It can be difficult to quantify the impact of good CISO or IT professionals. Protecting the network, infrastructure, and data is a constant effort and they’ve got to get it right 100% of the time. But the criminals breaking in only need to get it right once.
Today’s guest is Raj Samani. Raj is the Chief Scientist for the cyber security firm Rapid7. He has assisted multiple law enforcement agencies in cybercrime cases and is a special advisor to the European Cybercrime Centre in The Hague. Raj has been recognized for his contributions to the computer security industry through numerous awards and has co-authored several books and has been a technical editor in others.
“If you come into this industry, you won’t sleep a lot, you’ll constantly be reading, but you will always be employed.” - Raj Samani
Show Notes:
- [1:01] – Raj explains what he does for the cyber security firm, Rapid7, and how he got into the field.
- [3:40] – In the beginning of his career, cyber security was more of a hobby.
- [6:07] – There is a level of transparency, but Raj explains how things have to be absolutely certain before releasing information.
- [7:32] – Raj introduces the topic of cyber security as a service.
- [9:11] – Without the means to physically interrogate, it is hard to confirm theories about what is happening and who is doing it.
- [12:01] – “The sooner we collectively as an industry start to provide more transparency, I think the better we’ll be.”
- [13:57] – We see CISOs let go when a breach takes place. The industry is immature in that it has no metrics to measure success.
- [16:54] – Raj shares the experience of the explosion of Covid-19 related scams.
- [20:40] – As security professionals, the job is never done.
- [21:51] – Raj compares educating your children about online safety to wearing a seatbelt in your car.
- [24:10] – The odds are certainly in favor of the cyber criminals.
- [26:48] – Raj explains the estimation of money saved by preventing attacks, but also explains that there’s no true way to measure this.
- [28:20] – If we aren’t reporting incidents, the government isn’t going to do anything because we can’t prove the impact.
- [30:29] – Because it is a global issue, international law enforcement collaboration is crucial.
- [34:17] – Now that cybercrime is so lucrative, criminals can actually pay for marketing and make their content much more believable than a simple email with a link.
- [36:30] – It is a constant case of cat and mouse.
- [40:32] – Raj does not use the word “hacker” to describe the individuals behind attacks. They are criminals.
- [42:18] – Raj highly recommends the book Cuckoo’s Egg by Clifford Stoll.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Raj Samani on LinkedIn
- Rapid7 Home Page
Transcript:
Can you give myself and the audience a little bit of background about who you are and what you do?
The job title is Chief Scientist at Rapid7, which sounds cool. Quite frankly, it is pretty cool. I run the Vulnerability Intelligence team. You have heard of some of the things we develop like Metasploit, for example.
We have an analytics division. We analyze and track threat actors across the globe. We effectively develop threat content for our products, and we also work with law enforcement. There are a ton of other things that come within that. But effectively, what I would say is it's usually that sharp tip of the spear.
How did you get into the field? Was this a planned thing, or was it just where your career went as you learned things in your life developed?
I was at McAfee for 12 years. It was McAfee. I think it was then Intel Security, then McAfee Enterprise, and then Trellix. I was there for 12 years. I ran the Advanced Threat Research division. It was very similar, but we didn't have Metasploit there, we didn't have Velociraptor there, and we didn't have all of these incredible technologies, which is part of the reason why I came to Rapid7.
Cool. Was there a specific interest that got you into cybersecurity, an incident in your life, someone else's life, or as just part of your education, this is where you wanted to go?
I think Cliff Stoll has a lot to answer for. I remember reading the book, The Cuckoo's Egg. Anybody that hasn't read it, I urge you to look at that book, because I think it's probably the only book that I know of that really dissected what we do in a way that's really understandable. I remember reading this book and thinking, “Wow, this is incredible. This is where I want my career to go.”
At the time, cybersecurity wasn't a discipline, it was a hobby. My first job was on a help desk. At the time, it was funny because we just rolled out ISDN to some of our home workers. We had people that were at home downloading porn.
I remember this conversation I had with someone. I said, “Hey, should you really be doing this?” He said, “Well, you didn't tell me not to.” I think that really began my working life in this because then, I started to do some research and said, “Oh, there's this thing called an acceptable use policy.” Okay, well, and then I started to introduce governance into things. Then we started to roll out AV into the estate, so I started to take control of that.
We started to look at dial-up attacks. They were really common at the time, so we were […]. I think it began from having that interest in reading the book but actually focusing my efforts on securing the enterprise, and all of a sudden, it turned out that I could actually do this for a living.
It sounds like it's something you're very passionate and excited about.
It's cool. It is fun. It's exhausting. I think I'm speaking to you on the back of three weeks with, I think, maybe hours of sleep because we had the MOVEit file transfer vulnerability, we had the Barracuda issue. We had VMware problems this morning that broke. There was another one as well. There was that firewall yesterday I can't even keep track of. It's exhausting.
From the work that we do, we've got to be on it all the time because when it breaks, you've got to do the analysis. You've got to develop detection. You've got to be public about the detection that we have in place. It doesn't afford you a weekend when you plan for one. But it's exciting because it is constantly changing and adapting. I think that's the cool part of it. It's such an incredibly fluid environment.
No two days are the same.
Yeah. Today was, again, one of those days. I think it was two days ago, we released exploit code for one of these vulnerabilities. It was like, “Wow, OK. We're going to get a lot of calls today.”
You almost alluded to, at least in my mind, a certain amount of transparency that has to happen within the industry in terms of here's what's going on, here's why it happened.
Yes, there is transparency, but there's a lot that we don't publicly disclose. In the introduction, before we hit record, we were talking about attribution, and we talked about theories. I'm not one of these people that will go on Twitter and just go, “I think it was them. I think it was this, or I think it was that,” because people look and read us as a source of information and a source of trust. We've got to be absolute about things. We've got to be as sure as we possibly can.
When it comes to things like attribution, we're really careful about what we say. We won't go out and say, “Oh, it's country X and country Y.” We'll use the diamond model to try to determine methodologies around our confidence rating.
That's important, but again, it's hard because you have to be right all of the time. If you're not, then the 20-plus years you have, your reputation starts to be impacted. Those are some of the challenges, I think, we face.
Is there a small set of threat actor groups which are responsible for a majority of the incidents, the hacks, and the exploits? Or do you believe it's just a very, very wide range of loose affiliations of individuals?
In 2013, I wrote a paper called Cybercrime Exposed. Was it called cybercrime? I don't know, it was a long time, but I wrote this paper. Really, I talked about cybercrime as a service. At the time, it was really highlighting this ecosystem and an economy where individuals will go out and rent, hire, or acquire services or talent in order to carry out specific attacks.
Historically, we used to have this perception that it was a one-to-one ratio between the victim and the developer. I'd say really, over the last decade, we've seen that really change and none more so, I think, within the ransomware space, where you see this affiliate model come into place and subcontractors that use them to carry out certain attacks. I would say, probably, it's incredibly fluid.
For example, threat actors will go to an RDP shop in order to acquire credentials. Or you look at some of the recent vulnerabilities that we've seen. Those are non-trivial vulnerabilities. It's not a brute-force attack by any stretch of the imagination.
You think to yourself, “Well, how on earth can something this non-trivial be in the hands of, for example, a ransomware group who are clumsy at best?” You start to put together this jigsaw puzzle of, actually, if this is state-sponsored, then perhaps what they did was they made this vulnerability accessible. They made the exploit available to […] actors in order to obfuscate what they were really doing. But again, those are theories that you speculate on.
In the absence of physical means to interrogate, we're left with these theories without the ability to back up what we suspect is happening, and that's part of the challenge. It's constantly kicking ideas, discussing with the teams, trying to think about what's actually occurring. But in many ways, you really only have 30%-40% of the answer.
Probably a slight shift. Bounty programs, do you think that they help reduce exploits in the wild? Or is it that companies just can't compete with the price that someone can get on the black market for an exploit?
It sounds like vulnerabilities. Sure, absolutely. I think this is where the nuance comes in. A lot of the development that we're doing today focuses around elements of a specific vulnerability that can be used in order to be able to operationalize security.
For example, most people listening think, “Well, gosh. I get so many alerts, I don't know what to do with it,” or, “I've got so many systems I need to patch, where do I start?” But we look at this from a binary perspective. You can't realistically go to an organization or the IT organization and say, “Hey, by the way, there's another vulnerability. Guess what? We need to put down the infrastructure. Hey, guess what? There's another one.” You can't do that.
I think that's where we've got to start thinking about things like nuance or context, where we say, “Well, OK. This particular vulnerability needs local access in order to be able to execute. Maybe what we do is we put that into next month's patching cycle. This one actually has remote code execution. But hey, guess what? What we know is it's not being actively exploited. Maybe we don't have to bring the business down and patch this. This particular one, guess what? It's being actively exploited. It's targeting our sector, it's targeting our geo. OK, well, all hands to the pump.”
Because we can't continue down this all-or-nothing approach. The area of investment that we're taking is around incorporating context into alerts. We have this repository called attackerkb.com, for example. It's free to access, by the way. A lot of what we do is just open source.
In Attacker KB, we will analyze the most critical CVEs or tell you how it works, but we'll also tell you it's been exploited in the wild. That type of nuance, I think, is often lost in security operations. I think the sooner organizations or the sooner we collectively, as an industry, can start to provide more transparency, I think the better we'll be.
I had a little stint in IT. Like you said, it was, “OK, I only have so much resources. I only have so much time. I can only take down everybody's work for so long. What do I patch first? What issues do I address first?”
I think that's the problem. It was funny, I had a conversation with a customer this morning. I used to be a CISO myself. When I was a CISO, my manager refused to see me, like outright would not see me. He said, “Every time you come and see me, you bring a problem. Every time I give you investment, all you do is find more problems.”
I remember we did a whole piece of work around user education. What that meant was more people could spot more nefarious things happening, and were reporting more. They said, “Well, if I'd known that you would have created more tasks and more demands for investment, I wouldn't have given it to you in the first place.”
The challenge is that every other part of the business can come to the business and say, “If you give me X amount of investment, there'll be Y amount of value to the business.” We're an industry that can't even measure our success.
I actually asked them, I said, “How does the board know that you're successful, or how do you determine that the investment is well-made?” They said, “Well, we've not had a breach.” I said, “But then what that means is when you do get a breach, you're out?” They went, “Yeah.”
We've seen that. We've seen CISOs being let go when a breach happens. You and I know that, more than likely, those CISOs actually were aware of the risk, had put it on the risk register, and just didn't get the investment in order to be able to mitigate that risk. It's incredibly immature as an industry for us because we just don't have those metrics in order to be able to articulate the value of what we do.
I think that is absolutely a difficulty. If you can't say, “I stopped this many attacks,” it's hard to define. “How much did I save the company because these attacks didn't get through or were not effective?”
We become insurance salesmen. It's like, “Oh, yeah, guess what? I stopped something that might have happened, that didn't happen. But, therefore, look how great.” No one cares about that. I've seen people use those metrics, like, “I stopped 25 in a million attacks this month. They're a big deal, man. You had a port scan.”
That reminds me of the time when we used to talk about hits to websites. “Let me just put a couple of more images on the page, and now I've tripled my hits.”
My favorite one is impressions on Twitter. “Oh, I had 65,000 impressions on Twitter.” I'm like, “OK, well done, I guess.”
And how many even clicked on your post? Two.
Yeah. This fixation on Twitter just drives me crazy. Honestly, the last couple of weeks, I've been like, “Do I just quit? Do I just leave?” Then we're on Mastodon. I miss Twitter of 2022. 2022 Twitter, I do. Actually, no, pre-2016 Twitter.
Go back a few extra years.
Do you remember what life was like in 2015? The whole Cambridge Analytica stuff kicking off? The world turned on its head, I think, from 2016, and it just went crazy. Then you had the pandemic thrown in, and then you had elections. It's just like, oh. I sound old. I'm wishing for the old days.
Did the pandemic fundamentally change your business model or threat assessment and how people do threat assessment?
That was a funny one because when the pandemic hit, it was 2019. I think it was March when we had the first lockdown. But in February, I ended up rupturing my Achilles, I had a hematoma, and was given an hour to live by the hospital. It was crazy.
For six months, I didn't walk. I'm sitting there watching the news. I remember I got a call from my boss, and I was in the hospital. He said, “Are you seeing any attacks?” I was like, “Well, no. There have been a couple of apps. There’s been a bit of misinformation, but no, nothing at all.”
Around about March, we just saw this explosion of COVID noise from low-end BEC scams to threat groups that we believe to be nation-states attributed to misinformation. It just exploded. I guess people that were doing physical crime just went, “OK, well, if I send a bunch of emails and pretend to sell PPE, I can make a ton of money.” It's like, “Oh, shit. This works. I'll continue to do this.”
On the back of it, we had all of these businesses that were physical and digital, then went entirely digital, but did so opening up RDP out to the Internet, going, “Well, now, we can access all of our resources. What's the worst that can happen?” OK, yeah, right. Then we saw the growth of ransomware at that time. I think it was a network group we tracked for three months in that period. We're tracking the wallets, and they made $25 million in three months.
For those of us in cybersecurity, and I will try to speak to schools about coming into the industry, if you come into this industry, you won't sleep a lot. You'll constantly be reading, but the likelihood is you will stay employed.
And two days will never be the same.
Exactly. I'm trying to convince my kids to do it, and they're not having it. I'm trying so hard. I'm so disappointed. I feel like I let them down.
But do anyone's kids want to go into the same industry as their parents?
They've had visibility of stuff. I remember we had Tesla, and they've seen that. We've had coffee. They've seen so many cool things, and I'm like, “Why wouldn't you want to do this?”
Other passions.
We'll see. I'm not waving the white flag yet.
What keeps you up at night of, “Oh, gosh. I hope the hackers don't XYZ”?
It's happening now. I don't want to sound like a miserable git, but hospitals, […] turned patients away. That's happening. That happened seven years ago with Monocrow. That happened. It's happening and continues to happen. People's medical records are being stolen, sold, and traded by criminals. This is the world that we live in. People go, “What's the worst thing that can happen?” That happens right now.
I don't want to take us down this path, but if you look at how child trafficking occurs, and if you look at these particular nefarious groups that are trading and sharing images, this is the world that we live in. Crime is being played out digitally in front of us. We, as security professionals, are that thin line, I believe, that does everything we can to educate, to protect, to share indicators, in order to protect what's going on.
I think what we failed to do collectively is articulate the impact that it has. You remember when the meatpacker got popped, or when there was that petroleum company that got hit by ransomware? We saw the real-life impact of that. What we do is we talk about APT28, but not the fact that this particular individual that's on a […] contract was informed that they couldn't go in and do a day's work, and a fear that they had that that would have upon their ability to pay their bills or feed their children.
I think we've removed the human from the story, and subsequently, then we just go, “Oh, OK, this is the latest problem, latest issue.” What we've got to do more of is remind people and say, “Look, it's like when you put a seatbelt on before you get in the car. You do that because if you have an accident, we've seen what happens.”
The same thing here. If you don't spend time with your children and talk to them about not posting images of themselves and sharing that with friends, I've seen the impact it has.
When I was at McAfee, we were a consumer company. We sponsored Bletchley Park, so I would go and speak to schools or speak to kids and parents about, “Well, cybersecurity does impact you, and here's why.” I think what keeps me up at night and what scares me is the stuff that we're dealing with today, but actually the impact of what we deal with today.
Do you envision the future of a more digital international law enforcement agency, so to speak? One of the difficulties from my perspective I see is that burglary is when someone in my neighborhood breaks into my house, takes my stuff, sells them at a pawn shop in my neighborhood, and the local law enforcement can intervene. When it's digital and it's online, it's, “OK, well, my bank account in this country got attacked by this person in that country, and the money went to this other fourth country.” And then all of a sudden, even the small cybercrime becomes a multinational affair.
No, we will never have a single law enforcement agency. I don't think that's ever going to happen. We have international collaboration. Full disclosure, I'm affiliated with Europol (the European Cybercrime Center). They have the Joint Cybercrime Action Task Force with liaison officers from around the world. Incredibly successful, incredibly powerful, absolutely exceptional.
I'll call out Charles Orton for his vision and his leadership just to set that up, but there will be nations that will not participate. We see the impact of that. Law enforcement agencies that have to issue a mutual legal assistance treaty in order to be able to get Whois data is freaking crazy.
We know that the odds are stacked in the favor of attackers. With that point, whereby they only have to be right once, we've got to protect and stop everything, or the asymmetry of information, where they can actually get access to everything they want, and we have to piece things together with threat intelligence. Will we ever have a single law enforcement covering the whole globe? I don't see it because you look at geopolitics today.
We all agree on everything, don't we?
It's like saying, “Well, hey. Can we get every nation to agree to harmonize national security requirements across the globe?” No. I don't want to get too far deep into this, but there is a natural scrap and fight for resources. There will be countries that will try to extend their reach in order to be able to gain access to some of these assets, and that will, in fact, create friction and tension.
This is the shape of the world that we live in. We're eight billion people on this planet. Every government is trying to do the best they can for their citizens. At some point, that will be at the cost of other citizens.
Let's go more positive and talk about some of the things that you have been a part of that are having a real-world impact on individuals on stopping stuff. I know that you're involved in nomoreransom.org. What do they do?
nomoreransom.org was born out of 2016, really, out of all of these types of ransomware attacks that began to spread into the enterprise. We had the success, or we actually had some takedowns, where we actually got access to decryption keys.
The sense was, “OK, well, we've got these decryption keys, but where does anyone go to get them because you don't know where they all are?” We launched this initiative in 2016. We had seven decryptors. We made them available.
Over the course of the years, we've started to increase the number of partners and increase the number of decryptors, now we're at about 150 free decryptors. We don't ask you for your email address. We don't track your IP address. We just tell you the variant of ransomware you've been impacted by, and then we give you a free decryptor, if there is one.
We are, at least, and I would say at least because in some cases, we don't really get the telemetry on whether a decryption was successful or not, but we're at around about a billion dollars, we believe, in terms of crime prevented.
That's amazing.
That was a while back, so I'm sure it's more than that now.
How does the end user know which key they're supposed to get?
I think we changed the name of it. We had Crypto Sheriff. We give you the opportunity to upload an encrypted file, then we'll do the analysis, and we'll tell you the variant.
That's cool.
Yeah, I think so. I think the thing that people fail to acknowledge on No More Ransom is that the best part of this is the ability to be able to report crime. We've got a ton of opportunities and links there where you go through to report a crime, pick the country, click on the link, and then you can actually submit a file to your law enforcement agency, in order for them to be able to measure the impact of ransomware.
That's awesome that you facilitate the reporting as part of the process of helping people decrypt.
It wasn't my idea. I'm going to say, when you have all of these law enforcement agencies on there, pretty much the first thing they say for us from a tech perspective, we're like, “Oh, well, ransomware decryptors. Right, we'll create […].” When you have law enforcement, they're like, “Yeah, but we would like to start to measure this.”
Part of the problem is we just don't know what we don't know. People don't report crime like they would if your house got burgled or your computer got stolen. If we're not reporting it, we don't know the impact of it. If we don't know the impact of it, then politicians won't do the investment it needs. The same thing happens in the enterprise.
Is it that people do believe people don't report it because they don't know where to report it, or they don't think it's worth reporting? This is purely from my perspective. If someone broke into my car, it would make perfect sense, “Oh, yeah. Let me call my local law enforcement, call the police department of the city that it happened, and that's the right thing to do.” If I had a laptop get ransomwared, I do good backups. I would just reformat it, go on with my life, and probably not even think about it.
Some people will probably report ransomware, I guess, depending upon the impact that it has. But if you have a crypto miner on your computer, I'm not bothered. But then what ends up happening is we end up having this adware. I remember when we were at McAfee, when we had the consumer part, we used to have this category called potentially unwanted programs or PUPs.
We knew the whole PUP market was massively, massively profitable for criminals, but nobody really bothered about it because then, law enforcement will go, “OK, what's the impact that it has on our economy?” Well, probably not a lot. We don't know because people aren't reporting it, but people aren’t reporting it because it's so insignificant.
I can just go into the registry, just delete some registry keys, and then delete the things that pop up and start-up, and I'm good. But actually, if I reported that and everybody reported that, then we can go, “Well, actually, they're making tens of millions of dollars, and then maybe we can do something.” That's the thing. There's just opaqueness about this whole cybercrime area.
Again, probably the fact that this is a global issue presents its own, “Well, if I'm here, I report there, I report to them, but you report to them.”
I think that's why J-CAT is so important, because then you have international liaison officers who have the ability to be able to determine the impact that it has to individual nations, and then you can actually have one of the law enforcement agencies actually act as the lead for that. I think that's why international law enforcement collaboration is so important because you're right. Almost any crime was either digital crime or digital-enabled crime. Having that ability to be able to coordinate and collaborate is so important.
Interesting. Are there plans to expand No More Ransom to other cybercrimes, or are you just trying to keep it as a decryptor specifically?
I think No More Ransom is one that makes sense. I just don't know. I guess maybe, but I don't know how you would do that. How would you do that for DDoS? What are we going to give you? I don't know.
I think that's why ransomware is probably the right vehicle because, “Hey, there was a lock. We will give you a key.” It's that easy. How would you do that for DDoS, or how would you do that for crypto miners? I don't know how you would do that, but there are other things like the Cyber Threat Alliance, sharing indicators with our peers in the industry. There's a ton of additional working groups, collaborations, and ISACs, that are constantly partnering with and sharing intelligence.
That, to me, is the really great part because we're not in competition with each other, we're in competition with the adversary. The adversary is good. All of them are good. They're good, quick, and fast. They're successful, well-resourced, and well-funded. We have to do what we can to do the same.
Speaking of funding, all of the ransomware I've seen, the payment is always via crypto. Are there resources that track wallets used in crypto to try to reduce the amount of money that's sent to them?
Certainly tracking the wallets, absolutely. But then, of course, they have ways in which to watch the money, split the payments up, and put it through. Yes, there are groups and companies that we will work with, collaborate with, and coordinate with. Of course, there is a level of transparency there.
I think that's why things like the analysis were so successful because we were able to track the wallets. But of course, washing the money is something that they have professionals to do for them. That's part of the ecosystem.
Some of the challenges that we face are that a well-resourced and a well-funded group can go out and hire individuals for specific functions that they're very good at. They can have somebody to do an initial entry attack. They'll actually hire people to break into organizations, and they'll have people that will do lateral movement. Whereas before, it was, “Here's an email. Click on the link. Click on the link. You’re infected.”
Now, they went, well, actually, if we had people that knew their way around a network, then perhaps, what we can do is we can find a way to extort more money from them. Part of the challenge that we face is that it's an economy, and they can afford to pay well.
And people will want their data, or they're afraid of sextortion. Some small percentage of people will pay, and that becomes its own problem.
I don't know if it's a small percentage. If you look at the numbers that they're making, they're not insignificant.
Yeah. I think in terms of sextortion emails, when I get them, one of the things I always do is look at the wallet to see how much money it's gotten in the last 24 hours or 48 hours. Maybe it's gotten a couple of thousand dollars. But if you're sending that out to millions and millions and millions of people, it doesn't take many for it to be highly profitable for the individual who's sending it.
Yeah, that was that old book. Do you remember the old book? I think it was called Spam Kings. We're showing our age here, I think. When you read Spam Kings, that's what they relied upon. They would send spam out. If only 0.1% or 0.2% of people fell for the trap, it's fine because it was easy. You find a couple of open mail relays, send a ton of emails, and you'll get some wins back.
I think that's the biggest advantage criminals have, I think. OK, sure. Geography helps, absolutely, I think. Yes, you can be in territories and regions. I'm sure, hiding underneath the surface web helps, but we've seen dark web shops being shuttered as well. But for me, their biggest advantage is automation. They can simply send things at scale.
Like you said, sending a BEC fraud scam, for example, they can send a ton of emails. Or if they want to do a more targeted attack, they can go on the social media account of the CFO, for example. They have the opportunity to be able to automate a lot of them. That's the biggest advantage, I think, they have. Equally, we have automation ourselves. We have machine learning. This is constantly a game of cat and mouse.
Do you see more of the threats that you look at as being targeted or widespread, and, “We're going to scan every web server we can find for this particular Apache exploit, versus I'm trying to get into IBM's accounting department”?
I think a lot of it is opportunistic. An awful lot of it is opportunistic, which means, “Hey, there is an […] or there is an unpatched system. We’ll go and do that, and we'll go and target that.” What I suspect, though, is that there is a level of targeting. Certainly, some of the cases we've had to deal with, it's just how they got in, how they crafted an email, or convinced a third-party contractor to do something who was connected to the corporate network by the corporate VPN.
I think there is probably an element of both. Unfortunately, there's so much of it that's opportunistic. We can't see the signals amongst the noise. If you look at the prevalence of exploitation against a very, very common entry or common attack, you're constantly fighting against thousands and thousands of systems. The challenge is trying to find the signals amongst the noise becomes difficult, especially in an attack, where a vulnerability or an exploit has been publicly made available or is released.
I used to run whatismyipaddress.com. I get lots of people saying, “Oh, I turned on packet sniffing on my router,” and, “Oh my gosh. There are hundreds of people trying to attack me.” Yes and no. It's not you they're trying to attack. They're just scanning everything.
By the way, I love whatismyipaddress.com. I have used it. I have used it myself. There was this company that released a study today about RDP. They basically released an RDP honeypot. I'm trying to find the number, but that was it.
For the year, their RDP honeypot had 13 million login events. They weren't targeting you. They were brute-forcing using administrator/administrator or admin/admin. Guess what? That's quite a lot. But again, that doesn't mean that there are 13 million threat actors out there.
There could be, but probably not. I don't know.
Somebody will flag up and say, “Hey, I'm in. Boom, there you go.” Then all of a sudden, it launches to something else. That's the advantage they have. They can automate the scans, go across the Internet. “Hey, we're in.” “OK, fine, I'll get to that in a minute.”
And then there's like, “Oh, well, what did we get into? Let's try to figure that out.” Then a little bit more intelligence and forethought goes into potentially what happens after that.
Certainly, if it's an organization that's larger, then all of a sudden, they'll get people that will come in and say, “Well, actually, look, that's quite a valuable company,” and then we can determine if it's ransomware. We're not dealing with that archetypal stereotype that is the bane in history.
The hoodie, that's not the issue. It's organized crime, or it's a state-sponsored attack. That's it. That's what it is. It's unlikely to be somebody just doing it for kicks. It's an industry, and it makes money. I think the sooner we start to try to go back against that particular notion.
For me, for example, I'll never use the word hacker. I just don't. It's not accurate; it’s criminals. They are criminals. They're conducting crime. They are extorting or blackmailing. That's what they're doing. We have to try to move away from these lazy stereotypes, I feel.
The hacker was the person who was just looking to see, can they get in, not actually trying to do anything wrong. Now, organized crime has moved in, and, “Hey, we're going to use this to make money.”
I think I did my CISSP over 20 years ago. I still remember one of the questions, which was, “Can you explain the definition of a hacker?” The definition of the hacker then was not somebody with criminal intent, it was something about curiosity. What was the term of someone with criminal intent? I think they used to call it crack. I think they see it.
Yes. I think it was a cracker.
I think we don't use that term.
We realize we have lots of silly phrases. Let’s just stop using them.
Again, I don't think these stereotypes help us. You go and speak to somebody in a leadership position, or you speak to somebody like a head of state, and you talk about DDoS, exfil, or C2s, they just look at you like you just landed from another planet. That's why I love Cliff Stoll's book. I still love that book, which is, it was done in a way that people can understand. I cannot tell you the number of people I've given that book to as a gift, hoping that they would read it.
What is the complete title of the book? I want to make sure that we link it in the show notes.
Cliff Stoll. The Cuckoo's Egg.
OK. We'll make sure to link it in the show notes for those who want to read it.
It's funny, I probably should have given you links to my books, but my books are very boring. Apologies to my co-authors, but they're really thick technical manuals and stuff.
What are your books?
With Eric Knapp, who is literally one of my most favorite people on the planet, I did Applied Cyber Security and the Smart Grid. With Jim Reavis and Brian Honan, we did the CSA, the Cloud Security Alliance Guide to Cloud Computing. I've done a couple of technical edits as well, on a couple of books, which I won't get into.
Both of those sound pretty technical to begin with, and to think that it gets more technical from there.
I had fun writing them. I remember I asked Dave Litchfield, Jr. because Dave did the Database Hacker's Handbook. I said, “Oh, Dave. I'm thinking of writing a book.” This is years back. He went, “It's not as glamorous as you think, Raj.” I went, “Really?” He went, “No. You don't get paid much.” “OK, thanks, Dave.” He was right, by the way. He was absolutely right. Dave's usually right.
As we wrap up here, any particular other additional resources you want to mention, or where can people find you online? Not that you want to be found online.
For now, I'm still on Twitter, @raj_samani. LinkedIn obviously is still there. If I don't accept, I'm super paranoid, so I apologize on LinkedIn in advance. But resources, AttackerKB is a free resource you can use. No More Ransom, again, phenomenal resource. Everyone should know Metasploit. Obviously, Velociraptor, pretty much, one of the greatest DFIR tools out in existence. Big props to Mike Cohen and Matt Green.
We'll keep sharing information about the latest vulnerabilities, the latest threats, the latest attacks. We've got to work together as an industry. I will post everything that I possibly can, share as much as I possibly can. If you don't like it, or you think we can do more or less, just let me know.
My DMs are open for the moment, but I think recently, Twitter has just become a bit of a madhouse, so I'm getting so much spam in there. I might have to close it. But for now, my DMs are open, and you can just let me know. Let's do what we can to make a more safe society.
Awesome. Raj, thank you so much for coming on the Easy Prey Podcast today.
My pleasure. Thank you for the invite.