B (3:58)

Yes, it absolutely makes sense. And so adversaries like Scattered Spider and other groups with similar types of motives have shifted the ransomware playbook. They're taking techniques are defying traditional perimeter defenses. So can you explain why identity as an attack vector is so devastating and why existing security tools are so blind to it?

A (4:15)

You're going to hear me talk about things like living off the land, which I'll get into a little more detail here. But this is a critical point, because Scattered Spider, their approach is it's not new or novel. But what is novel is the way they're employing the techniques that they are. So they're not inventing anything new necessarily. They don't rely on traditional malware that security tools are designed to catch. So that's number one. They bypass perimeter defenses by using sophisticated social engineering. A good example of this would be vishing, which is it's the same as phishing, but through voice. And what that means is they're native English speakers. So they pose as empathetic, articulate, well informed and knowledgeable IT staff. So you pick up the phone, call your it, but it's actually them. And then they figure out a way to engineer you to basically give them access. That's basically how this works. And this means that they abuse legitimate administrative tools as a result. So by manipulating you as the user, they now use your credentials and then are able to pivot and access cloud services that you had access to. And this allows them to move laterally within the network. And this is actually what's called living off the land, which I mentioned before. So this makes it exceptionally difficult to detect because traditional signature based detection tools won't find this type of thing. You need to start employing things like anomaly and behavioral types of detection. One of the things that I find really interesting though, is that they brought back an old technique that was not often used, which is bringing your own vulnerable driver, mainly because it's an effective technique, but it's not an often used one until now. And these attacks load signed but outdated drivers. And this allows them to disable endpoint detection response products like CrowdStrike Falcon, for example, rendering them useless. And this is particularly effective in virtualized environments where they can encrypt an entire hypervisor of VMs in seconds, causing total paralysis of critical services like Active Directory. That's pretty much the, I'd say the long and short of the high level of what their capabilities are.

B (6:20)

All right, so could you break down that attack path a little bit further? What is it about legacy infrastructure that makes it so easy for them to sabotage a company's ability to recover and sometimes even take out that backup system itself?

A (6:32)

The attack starts with the human element, their masters, as I mentioned before in social engineering or hacking the person, often by posing as an employee and calling the IT help desk to request a password reset or MFA bypass. As we've sort of discussed, that's basically it is that they will pose as an employee, call the IT help desk, try to get their account or the person they're posing as account reset or their MFA disabled so that they can just get access has proven pretty successful. This identity compromise gives them a key, and this key or this golden Saml back door that bypasses all security controls. So once they have that foothold, they're able to weaponize identities and move laterally, escalate privileges and so on. When they target legacy infrastructure, such as a backup system running on, say a vulnerable virtual machine, it becomes like a perfect target for sabotage, mainly because they're most likely using native tooling. If it's in the cloud, for instance, they rely upon native services which may lack a lot of the security features that are inherent to third party products like native immutability, quorum authentication, retention lock. So there are certain protective features that exist within some third party projects that may not exist in native tools. And on the on prem side of things and say legacy environments, there are some people that are still using backup software and methodologies that are decades old and they haven't modernized, which are very easy to exploit as a result. So I mentioned before that they also their technical capabilities also extend to hypervisor encryption. Well, if they're able to access the hypervisor and perform encryption, they can also access the virtualization interfaces to encrypt entire ESXi clusters. And this tactic can take an entire backup system offline. And this is how organizations that rely on ESXi cluster and dealing with the hypervisor encryption, it may leave their organization with no way to recover at all.

B (8:28)

Right, that makes sense. So what are some of the key capabilities that organizations should look for when they're going through some type of modernization so they don't accidentally reintroduce the threat during a recovery?

A (8:38)

So the speed of these attacks is really accelerating. CrowdStrike earlier this year reported a breakout time that has dropped to as low as 48 minutes. And for those who don't know, breakout is not the same as initial access. It's the breakout time is how long it takes to achieve the ability to move laterally. So they've already gained access to your environment and the breakout time is that now they're moving around. And the fact that that can all take place within 48 minutes is pretty scary. So given that time is not on your side, I think resiliency is really going to shape up to be the future in terms of managing a security posture. Just security operations as a whole dive into that a little bit what cyber resilience really is. So cyber resilience is the ability of an organization to prepare for, respond to and recover from cyber attacks or other digital disruptions while continuing to operate your critical business functions. So it goes beyond traditional cybersecurity by integrating multiple groups such as risk management, business continuity, disaster recovery, incident response, all into a unified strategy. The goal is not to prevent the attack, but to withstand them and then bounce back quickly with minimal impact. Therefore, cyber resilience to me in our view, is about accepting the assumption of a breach. Because with that attitude, that mindset, you're always thinking from a defensive posture and a mindset, and this means restoring both your data and identity systems to a trusted clean state without reintroducing the attackers backdoors or persistence mechanisms. So instead of focusing like how quickly we can detect and respond, we also have to take those frameworks and metrics and extend it further by well, how long does it take to not only detect and then respond, but also recover? I know most people are familiar with RTO recovery time objective, you know, which is a metric of how many times or how much, you know, seconds, minutes, days, you can then return to that recovery. But there is so much more that happens within the recovery process from scoping to identifying a clean snapshot to recover to to then actually restoring the data. Because if you're dealing with this over the Internet and you have petabytes of data, that's going to take some time. That's not a quick thing even with a modern Internet speeds. So you have to account for all of these different timelines, even the ability to verify once you've restored everything, your infrastructure, applications and services, then you have to validate everything is working. So resilience to us is that, well, let's reintroduce a new framework of not just detect and respond, but also recovery and include those two metrics in the overall framework. So you have a whole timeline from detection all the way to full business continuity. Right.

B (11:28)

I couldn't agree more. Resilience and recovery are just going to become more and more important as time goes on and as more organizations face adversaries like Scattered Spider. So this has been great Joe, thank you for sharing your perspective and insights. If folks want to learn more, where should they go to look?

A (11:43)

0Labs rubric.com that's where we post all of our blogs, white papers, where we're shifting from a annual report now to a quarterly one or that's our mission right now. So you can find a lot of that on xerolabs.rootrig.com awesome.

B (11:58)

Wonderful. Well Joe, thank you again so much. It was great. And until next time.

A (12:02)

Thanks Caleb. Sam.