The Challenges of Authentication at Scale and Quantifying Risk
By Zane Pokorny on February 18, 2019
This week, we welcome back Levi Gundert, Recorded Future’s vice president of intelligence and risk. In a wide-ranging conversation, we discuss Insikt Group’s research into APT10, the challenges of authentication at scale, the importance of framing communication in terms of quantifying risk, and what it means to be an ethical hacker. Levi also shares the potential trends he’ll be following in the coming year.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 95 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
This week we welcome back Levi Gundert, Recorded Future’s vice president of intelligence and risk. In a wide-ranging conversation, we discuss the Insikt Group’s research into APT10, the challenges of authentication at scale, the importance of framing communication in terms of quantifying risk, and what it means to be an ethical hacker. Levi also shares the potential trends he’ll be following in the coming year. Stay with us.
There’s a great piece of research that the Insikt Group put out, and it was actually the culmination of over a year of research and analysis. It was actually a joint effort with Rapid7 and also one of the victims, Visma in Norway. It was a compilation of everything that was observed. It was great that Visma came out and publicly talked about their experience as a victim in this case, which is not something that you often see. In this case, the Chinese MSS, or Ministry of State Security, had compromised Visma, we believe primarily for the access that it provided to all of the third-party organizations that Visma works with. It was great that they talked about their experience, so the data came from multiple places and multiple sources.
I think from my perspective, some of the more interesting takeaways from the report were, number one, that the initial access came from credential reuse in Citrix, and Citrix is obviously … It’s not obvious, but oftentimes, it’s external facing in terms of being able to access Citrix gateways and portals and using legitimate employee credentials. We don’t know exactly how the credentials were obtained in this case. But it’s an interesting trend and takeaway that credentials continue to be a huge challenge for enterprises where you have these larger organizations with a lot of complexity. It can be very challenging to manage the identity and access management component within an organization. We continue to see adversaries prefer to use credentials where they can to gain that initial foothold inside a network and an organization.
So, from my perspective, that was an interesting takeaway.
The other takeaway, of course, was, as I earlier talked about, was the targeting of Visma, we believe, for some of the third-party access that they provide. They’re a huge, managed-service provider in the Nordic region, and they have so many relationships. I think that’s true for most enterprises today, where there are hundreds or thousands of vendors and suppliers that businesses work with, and managing those relationships is very complex. We continue to see that third-party, fourth-party risk being a challenge. That’s another trend, at least that I find interesting in terms of the Chinese MSS targeting here.
I wanted to dig into each of these individually because I think there’s some good information to explore. First of all, when it comes to credentials and this ongoing problem of credential stuffing and credentials being reused and so forth, I continue to scratch my head that on the enterprise side, this continues to be as big a problem as it is. Because it strikes me that we have some workable solutions to this. Yes, they may not be as convenient as a username and password combo, but having to type in a code or having to have some sort of hardware dongle, it doesn’t seem like it’s going to ruin anyone’s day. Am I off the mark here? Are you as puzzled by it as I am?
No, I think you’re right, you’re absolutely right in terms of there are solutions out there that are going to significantly raise the bar in terms of having success with password reuse. There’s no doubt about that. The efficacy of two-factor authentication, I think, is well established. Again, the problem becomes when you’re dealing with thousands of applications, you’re dealing with thousands of endpoints, you’re dealing with so many different types of software and heterogeneous operating system environments. The level of complexity in trying to manage a solution like that, it’s very challenging.
So I think, in theory, you’re absolutely right, but in practice, there are so many challenges. And there are obviously going to be times where certain hardware or certain software isn’t covered in the overall umbrella of a solution that a company may choose. Part of it may be legacy applications, part of it may be unsupported hardware that someone forgot about. There’s so many outliers and all it takes is one, as we know, in order to gain a foothold sometimes inside a network. I think it’s that complexity that continues to be a driver for successful adversary activity.
Yeah, that’s a really good insight. I think … We talk about organizations’ abilities to map out their networks and even know everything that’s hooked up to their own systems.
Yeah, it’s incredibly challenging, it really is. There’s obviously a lot of vendors in these spaces. There’s a lot of good solutions and technologies, but at the end of the day, it’s still a team that is responsible for deploying and managing these solutions in a comprehensive way, and it’s … If you’ve never worked in a large enterprise environment and been responsible for something like that, it can feel overwhelming.
In your comings and goings, the organizations that you work with and collaborate with, the ones who are doing it right, are there any common threads there? Any things where you see, yeah, these groups are handling authentication effectively and at scale? Anything that those organizations have in common with each other?
I think a common theme is that organizations having success are looking at everything they do in information security operations from a risk perspective, and for the most part, they are able to identify real monetary loss that comes from not doing identity access management well. It really, in an enterprise, requires a lot of resources. So having the financial and human resources and people who know what they’re doing to build and manage these programs is so essential.
Oftentimes, the information security group is not able to obtain the resources they need, whether it be the right people, the right amount of people, or just the budget to comprehensively implement something. A lot of times you’ll see piecemeal implementation, but it’s not 100 percent comprehensive and the management of it is not 100 percent comprehensive. I think it’s hard when you … As a CISO and you have a set budget and it’s finite and you look at where you’re going to spend those resources. Hopefully, you’re able to do some risk analysis and make the determination that identity access management, potentially, in your organization really has to be at the top of the stack in terms of that resource prioritization.
Yeah, it’s interesting to me that you bring up this whole notion of quantifying risk, because it strikes me that that is something that I think boards of directors have gotten on board with. I guess that communication has gotten a lot better than it was over the past few years where that translation layer between the technical crew and the management crew are doing better at speaking each other’s language and understanding, and I guess more the technical folks’ being able to address the board when it comes to risk, which is the language they’re used to speaking.
Absolutely. Yeah, I think we’re seeing progress there. And I think, as you said, there’s a general realization that they may not speak the language of technology or security, but they do speak the language of risk and business risk. That’s part of the challenge with quantifying or monetizing risk, is that, no pun intended, but there’s a risk of upsetting the status quo within the larger organization. Traditionally, you see groups like GRC — governance, risk, and compliance — that have traditionally been responsible for calculating and articulating risk. They haven’t always done the best job when it comes to the cyber risk component. A lot of it is because they don’t see the data, historical data, necessarily, they don’t see that availability to populate the models that they’ve been working with.
So, I think cybersecurity, in particular, cyber risk, has to think outside the box a little bit in terms of the models that are used for quantification. Even if it’s not something where you’re taking the results from the model directly to the board, even if it’s just for the CISO to understand, these are the areas where the model is telling us we could sustain the largest loss, just having that information for yourself as a CISO can be very valuable as you think about how you prioritize your security spend and where your security resources go.
For a long time, I think it’s been a “finger in the air” type exercise where someone from GRC asks for very minimal input from cybersecurity groups. I think the time is coming where you’re going to see cybersecurity groups start driving the narrative and the data behind the narrative themselves in a much more positive way.
Now, how do you not fall into the trap of being a Chicken Little, if you will? The sky is falling. We’ve got so many unknown unknowns when it comes to quantifying our risk. I’m thinking of … You may lock down all the systems, but as we’ve talked about in the news, that security camera that’s up on the wall that is connected to the network, somebody uses that as a way to get in, and nobody had considered that.
Yeah. And we actually talk about this a little bit, myself and my colleague, Dr. Bill Ladd, we wrote a paper called “The Probability of Loss.” We talk about a model actually based on something by Douglas Hubbard called “How to Measure Anything in Cybersecurity Risk,” and we talk about the application of that model. One of the things he talks about is that you don’t need perfect data to be able to come up with a good model and good outputs from a model. You have to be able to do a better job of estimating. And it turns out that we’re all pretty overconfident in what we think we know, and when we estimate things, we tend to be a little bit too overconfident. And to your point, we don’t account for those types of black swan scenarios.
In his book, he talks about how to become a better trained estimator, so to speak. There’s a lot of valid scientific evidence proving out what he’s proposing. I think that’s part of what is the stopgap there, in terms of coming up with the data that you need to model. Again, you don’t have to come up with specific perfect values. You just have to come up with ranges. You have to come up with a … This is the minimal possibility and the maximum possibility, and then let the model take over.
Again, you look at the outputs of the model and say, does this relatively track with what we put into the model and why we put it in? The nice thing about the model we talk about in the paper is that the variables are transparent and the assumptions are transparent. Ultimately, if someone says, “I don’t agree with these numbers.” That’s good. You want to have a dialogue. You want to have a conversation. You want to dig into it and say let’s talk about it. Let’s talk about why you don’t agree and let’s talk about how we arrived at the numbers we did for projected loss. That’s absolutely a conversation that everyone should be trying to have in the broader organization.
I want to switch gears a little bit and talk about something that I know is part of your background, and that is ethical hacking. You are actually a certified ethical hacker. That’s not something that we’ve talked about on this show before. I wanted to … First of all, for you, how do you define that?
Oh, that’s a good question. I actually obtained my certified ethical hacker credential a long time ago. It was actually right after they started the program. I thought it was a really interesting program and I very much wanted to explore it. I think it’s actually come a long way in terms of advancing itself.
I guess I would say that it’s the ability to assume an offensive perspective and do it in a responsible way. You’re careful to operate within legal boundaries and you’re careful to obtain the approvals that you need before you start your work. Those are the parameters and the guidelines to then move yourself into an offensive mindset and think about better detection of security holes and vulnerabilities that you’re looking to ultimately surface for improving defenses.
I guess there’s a natural tension there where, especially when you’re talking about the offensive side of things. I can imagine you must think to yourself sometimes, oh, if only I could do this, then I would be able to do that. But I guess that’s where the ethical part comes in?
Yeah, absolutely. I think for the individuals that routinely do penetration testing or red teaming engagements, there’s always ground rules that get set beforehand in terms of what’s going to be permissible and what’s not. But, if you’re talking about it in just a general sense where you’re not doing any specific red teaming for your own organization or other organizations, I think there’s definitely a lot of that sentiment, where you think if I could do this, I’m pretty confident that the resulting data would be, or the resulting access, would be pretty worthwhile. There’s certainly, I think, a tension when you assume the offensive mindset that, you’re right, you could accomplish more if you didn’t have to operate within legal boundaries.
And I suppose there could be a frustration there where some of your adversaries from around the world don’t play by those rules.
Oh, absolutely. We continue to see, even back to the Chinese MSS activity, a lot of the TTPs there are the reuse of common tools that get used in offensive snares. So, they made use of China Chopper, a very prolific and popular web shell that was open sourced a long time ago. They made use of other tools, like Mimikatz, that are openly available and supported. There’s a thriving community of people that develop red teaming-type tools to ensure that defenses are the best that they can be. You can’t judge the efficacy of your internal security controls unless you’re doing that offensive work to determine, how do these tools work and how do my defenses stack up against them?
We continue to see nation-state adversaries who are using those types of tools, functionally being built for the red-teaming pentest communities. So, it’s very frustrating that they continue to use those because part of that activity tends to make attribution more difficult.
But, on the other side, it’s great for the red-teaming community, that it is such a widely supported and vibrant community.
Where do you see things headed this year? As you look out over the horizon towards this coming year, the next 12 months or so, are there any trends that you see that are starting to show themselves? Anything in particular that you think might be different from the year we had before?
Well, it’s interesting because it’s not an election year, at least for the U.S. presidential race, and we don’t have an Olympics happening this year. So in terms of major events, it’s a quieter year, I guess you’d say. But I continue, again, to be amazed with the amount of credentials. We continue to see billions of credentials dumped in the public domain. It’s interesting watching the criminal space react to that because there’s a lot of software out there that is actually developed for programmatic credential stuffing, Sentry MBA, Access Bomber, SNIPR. It’s interesting as we see the development of new tools that are basically built to help someone programmatically throw millions or billions of credentials at a particular web service or web application. It’ll be interesting to follow that development.
I think the other notable event is that cryptocurrencies have fallen in value, meaning a lot of the malware out there that was doing cryptocurrency mining is less impressive for the returns that it’s producing for criminal operators. So we’re starting to see a little bit of pick-up again in exploit kit activity. I think, it’s just a theory, I can’t prove that, but I think it’s interesting that it’s correlating a little bit to the decline in cryptocurrency prices.
Yeah, that is interesting. Do you think we’ll see a shift headed back towards ransomware?
It’s certainly possible. Again, when you see an uptick in exploit kit activity, meaning new exploit kits being sold in the underground economy, typically we see additional payloads coming with that, because once your machine is infected or compromised via drive-by, then there’s always an additional payload that comes with it. That payload, more often than not, may turn into something like ransomware because the payday is so direct.
I think the other thing, actually, that I was super interested in, in the last couple of months of last year, was really the whole spam campaign targeting individuals with old credentials. It was a very clever twist on an old social engineering tactic, which was, “This is a legitimate email and we’re proving that because we’re showing you your username and password that you’ve used at some prior date on some forum, and you probably recognize it.” So it’s given this legitimacy to the spam campaign. It’s been a global spam campaign. We actually did some analytics following the money, and a lot of people were paying. A lot of people were paying $700 to $800 in cryptocurrency. They had made millions of dollars that we were able to track in a very short amount of time.
It was interesting because they had taken the wide availability of these credentials, as we talked about before, to the tune of billions of them and had just started emailing everyone in the databases with the corresponding passwords, and gave an air of legitimacy to the campaign. And it was nothing technically special, but it was very clever from a social engineering perspective.
It’s fascinating to me that as our technical tools become more sophisticated and better at doing the things that they need to do, that the value proposition gets better for the social engineering side, the … It swings back and forth.
Yeah, it is. It is very interesting. Very interesting, actually. I think one of the things that we may see this year is the acceleration of very granular extortion opportunities. For example, in the past we’ve seen actors in groups that are trying to extort the heads of companies once they steal a database or even encrypt a database. Very direct communications with the heads of these companies trying to extort money from them. But I think what we may see in the future is actually the targeting of individual victims within these databases instead of going at the companies directly, going at individual victims in a more granular way. That could be attempting to extort people over everything from, like we saw in the spam campaign, it was trying to extort people over their … What they were watching on the internet. But it could be everything related to … Like health records.
We’ve seen a couple of recent healthcare database breaches where there’s very sensitive information about individuals in those databases. There’s a lot of targeting opportunities trying to extort people … Perhaps, for example, threatening to release information from their medical records about the prescriptions they take to someone’s boss or their coworkers.
I think, unfortunately, it’s the worst of human nature. And I think threat actors and adversaries see a lot of potential in these types of extortion channels. And, unfortunately, victims in these stolen databases may become additional victims as they see opportunistic monetization coming out of that.
Our thanks to Recorded Future’s Levi Gundert for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.