, it’s this war between good and evil. In our organisations we call the bad team or the team that’s going to attack the red team, and the good team that works with companies like yourselves, the blue team. We see the adoption of user behaviour analytics and there are some partners that collaborate with you to be able to feed some of that data into the AT&T Cybersecurity dashboards. When you couple user behaviour analytics, and that’s how you use your computer and what applications you use and how you type (all these different bits and pieces), we can then get a hacker like myself, go into an organisation unbeknownst to me the way I’m typing has already pinged me off. The way that I’m using a PowerShell script has already pinged me off, and it’s all reporting back to my AlienVault dashboard being monitored by a security operations centre by a company like ours.
It’s really becoming harder and harder, but the fun part of it (and this is bad for organisations) is that the red teams are constantly evolving. The olden day keyloggers, and a keylogger is a way of recording keystrokes, is now easily detectable by antivirus and some of the ML endpoint protection response, even the EDR built into AlienVault will detect a keylogger. The new versions of the keyloggers are just simply HID devices. So yes you can put an alert to say if anyone plugs in a new keyboard that could be a critical alert. But some of the really clever new ones are actually recording keystrokes. So if I need a combination of keys as a hacker and I don’t want to trigger one of these user behaviour analytic threats I can record how a user types. How do you fight against those sorts of things?
Srini: It’s all about behaviour analytics. For example, if I have a keystroke of say a hundred strokes per minute and you’re typing at two hundred per minute, that is an abnormal behaviour of my user. We can set up a rule which will alert that something is going on here. We can also see the pattern on which applications they’re logging in.
Single sign-on is logging into one application which is an identity and access management solution, such as Okta or Microsoft Azure, and once you have that credential with the username and password, depending on the organisation, you can either step up the authentication with SMS, MFA like Okta Verify or Google Authenticator. Or take it a little further with your fingerprint on that device to make sure that you are who you are logging into the system. So these are very good applications where we are consolidating and giving access to make life easier for an employee or for your consumer and increasing the security.
Bastien: What’s fascinating about these new technologies is that they just weren’t possible five years ago, because there’s so much data feeding into this environment and system. It wasn’t possible to actually aggregate, make any sense of that data, and then do something about it. The user behaviour analytics side of it can be detected now, and what really has opened up into my mind in the last few years is that there’s not any excuse for organisations not to deploy these fantastic products anymore.
It makes it so much harder for us as the red team to breach an organisation if they’ve got the basics right. The basics are: can you actually detect us, can you see that we’re planning an attack, or that there’s some kind of vulnerability in the organisation. How far down the road you can see really helps. That threat intelligence piece is key, the actual detection of a live attack is key, protecting your assets is key, having strong leadership and training and gamifying it and creating cyber awareness rather than just sending your staff through to another workshop. It’s just frustrating for us to see so many large organisations that still haven’t done these things – why is that?
Srini: From what I see out there in the market everybody thinks that their house is secure. They have a big firewall, a big steel gate in front of their house where nobody can get in.
Bastien: Just a heads up, the last time we used a firewall to gain entry into an organisation has to be at least thirty six months ago. They’re just too hard to penetrate, and there are a lot of easier ways to get in.
Srini: That’s right, so that’s why there’s a false sense of security that customers think that they have a firewall or antivirus in place and they’re safe. However, going back to my example of the house where there’s a vulnerability with the cracked window, what is our attacker trying to use? They’re going to use the weakest link, and that is an opening in the window to get into the house. Same thing happens in organisations. You don’t know that something has happened until it has happened and it’s too late. It causes a lot of grief with respect to brand reputation, intangible loss of revenue, customers going away from the brand and loyal customers questioning if their personal data has been compromised.
Bastien: We’ve seen so many breaches this year, the one that I keep bringing up which I find kind of funny is that MyHealth Records have had forty two breaches. We were speaking to a fairly prominent government figure the other day, I can’t mention who it is, but he gave us some facts that every forty seconds there’s an attack. Every four minutes on our government networks there’s a successful attack.
Srini: Yesterday I received a text from my bank saying that three of my debit cards are now active. I did not do that. The next line in the text message said that if I didn’t do this I should contact the bank immediately. I called them up and then they did a voice recognition of myself, well there was no question asked on who you are and no identity was really revealed on the phone, because it can be tapped and someone can get my mother’s maiden name.
Bastien: So the banks are using voice recognition technology to authenticate you.
Srini: Yes, so I got authenticated and then they looked up my record to figure out that I had deactivated one account and that triggered in the backend an activation of my card. They quickly went ahead and deactivated my card permanently. Now anybody can mimic somebody else, there are processes and technologies available in the backend which detect who you are. It also detects what context you’re speaking and trying to gain access to a particular record, or gain access to a particular thing which you have based on a lot of other parameters such as the time of the day, the place, the location of where you’re doing a particular activity, the IP address that a person is coming from etc – there is a lot of other intelligence. As this deep fake is evolving there are the technologies surrounding that which leads to that particular deep fake becoming more advanced to combat that particular issue.
Bastien: We already know that there is software out there that can detect a deep video fake online, and I’d urge companies to have a meeting about this. It doesn’t take much thought to come up with a policy that’s going to stop deep fakes in their tracks. We already have things like user behaviour analytics, but we also have behaviour confirmation. Let’s use the merger and acquisition one: the CEO rings up and says transfer some money. All the banks have these systems available to say if a large sum of money is transferred they need two or three sign offs. Make two of the leadership to sign off, they’re going to get an SMS to confirm the transfer of say seven million euros to some bank account, and someone’s going to pick up on that and say no. We talk about the noise as well: you can set a threshold. Something that’s not going to damage your company, so a lower threshold. No company has an excuse for transferring seven million euro without some kind of verification, but it’s happening everyday.
Organisations need to take a three pronged approach: have a meeting about this, get workshops by companies like us that will educate you about what the latest threats are and listen to podcasts like this, and then create policies. Another old one that is along the same lines as a deep fake voice or video, you simply walk into an organisation. The simple fix for that, and we’ve deployed this for many of our customers, is if you don’t know someone in an organisation have a monthly meeting and say the passphrase for the month is “hey how was your weekend” and everyone in the organisation knows that month they have to answer in a specific way. If that person doesn’t answer in a specific way you get the security guards and off they go, they’re busted.
Hackers generally are easily scared off, they don’t want to get caught and go to jail. Apply policies, some thought and education around it, and technologies that are developing to detect these types of behaviour. We can already deploy technology to detect a deep fake online. The deep voice is a little bit harder, and it can thwart some identification processes of banks for example. But the banks have secondary processes that they need to enact. Thirdly, we just need to be a little bit more aware of these types of attacks and do something about it.