
PLUS: Would you buy shares in Microsoft's cybersecurity business?
Patrick Gray
Hi everyone and welcome to Risky Business. My name's Patrick Gray. We'll be chatting with Adam Boileau in just a moment about all the week's security news. And then it will be time for this week's sponsor interview, which is with the VP of product at Corelight, Vijit Nair. And we're talking to him really about how cloud detection and response, it's not really converging on one thing. There's always going to be elements of like app monitoring, something for your Kubernetes, something for your endpoints, something to keep an eye on API calls and of course network data. It's an interesting high level chat. And that one's coming up after the news, which starts now. Although I guess news for me is as soon as we're done recording today, I'm actually jumping on a plane and heading down to Sydney to record a podcast in the flesh at the lecture theatre of the Museum of Contemporary Art in Sydney with Mr. Chris Krebs. And the reason I mention it is because there's still like eight to 10 tickets left. So if anyone in Sydney is listening to this and wants to come along, that's happening tomorrow at about 9am. So I will link through to the rego link in this week's show notes and I look forward to seeing you all there. But Adam, the first thing I want to talk about today is the FTC opening an investigation into Microsoft, which is a huge deal, which doesn't seem to be the subject of much discussion in infosec circles. And I find that really surprising. Why do you think that is?
Adam Boileau
That's, it's a great question. I mean, Microsoft is such an important part of everybody's ecosystem and work life and especially infosec. Right. And we have all seen, you know, I guess especially as they moved into the cloud, the very kind of tight integration between their security products and their business, like their business software and stuff. And you know, the FTC's previous, like the previous antitrust work against Microsoft really had a very long lasting impact. And this is back in the like browser wars era of you know, Internet Explorer versus at the time, Firefox, I suppose. And that really, you know, has shaped so much of how Microsoft has behaved. So it's, it is a kind of a big deal. But I guess the political uncertainty in the US at the moment about what the next administration would do with an investigation like this is, I mean there's so much uncertainty, I guess it's hard to get too excited until, you know, the shape of that.
Patrick Gray
Yeah, I mean, we've linked through to an Associated Press article here that points out in the headline, FTC Opens Microsoft Antitrust Investigation that Trump Administration Must Carry on or Drop. Which seems, now that I think about it, a strange way to put it. But, you know, the FTC chair, Lina Khan, you know, J.D. Vance, who's the incoming vice president, has said positive things about her as well. So really, we don't know whether or not it will continue under the incoming administration. But I want to talk about why it's interesting from a security person's perspective, which is that Microsoft bundles so much stuff under E5. Now, of course, it does have some good security products, like Microsoft Defender is a great EDR, right? But they also bundle an awful lot of crap. And you got to ask yourself, if it weren't for their ability to bundle like this, would anyone buy it? Right? So the thought exercise that I came up with in terms of evaluating whether or not Microsoft is kind of abusing its market power is to just think, okay, say flash forward, it's three years from now. The FTC has mandated that Microsoft needs to take its cybersecurity solutions business and spin it out into a different company. Would you buy shares in it? Right. Would you buy shares in it? Or would you be worried that the only thing keeping a lot of its security business spinning is E5 bundling? And I think that's the question at the core of this. Right. I think it was actually Chris Krebs, who, you know, as I pointed out, I'm interviewing him tomorrow. Once we were at a conference, actually having a drink. And what did he say? He had a line. I don't even know if it's his line, but he said Microsoft should be in the business of making secure products, not security products. Now, sure, he works for a company that competes with Microsoft in the EDR space, but I think that's a sentiment I agree with, frankly.
Adam Boileau
Yeah, I mean, certainly it would be nice if you didn't need all of those security products and Microsoft doing a good job. You know, there's a reason they've been refocusing a whole bunch lately, because they've been beaten with so many sticks about their security practice. And it's not unreasonable to say that, you know, they have moved so quickly in the last, you know, five years into the cloud world that, you know, their good practice hasn't really caught up. I mean, and, you know, they've got a lot of work to do. So. Yeah, I can absolutely see that argument. Although I suppose, like you compare to... maybe it's not reasonable to compare to Google's Alphabet, Chronicle, you know, kind of. That's a separate thing. It's part of it, you know, that maybe that mess is not comparable, I don't know. But either way, Microsoft absolutely has to do better. And I would prefer that they focused on making good products than they did on making security products.
Patrick Gray
Well, I mean, that's the issue that we care about, right, which is the incentives piece of this, where they're making so much money out of selling. You know, there was a saying I came up with, which is Microsoft sells you a foot gun and then sells you the bulletproof shoe. Right. And so the incentives are sort of all out of whack, but there's not much I think the FTC can do about that particular problem. But what they can do is see whether Microsoft's business practices in bundling all of this security software under its licensing schemes is anti-competitive. And I don't think it's. I think it's a real heavy lift to show that that's not anti-competitive, just in my view.
Adam Boileau
Yeah, but I guess the other, the thing that comes to my mind is in the cloud world where the vendor runs the software and the servers and the systems, the role of third party security products is greatly diminished. Right. In the case of Amazon, for example.
Patrick Gray
But it's not in this case. That's the whole point. They're selling the products, right. And they're selling it to the, you know, via bundling, to the detriment of their competition. That's the whole point.
Adam Boileau
I mean, yeah, I agree with you, but like I'm just trying to imagine, like say they had to spin out a bunch of their security products. Like there are things that you could imagine being standalone, purchasable, like their EDR, like Defender for Endpoint or whatever. But all of the things that you would be buying in your E5, that you get in your E5 bundle if you don't mean to buy them, a whole bunch of them are kind of things that Microsoft would have to do anyway. That wouldn't be a standalone product that you would buy. That's just an expectation you have of Microsoft running the service, things like providing audit logging or whatever. Right. Consuming the logging. You could buy another tool to process it and give you the data you want from the log, the intelligence you want from logging. But there's a bunch of this stuff that's just like, in a cloud world, is the thing the service provider needs to and should be doing. And you know, I think there's an argument that Microsoft shouldn't be upselling those security features when it's as a service, but that's kind of a different kettle of fish again. So.
Patrick Gray
Yeah, that's great. Well, let's, let's watch it. I mean, you know, I think I was talking to someone who's quite informed about all of this, and I said, you know, is it a possible remedy that they could force Microsoft to divest their cybersecurity products division? And they said, of course, but it's the US Government, so they're going to choose something completely insane, uh, instead. Like, I think, what is it? The DOJ has been looking into Google's behavior and wants them to spin off Chrome, which is like just an insane idea on certain levels. Right?
Adam Boileau
Kind of dumb. Yes.
Patrick Gray
Yeah. So they'll find something insane to do about it, and then we'll, we'll get on this show and talk about how nuts it is. Moving on to some law and order news, Adam, and Wazawaka has apparently been arrested by Russian authorities. Of course, this is a very high profile, like, ransomware affiliate who I believe might have developed some tools as well. But, you know, we've seen a spate of, you know, lengthy sentences doled out to Russian cybercriminals. We saw some REvil people sentenced a while ago. And, you know, the arrests and the sentencings continue.
Adam Boileau
Yeah, it's kind of strange because, I mean, looking from the outside, you want to have a simple picture that explains to you why Russia be like Russia be. And, you know, most people who are especially ex-Russians, they've immigrated out into the West, say, look, Russia is just. It's its own thing. And, you know, it doesn't always make sense. I mean, whether this guy ends up in, you know, a special penal colony or whether he manages to bribe his way out or whatever else, we don't really know. But it's just, it seems confusing to the outsider. And I don't know that I have more better analysis than that. I am confused by Russia.
Patrick Gray
Well, I mean, we did see prior to the outbreak, well, prior to Russia's invasion of Ukraine, we did see that things were kind of moving in this direction. And it feels like that all stalled out, but it's sort of picking up again. And I can't explain it either. But as you say, like, everyone's addicted. Everyone wants a simple narrative here, and there just isn't one. You know, life is complicated. Russia is complicated. So I think that.
Adam Boileau
Exactly. Yeah.
Patrick Gray
And meanwhile, they've handed down a life sentence to the kingpin of the Hydra drug marketplace. I mean, not technically a cybersecurity story there, but you know, it is an online crime and you know, Russia has not done this before. So it does seem like there is a crackdown of sorts occurring or, you know, like a renewed focus on tackling, you know, cybercrime and cyber enabled crime in Russia.
Adam Boileau
Yeah, but a life sentence is certainly pretty significant. And I don't think we've seen that before in Russia. The financial penalties that the Hydra market kingpin and his various associates got were very small, like in the tens of thousands of dollars kind of realm. Whereas previously we've seen big fines and seizures of property and stuff, but in this case, very small monetary amount, but life sentence. So again, I don't understand Russia.
Patrick Gray
Yeah, yeah. So those last stories were from Daryna Antoniuk over at the Record. And yeah, this guy got sentenced to what I think we can call the Full Ross.
Adam Boileau
Full Ross.
Patrick Gray
But you know, we're going to see if he actually winds up getting freed next year. So that'll be interesting. So let's talk about Stoli Vodka filing for Chapter 11 bankruptcy protection in the United States and explaining that a big part of the reason why they've had to do that is because of a ransomware attack that began in August that they're not expecting to fully recover from until March next year. So just a wild story. Jonathan Greig has done a terrific job, as he usually does, of writing this one up and sort of explaining, you know, a bit of the history around Stoli and its battles with the Russian government, which wanted to like, re-nationalize Stoli after it was spun out in the 90s or whatever. Just a wild ride, this story all around.
Adam Boileau
Yeah, yeah, exactly. Because that was my first question when I saw the headline. I was like, I wonder like, is Stoli a Russian company still? Or how does this work? And in this case, its U.S. subsidiaries have filed for bankruptcy after ransomware. And the original founder of Stoli is a Russian who fled the country and is kind of pro Ukraine. And at some point the Russian government nationalized or took over some of their facilities in Russia. Like they took like $100 million worth of vodka facilities.
Patrick Gray
That was recent. That was in March 2022. Yeah, they took over the last distilleries that they were still operating in Russia. But this goes back to like 2000.
Adam Boileau
This legal... it's a tortured story. And you know, there's no, there's no like evidence to say that the fact that the U.S., you know, entities got ransomware pretty bad, you know, whether that was kind of, you know, politically motivated as opposed to just regular common garden things, getting ransomware and it's bad kind of thing.
Patrick Gray
But this ties back to what we were saying, right, which is Russia is complicated and there's no simple narrative. This could just be garden variety criminal ransomware or it could be, you know, they're getting their. Getting their instructions from the Kremlin. You just don't know.
Adam Boileau
You just don't know. Or even just, you know, patriots. You know, if someone gets got mad about, you know, about it and decided to do it themselves, like it's. Yeah, who knows? Either way, they're having a bad time and they're going to attempt to kind of restructure their way out of it. So, yeah, I guess good luck. Good luck to them.
Patrick Gray
Now we've seen two arrests over the Snowflake data extortions, but there's a third suspect who's still in the wind. And Brian Krebs wrote up a report last week looking at who this person could be. And it looks like this person may actually be a US Army soldier who is or was recently stationed in Korea. So this is a bit of beautiful Krebsing here.
Adam Boileau
Yeah, yeah, definitely solid Krebsing. This guy goes mostly by the name Kiberphant0m. And Krebs has been kind of tracking his various previous identities and his activity across forums, has a couple of other names that he goes by and kind of ties them all together with some social media posts or other forum posts where the guy says that, you know, at some point someone had DoSed him, they had some argument, and he said, lol, you just DoSed a US military base. So good. Good on you, buddy. And also there's some pictures of, you know, like, camouflage and military equipment and stuff in his post. So it's kind of a. It's an interesting, like my. I guess I'm curious as to, like, if you were a serving U.S. military person, like, if you have enough spare time to run a cybercrime operation as well. Or to be. I mean, I guess. I guess you must. There's a lot of hurry up and wait in the military. But it's an interesting, kind of interesting yarn from Krebs. And I would not want to be the guy. He. Krebs reached out to him and the guy was just like, oh, lol. This was just, you know, opsec. Epic opsec troll, he said. Which is what they always say when Krebs has totally nailed the truth about this stuff. So.
Patrick Gray
Aha. You took my bait to believe that my identity is not what it in fact is. Yeah, exactly.
Adam Boileau
Exactly. Yeah.
Patrick Gray
Oh man. But no, I guess, you know, everyone's got hobbies, right? Like, even if you're stationed on a base, you're not working 24 7.
Adam Boileau
No.
Patrick Gray
And how much time does it take to take, you know, info stealer creds and plug them into a few Snowflakes?
Adam Boileau
That's true. That's true, yes. That's a pretty fast process.
Patrick Gray
It is, it is. I mean, calling these people hackers is kind of like, I don't know, bit of a, bit of an insult to hackers. Another one from Daryna over at the Record. There has been a breach at the central bank in Uganda with attackers making off with around $17 million. I believe half of that has been frozen already by banks where the funds were transferred to, but some of it was withdrawn. I mean, we haven't seen one of these in a while. The North Koreans were targeting SWIFT terminals at central banks in places like Bangladesh years ago. But yeah, I mean, you don't see this every day, which I thought is a reason to mention it.
Adam Boileau
Yeah, like a whole central bank is. That's a pretty juicy target. And you know, they're not necessarily hard targets. But, you know, at the same time you would hope that a central bank has good quality audit and monitoring, like so at least they would spot these things happening. And it sounds like in this case they did spot it and they managed to claw some back. But I mean, it's just, I don't know, it's kind of, it's kind of funny in a way. Like, you know, a whole central bank heist. Like you make movies about that and yet here we are with, you know, kids or North Korean, you know, army doing it. And we don't know which, of course.
Patrick Gray
Because, well, I think they said it was a. Was it Southeast Asians? Yeah, yeah. Southeast Asian hacker group in this case has got the attribution. But yeah, I mean, who knows, like someone in an Internet cafe in the Philippines going, lol, you know, here's 17 million. But you know, you think probably they're going to get busted.
Adam Boileau
Probably, yes.
Patrick Gray
Yeah. Now let's have a look at this expose over at Reuters, which has been written by Raphael Satter and Christopher Bing. And by the looks of things, they've been working on this story for a very, very long time. And what they've done is tied a lobbying group called DCI Group that did a lot of work for Exxon, the energy firm or oil firm. They've looked at how Exxon was using DCI Group to hack activists and like leak their data to the press to discredit them. When these activists were trying to say, trying to prove that Exxon knew that climate change was being caused by fossil fuels, but was, you know, being very misleading about it. So they were trying to put together a legal case akin to the one that targeted tobacco companies, saying that they knew that their products were causing health impacts, but were lying about it. And you know, this is just such an amazing look at the sort of dirty tricks that should only exist in the movies. But you know, it's all laid out here. And this involves that Israeli private investigator who I believe was contracting some of these hacking services to Indian firms. Reuters has done a lot of coverage on that. But this whole thing ties it together beautifully. And it's just, I got to be honest, it's a really depressing read.
Adam Boileau
Yeah, it really is. I mean the idea of a big corporate like Exxon and in this case an environment destroying planet heating multinational hiring a big money law firm which then subcontracts out to some intermediate. Who subcontracts. Who subcontracts and then everybody's washing their hands all the way down until someone's email gets stolen and then leaked and then used against them. And then everybody along the line goes, well, we just thought we were paying lawyers. We didn't know we were hiring hackers for hire services.
Patrick Gray
Yeah, we had a little bit of money set aside for opposition research, but we didn't know they were going to do this. I mean that's the, you know, and that's why like previously when looking at some of this hacker for hire stuff, I can't even remember who I had that conversation with, but apparently hedge funds love these cutouts that they can use to get market intelligence and whatever. Right? So. But it's just grotty.
Adam Boileau
Yeah, yeah, it really is. And I think one of the guys who is central to the story, in a previous case that he worked, he said, oh look, we just, I just found these guys' email on the Internet. I don't know where it came from. And I think in that case he was tied to BellTroX, one of the Indian hack-for-hire firms, and you know, pretty clear where it came from. So it's just kind of gross. And also I, I really feel for environmental activists who feel like they're being targeted by a multinational and having their stuff broken into. It's just being hacked is kind of distressing when you know someone's been in your email, in your personal files and whatever, and stole them and leaked them. And to feel like that's happening because of a giant company with infinite resources, et cetera, et cetera, it just feels gross. And this was individuals in some cases, but also organizations like Greenpeace.
Patrick Gray
Yeah.
Adam Boileau
So, yeah, it's pretty. Pretty serious business. And yeah, great reporting from the team over at Reuters, too.
Patrick Gray
Yeah. I mean, you'd meet an environmentalist who might say, yeah, man, Exxon's hacking my email. And you just say, sure, buddy.
Adam Boileau
Yeah, exactly. You'd meet them down at the pub, you know, on a Friday night. You'd be like, yeah, yeah, okay, yeah, sure.
Patrick Gray
But you're really important. Yeah, Exxon's. Exxon's scared of you. They're hacking your mail. They're leaking it to the press to discredit you. Sure, mate. You know, but it's true.
Adam Boileau
But it's true. Yeah, yeah. I mean.
Patrick Gray
All right, let's move on to this next one here. And this one is wild, man. It's a story from Korea that our colleague Catalin Cimpanu unearthed. Talk to us about the arrests in Korea involving the chief executive, like, including the chief executive of a company that manufactured and exported 240,000 satellite broadcast receivers. Why would he be arrested, Adam? That's strange.
Adam Boileau
So the story. The story in the charging notes from the Korean law enforcement is that this set top box company included distributed denial of service clients in its firmware for its set top boxes that it shipped to a quarter of a million people. And apparently it included this feature at the specific request of its customer, who was themselves being DDoSed by some other competing Korean satellite TV firm. And they wanted to fight back, so they paid to put a DDoS system into the set top boxes. And of course, this whole scheme has now somewhat fallen apart. But like, every time you see a story like this, and especially I think we've seen a few like this in South Korea where the sort of, you know, corporate level DoS or corporate level, like, I'm thinking there was a file sharing system, like a peer-to-peer file sharing system we were talking about a couple of months ago, where it was a similar kind of thing where they all got hacked and dropped malicious code on people who are running this thing as part of that.
Patrick Gray
Yeah, yeah, yeah, I remember that now. I knew it was ringing some sort of bell, I just wasn't sure on the specifics.
Adam Boileau
Yeah, so it's. I don't know whether, you know, I don't know what's going on in South Korea. Like, obviously they're having a better time, a bit of a time at the moment generally, but it's a pretty wild story. And I used to work with satellite TV equipment back in a previous job at an Internet service provider. Our main vendor was South Korean. And they sent one of their engineers over to work with me on some Linux drivers stuff that I was working on. And so I spent a couple of weeks locked in a room with him working on driver code. And we didn't really speak much language, but we both spoke nerd. And you kind of just get a. South Korea is kind of different. It's a weird place that I don't have a whole bunch of frame of reference. And when you've seen stories like this. Yeah, it's just, you know, sometimes things are different than we expect here in the West.
Patrick Gray
Yes, sometimes things are a little bit more different than you can quite wrap your head around. That's the way you do that. Oh, okay, right. I'll just have to adjust my worldview.
Adam Boileau
Yeah, exactly, exactly.
Patrick Gray
Yeah, it's a crazy one. And yeah, the political moment in South Korea like, you know, woke up here in Australia and the President's declared martial law or something for no obvious sort of reason. And I don't know, I think it's all pretty much wrapping up. But yeah, very, very, very strange political situation and crisis in South Korea today. Now let's talk about some ransomware stuff. Costa Rica is having a hell of a time because a state owned energy provider has been hit with a ransomware attack which has caused disruption to, I think, you know, their sort of accounting and whatnot. I don't think it's disrupted oil flow sort of much like Colonial Pipeline in that way. So, yeah, this company, RECOPE, has been attacked and apparently they're bringing in some expertise from the United States to help them deal with that. And it's not obvious whether or not that is, you know, whether they've called the State Department or Cyber Command or whatever, because previously the US government had given some assistance to Costa Rica when it was being absolutely battered with ransomware a couple of years ago. But, you know, would be guessing that if you're the, you know, Costa Rican government, you're hoping this isn't the beginning of another, you know, ransomware crisis, because that was hectic when that happened a couple of years back.
Adam Boileau
Yeah, yeah, it certainly, it certainly was. And you know, like, major energy disruptions like this are you know, important. They're national security issues and yeah, it's, you know, it sounds like they're backed up pen and paper for, you know, managing, you know, the records of unloading ships and distributing fuel and so on and so forth. So yeah, it seems, seems pretty serious and I don't know, like I don't know that I want to be the person on the plane heading out to Costa Rica to try and solve this problem. Like that's an incident response job. That's, you know, it's pretty serious.
Patrick Gray
Yeah. Now a quick update too on Blue Yonder. Nothing much on their website as usual, but they have apparently restored service to a few customers and they're continuing to work through it and whatever. But that one ain't over. I just wanted to point to something funny though, which is when I was googling for their update I stumbled across the UpGuard page showing the security rating for Blue Yonder, and they get 781 out of 950. And the reason I wanted to discuss this is I've always loathed these like security scorecard related services. For a while it was thought that, you know, these type of services would help insurance companies, you know, adjust premiums and whatnot. They are basically meaningless. I mean, I'm sure, you know, someone with a really bad scorecard rating is just like an incident waiting to happen. But you can have a good rating and still get absolutely wrecked. And that's why I don't like those ratings.
Adam Boileau
Yeah, I mean so much of the rating is going to be like, does your website have a certificate that gets an A on the SSL lab score list? Have you ticked all those tiny little boxes in the SSL finding pen test report? And as someone who wrote a lot of pen test reports, we spent so much time making our SSL finding good so that it could deal with every possible misconfiguration. Not because any of them mattered from a security perspective, but because they were the sole metric by which these kinds of external scorecard things or people would judge your organization. So they've always seemed a bit bunkum because you have so little visibility as an outside party into what the reality of the inside of an organization is. And yeah, it's, I'm amazed that anyone still relies on these kinds of things because as you say, like if there's an F rating, like if you're terrible, then probably not great, but anything other than that, pretty much meaningless.
Patrick Gray
Yeah, I mean, what is it? My most, the most annoying finding I can think of out of a vuln scanner is when there was one I saw where you could force like a null cipher or something. You could force a TLS connection that didn't encrypt, like if you demanded it from the client. And I'm just thinking, really, that's a, you know, that's a critical finding. Just wild. I also got a bit of intel on that, apparently, as per my source, the. And I don't know if this is out there elsewhere through the threat intel companies or whatever, but my source tells me the Termite ransomware crew is behind the Blue Yonder incident. So there you go. They're a relatively recent crew by the looks of things. There's another one targeting ENGlobal, which is an energy sector vendor in. Is it Texas, I think. Texas, yeah. So, I mean, there's been a few of these. Right. So Halliburton had some sort of incident. Newpark Resources. Hard to know how serious this one is. I mean, they're even saying in their filings the company has not yet determined whether the cybersecurity incident is reasonably likely to materially impact the company's financial condition or results of operations. So I think with a lot of these that hit the media, you got to realize some of them are coming through SEC filings where there's been an attempted incident, it's been contained relatively quickly and they've moved on, but it still gets written up as like, oh, ransomware attack. So we don't really know much there.
Adam Boileau
Yeah, those SEC filings are a great source for journalists that want to hunt a story up. But, yeah, there's usually very little other detail. So, yeah, could be big, could be tiny. No one can really say until, you know, you either see some real impact or you manage to snoop on, you know, ransomware negotiation somewhere and get some juicy details.
Patrick Gray
Yep. Now we've got a write up from Kevin Collier over at NBC News, and he's pointing out that, you know, the United States government is now urging people to use encrypted services in order to defeat telco snooping by the Chinese as part of the Salt Typhoon campaign. Now, I've had someone say to me on social media, oh, there's a bit of irony in us suggesting that the FBI use something like Signal to communicate with sources when the FBI is also having trouble, you know, getting those comms and complaining about it. And the reason, one of the reasons that they would need to use something like Signal is because CALEA was, you know, the lawful intercept equipment at the telcos was compromised. That argument carries a little bit of weight, I guess, but not all that much, given that the Salt Typhoon attackers did not actually task any interceptions via the CALEA equipment. And even non E2EE in this instance would have protected the communications and the metadata. But then there's the point, which is like, if it's non E2EE, there's going to be some sort of CALEA interception equivalent for that service and the attackers could just go there. So, you know, I think the Salt Typhoon thing has really helped kick along the encryption debate somewhat, and I think we all need to sit down and have a think about what sort of access law enforcement needs, which I don't think. I mean, certainly in the case of Australian authorities and Australian intelligence agencies, they're not asking for complete breaks to stuff like Signal, but they are asking the tech companies to maybe meet them halfway. We had the Director General of ASIO on the show a while ago asking, I mean, I'm guessing it was Meta, hey, would you mind being able to drop us into the neo-Nazi group chats? You know, which seems like a reasonable request to me and not one that would make me feel, you know, worried about. About my privacy, certainly.
But it is an interesting state of affairs, isn't it, when, you know, telco lawful intercept is one of the things being targeted by state adversaries.
Adam Boileau
Yeah, yeah. I mean, it's ironic, I guess, on one hand. On the other hand, like, this seemed, as I've said before, like a very much reasonable kind of tasking for an intelligence agency to go after lawful intercept capability and snoop on other people's stuff. But, yeah, it is. Given the history of the FBI and US law enforcement and their, you know, fights against E2E and also access to end devices to circumvent E2E, it is a little bit ironic, but at the same time that really underscores the reality of it, which is these are complicated problems of balancing safety for society as a whole with individual privacy and, you know, the effectiveness of law enforcement and, you know, the kind of money made by companies that can break into phones or break into encrypted comms or whatever else. You know, there's just a lot of equities there and, you know, if there was an easy answer, we would be doing it.
Patrick Gray
But lawful intercept at scale is never going to be 100% secure.
Adam Boileau
Exactly. Kind of by design. It has to be able to get things that people don't expect. The thing that I liked about the story, other than that sort of the irony of it is the admission that telcos are just so wrecked that they're probably never going to be able to throw everybody out of there. And I like having people, you know, kind of have to say that out loud because obviously I have feelings about the inside of telco networks. And accepting that truth into your heart, I think is a beautiful thing for me to watch.
Patrick Gray
Yeah, I mean, I don't know what the solution is going to be here, but, you know, the status quo seems a little tense, and I do expect stuff to change over the next few years. Wired also has an interview with Meredith Whittaker of the Signal Foundation, which is worth a look. One thing that she's really talking about is, well, you know, it costs $50 million a year to run Signal, and you know, there's funding challenges there. I, you know, I honestly think people would pay for certain features for Signal. Like if you just said, if you want to use emojis, it's going to cost you five bucks a year, hey, problem solved. You know what I mean?
Adam Boileau
Like the Discord model, if you want animated gifs, you got to pay money. And, you know, there's absolutely worse business models to fund the important work that Signal does. But also, like a regular cheap Signal subscription, it's not that expensive. And, you know, I don't begrudge them that money when I pay for it.
Patrick Gray
Now, we spoke earlier this year about a Japanese crypto service, DMM Bitcoin. They had an incident back in May where $308 million of cryptocurrency was stolen. And I, you know, I thought, I can't remember if I said it on the show, but I did think they're promising to make their customers whole. And I don't know how they're going to do that when $300 million has been stolen. Turns out, yeah, that's not going to happen.
Adam Boileau
No, it looks like they are shutting down. They've handed off what remains of their assets to some other party to manage. But yes, that $300 billion, you ain't getting it back if you were storing it in that particular exchange. The irony is it's probably worth $430 million now. So good job. I think North Koreans seems to be the theory. ZachXBT tracked some of the money leaving it across the blockchain and said it kind of looked like how North Koreans launder it, got split up into a bunch of 30 million dollar chunks and then moved onwards from there. So, yeah, some of it's gone through that platform in Cambodia that we talked about as well. So Huione, I think it was, something laundered through there and presumably onwards to North Korea. So yeah, yeah, good job, Norks.
Patrick Gray
Via a casino in Macau or however they're doing it, as is traditional. Yeah, I wonder if this will turn into another Mt. Gox situation because I've spoken previously that someone I know, they had a little bit of, they had like, you know, a tiny amount of bitcoin at Mt. Gox when it got hacked. And then of course, you know, the whole thing shut down and it wound up with the courts for years and years which eventually determined that they needed to get their bitcoin back instead of, you know, a percentage of the bitcoin back rather than money, which meant everyone sort of was forced to hodl for years and now their $20 is worth $200,000 or whatever. So maybe these people, they're just locked into hodling and the 10% of their Bitcoin that they'll get to keep is going to be worth a gajillion dollars when bitcoin hits.
Adam Boileau
The crypto ecosystem is just so dumb.
Patrick Gray
Now I want to talk a little bit about a project by Micah Lee who has created various tools over the years. He has created a product that lets you do things like delete tweets with certain attributes from your account or wholesale delete everything. And it's just interesting that there's. And he's not the only one, there's this little cottage industry of apps that'll let you do stuff like delete your tweets, which is, I mean, what an amazing job Musk has done to actually create this industry. Right.
Adam Boileau
Of third party apps, a blossoming third party ecosystem. People who can delete you from his platforms.
Patrick Gray
Yeah, yeah, yes, exactly. So the reason I want to mention Micah's one is because one of the reasons I haven't used any of these apps to like manipulate my Twitter data or, you know, nuke all of my DMs. I've nuked a lot of them, but did that manually, is because I haven't trusted any of these app makers, right. Because I just don't know them. Whereas Micah Lee, he's a known quantity in this space and I just sort of think, well, now I'm going to feel comfortable to go and use that product to do things to my Twitter data.
Adam Boileau
Yeah. And it's really interesting, like the actual product itself, because originally he had written some tools to do this via the API and then when X shut down API access or otherwise made it kind of impractical, he rebuilt this thing. So essentially, it drives a client side browser on your machine and you can kind of watch it clicking around and it sits there and just points and clicks through Twitter's interface and deals with rate limiting and all the other dumb stuff that's happened so that it can automate what would otherwise be a very, very long and very tedious manual process. And that's a fiddly job to do, right? Writing something that can programmatically drive a human interface, and especially something as bonkers as modern Twitter. He's definitely done the Lord's work in building a tool that can actually do that reliably. So, yeah, I mean, I think I'm in the same boat as you, right. Where I also have a, you know, a Twitter account that's just sitting there fallow, but filled with content. And yeah, I also did not trust any of the tools to do it. So this is probably what we've been looking for.
Patrick Gray
Yeah. And meanwhile, Bluesky just continues to go to the moon. You know, I think I've got like six and a half thousand followers there now because I think there's all these starter packs and whatever. I mean, I got like 32,000 on Twitter, but I don't care. Like, a lot of the people who would have followed me on Twitter, you know, maybe I broke a story years ago, like what went wrong in the Australian census and, you know, collected a bunch of followers who just haven't paid attention really to me ever since. And, you know, that's not the point. Like, a follower count is not the point of social media. But once you get to a certain level, it's fun, right? And certainly, you know, I'm just stoked to have, you know, that sort of following on a platform like Bluesky, because when I put something out there, it results in discussion and engagement and, you know, fun ideas. Right. So definitely that's where I am now. I don't think I've posted to Twitter in weeks now, and I'm enjoying that. But we are going to actually link through to a tweet for this item. A friend of mine pointed this out to me, which is one of these Russian hacktivist groups is making a lot of noise about how they have gone after targets in Australia. Right. So one was like a storm water pump station, apparently in Melbourne, and they're like, we've locked it and put it into manual mode and the Australians are supporting the Ukro-Nazis and blah, blah, blah, blah, blah. The thing is, they name it as the Riversdale Pump Station. There is a Riversdale Road in, like, around Camberwell in Melbourne, because they say it's in Melbourne, but I can't find any mention of a Riversdale pump station on the Internet. Whereas there is one in New Zealand. And I sort of wonder, did these guys land on a box in New Zealand and think that it's Australia? Because that'd be kind of funny.
And they also claim to have taken out some of the industrial control systems controlling, like, a fruit and vegetable warehouse in Sydney. But again, you know, if you do something to manipulate the temperature in an environment like that, I'm guessing someone gets an alert and then they just go sort it out. So I just think this is a great example of this type of hacktivism. There's been DDoSes as well. They managed to take ING down for like five minutes or something. And you just sort of think, this is it.
Adam Boileau
Yeah, that's. That's the best you can do. I mean, I know over on Between Two Nerds, our other show where Tom and the Grugq talk, they're always very big on how cyber doesn't actually work because it doesn't really do anything important. And this is such a great example of that. So the Riversdale in New Zealand actually isn't far from where I live. I've been there. I've been to Riversdale beach, which is a very small community, and the pumping stations there, you know, like, tiny, by the side of the road. Like, literally, it's sort of a little box on the side of the road. And there was some controversy here at one point when those boxes were a little too tall and people were pushing prams along, might run into them. So they put up a fence around it. But that does visually impaired.
Patrick Gray
Like, it doesn't seem like. Did the boxes move? Did you have to dodge them?
Adam Boileau
I mean, there's not even a pavement in Riversdale. Like, literally, it's a grass berm with a box on it. They've now put a fence around so you don't accidentally drive into the cover of these pumping stations. So.
Patrick Gray
But I did manage to find coverage of this controversy from the New Zealand Herald. Headline is Pump station fears rebuffed. If you want to get. If you want to get an idea of, you know, what serious news is in New Zealand.
Adam Boileau
Well, maybe Riversdale is overflowing with sewage at this very point in time. So thanks to Russian hackers.
Patrick Gray
Now, look, just before we wrap it up, I need to tease you about an incident that happened in New Zealand as well, seeing as we're talking about all things New Zealand. Why don't you tell us? Because, you know, we can learn about disasters that are non-cyber, you know, non-cyber disasters can teach us about cyber disasters. Adam, one of your navy ships actually ran aground, caught fire and sank. The incident report is out now. What happened, Adam?
Adam Boileau
Yes. So the illustrious New Zealand Navy, obviously we're a maritime nation right in the heart of the Pacific and we have a long and proud history of sailing and navigation and so on. Yeah. So our boat was near a reef in Samoa and it rammed the reef and sank. And the reason it rammed the reef, that it was like surveying the reef, that was its job, was to look at the reef. And the reason it ran aground was because the thrusters on the ship were thrusting, as you would imagine, and they wouldn't turn. And the reason it wouldn't turn and hence drove onto the reef was they left the autopilot on and whilst trying to diagnose the thruster failure that was preventing the ship from turning, the autopilot correctly drove the ship onto the reef, which.
Patrick Gray
Yeah. Big shout out to the Kiwi Navy on that one.
Adam Boileau
And that's like a statistically significant amount of the tonnage of our navy as well. So. Yeah, and actually a few months ago, one of our ferries that connects the two main islands of New Zealand, very creatively named the North Island and the South Island, one of the ferries that connects them together did the same thing. Someone accidentally turned the autopilot on and drove it into the side of the channel that it was sailing down. So.
Patrick Gray
Boats, boats. New Zealand has some boat-like challenges. Although I cannot tease you about boring place names, given that I live in a country with a desert named the Great Sandy Desert, which, you know, creativity on that one is nil, mate. We are going to wrap it up there. Great to chat to you as always and yeah, we'll do it all again next week. Thanks again.
Adam Boileau
We certainly will, Pat. I will see you then.
Patrick Gray
That was Adam Boileau there with a check of the week's security news and also a bit of a discussion about the New Zealand Navy's woes. It is time for this week's sponsor interview now with Vijit Nair, who is a VP of Product over at Corelight, which makes, you know, the industry standard network security data sensor. Right. You just drop it anywhere, it's open source based and it will crunch your network data and provide you with an event stream that's actually very, very useful. Right. And a lot of people are now putting Corelight into their cloud environments. Because it is useful there. And that's kind of the basis for this conversation, which is to really look at the state of cloud detection and response, which has not converged on to being one thing. Right. So this conversation is really about how in your cloud environments you're going to need a little bit of everything, you're going to need some application specific monitoring, you're going to maybe need something for your Kubernetes, you're going to need to do some network monitoring as well, something for your endpoints. It's just not going to be one thing. So here is Vijit Nair with that conversation. I hope you enjoy it.
Vijit Nair
As folks moved into the cloud, you know, the usual cliche, security was an afterthought and all of that, but where folks sort of went first was, can I lift and shift all the security I have in my on prem into the cloud? Right? And that naturally became, I have a firewall in here, give me a virtual firewall that I can deploy in cloud. I have an EDR in here, give me an EDR in the cloud. And quickly, I think what people ended up realizing was that deploying these things in the cloud, especially how cloud environments were built up to be, which is fast moving, elastic, ephemeral and so on, these things, if anything, became an impedance mismatch in the cloud. Essentially you were forcing engineering teams like DevOps teams to do a lot of the nitty gritty work needed to deploy the lift and shift products in the cloud. And that's where the model ended up causing a lot of friction and in come, you know, folks like the Wiz and Orca of the world that, you know, landed on a fascinating technology, agentless technology of what they call side scanning. But essentially they can kind of copy, replicate, clone your environment and then go find a bunch of, you know, configuration issues, vulnerability issues and so on in your environment without having your DevOps teams need to do a bunch of stuff, right? So that landed really well in the market. As these teams were sort of migrating into the cloud, these tools became kind of an easy way, a SaaS based approach, easy to use for the existing DevOps teams to do kind of CSPM, security posture management. So that's kind of where it began and that's where you see kind of that burgeoning set of startups in that space. Wiz is doing great. Orca, Prisma Cloud and so on have kind of really succeeded in that space.
Patrick Gray
So I mean, that's true, there's been a lot of success in the sort of CSPM space. But we haven't seen uniform sort of detection stacks pop up for cloud. Right. So CSPM definitely established and vulnerability scanning, configuration management and whatnot. But yeah, we don't have much in the way of a uniform approach to doing, you know, attack detection.
Vijit Nair
Right.
Patrick Gray
In cloud environments. And you could roll a Corelight sensor, for example, into your cloud environment and do your network based stuff, but nothing much sort of generic beyond that, right, right, yeah.
Vijit Nair
And that's partly, that's exactly the kind of mismatch between kind of where CSPM vendors are. Like if you look at posture management, it's mostly protection based, it's mostly kind of doing kind of the pre-boom stuff, so to speak. Right. Whereas in the detection response space there hasn't been sort of as much evolution. And I give it sort of two or three main reasons, right? One is a lot of the organizations are still relatively early in their journey in terms of cloud maturity. Some of the most sophisticated organizations that kind of really invest in detection response and really need that for their team in terms of threat hunting and detection engineering and so on, are still kind of partway through their journey. Right. They're not there in terms of moving some of their most sophisticated workloads into the cloud, but they're beginning to get there. So they are starting to demand more and more of that from either cloud native services or from vendors. So now you're beginning to see almost every CSPM vendor has integrated some form of workload protection, some form of agent based protection that you can deploy in your Kubernetes stack, in your VMs and stuff like that. And then you're starting to see a whole slew of startups that focus on CDR, ADR, like application detection response, cloud detection response. A whole slew of startups come up in that space and you can see Wiz sort of acquired, you know, a company sort of very much in that space as well.
Adam Boileau
Right.
Vijit Nair
So you're, you're starting to see that evolution happen sort of, you know, very quickly here as customers are starting to demand these kind of things.
Patrick Gray
I mean there's heaps that focus on the Kubernetes stuff, right. So Rad is one that sponsors us, right? They do Kubernetes stuff. There's some good options with Linux now, I think Sandfly Security, they've got Rob Joyce as an advisor, they're actually based out of New Zealand, but they've got a very interesting Linux security product. And you know, as I mentioned earlier, you can throw in like a Corelight sensor if you want to get that network metadata and crunch it for security purposes. You can do it that way. What I find interesting, though, is that there's all that stuff that slips through the cracks when it comes to that native functionality of the actual cloud platforms. You know what I mean? When we saw, even with that hack years ago, the Capital One hack, which didn't really target the applications themselves, it was like using vulnerabilities in Amazon's metadata service and whatnot. Where's your detection stack for that? So that's the part that I find really interesting, is sure we can move over those existing primitives. Even some of this application event streaming stuff, that sort of. That doesn't matter whether that's on prem or cloud. If you instrument an application, you can run detections against it, but there's nothing really unifying, is there, that holds it all together.
Vijit Nair
There isn't. And part of this, you could challenge the cloud security providers themselves have not done a great job at establishing a standard set of primitives for what it means from a security standpoint. Right?
Patrick Gray
Yeah, yeah, yeah. But I mean, they'll give you access to all of the APIs with various levels of documentation, and then they say, we figure it out, we just do the plumbing, you know, shared responsibility.
Vijit Nair
Right.
Patrick Gray
Which means it's not our problem.
Vijit Nair
We take the money part of the share and you take the responsibility part of the share.
Patrick Gray
That's exactly right.
Vijit Nair
Yeah, but that's exactly it. I think they've, you know, I mean, we see this kind of when our customers deploy us for network monitoring in different cloud providers. Right. The kind of access that network monitoring and network we can get into, kind of where network monitoring fits and CDR in general. But when we go into these customers or in these cloud providers, every cloud provider has a different sort of perspective when it comes to what does it mean to monitor network traffic for security purposes. Right. So you think, you know, AWS does VPC flow in one way, Google does it very differently, and Azure does it very differently. And what they monitor or what they capture in terms of flow are different from one to the other. When it comes to getting down to traffic monitoring and getting actual access to packets, there are already different levels of services, different levels of cost, how they interpret it, and so on are extremely different. And that's just one example. I think that same example exists.
Patrick Gray
Well, I mean, it is the case that just the way Azure is built made them introducing virtual network taps very difficult. I believe they've got it mostly sorted out now, but it's inherent in the platform that that's hard for them.
Vijit Nair
Right. So I hear that they have it mostly sorted out now, but I'm not holding my breath. Yeah, but that has also generated a slew of sort of other providers that are now providing solutions on top of these cloud environments where they can deploy in a VPC and they can proxy all their traffic through them so that now you can mirror off of a central choke point. So there are a bunch of other solutions that have sprung up in the ecosystem to kind of solve that problem that the cloud providers have not sort of organically solved. But your earlier point. Yeah, I mean there aren't, you know, there isn't a clean template from a security perspective, be it network monitoring, application monitoring or otherwise, that has been instantiated. Which is why you see, you know, a fragmented set of startups that are trying to sort of all go at it on their own and come up with sort of, you know, their own interpretation of what it means to apply in the cloud security space.
Patrick Gray
I mean, I mean, I think where this is going, right, is that there's not going to be one unified kind of approach to this sort of thing because you do need all of those primitives, right? Like you are going to need some sort of host based inspection, you're going to need some sort of application instrumentation, you're going to need some sort of network traffic inspection, you're going to need something for your Kubernetes. And the piece that's kind of missing I think at the moment is you're going to need something to do proper inspection on like API triggered events in cloud environments, which at the moment is just a giant black hole for most organizations. So I think we can kind of get to the point now where when it comes to cloud detection and response, it's not going to be one thing.
Vijit Nair
Right, it's not going to be one thing. But at least if the access to the infrastructure can be slightly standardized, that unlocks a whole bunch of opportunities. One example I'll offer is eBPF is now starting to gain a lot of traction. It's embedded in almost every Linux flavor out there for every one of these cloud providers. Interestingly enough, when you think about sort of workload instrumentation or network instrumentation, eBPF is a safe sort of easy way to instrument your workloads, be it VMs or be it containers, and get you access to system processes, to memory, to like much deeper observability than you're used to. And guess what, it's now standardized across all cloud providers and Kubernetes running in your data center as well. So does that provide kind of one standard primitive that you can use for all kinds of workload monitoring and network monitoring? That could be one approach. Right?
Patrick Gray
Yeah.
Vijit Nair
You don't have something similar for application monitoring because that's still the realm of the cloud provider. Exactly.
Patrick Gray
It's not just per cloud provider. I mean, these are custom applications per service.
Vijit Nair
But I mean, even within different services, within a single cloud provider, you see kind of dramatic variances in how every service defines addition of a user, like CRUD of a user, changes in their services. Every service is almost designed by a different company, even though they're all kind of part of the same cloud service provider.
Patrick Gray
But this is the stuff that makes me nervous, is all of that cloud back end plumbing stuff that's not very well understood, it's often not documented very well. And it doesn't seem that there's like a huge number of products that can sift through that information and give you reliable detections. But you know, at least we do have, you know, the network stuff, as you're saying, like that as a primitive has been, you know, mostly ironed out at this point. You know, we do have some options for, you know, Kubernetes, for Linux, for, you know, all sorts of sort of, you know, cloud based hosts. But yeah, that other stuff, as I say, it makes me a bit nervous.
Vijit Nair
Right, right, right. And honestly, the standardization across the cloud providers is one of the biggest themes we are hearing from our customers. Right. Because when they're coming to us, their biggest challenge is almost nobody is deployed in only Azure or only AWS or only somewhere else. So they're looking for, and their SOC teams can't learn three or four different tools for three or four different cloud providers. So when they come to us, they're usually looking for, can you give us kind of that de facto language standard that we can now apply across all these cloud providers so that when our SOC team is looking at data from on prem from cloud, they are looking at the same thing. Right. And they're also seeing attackers kind of laterally move from on prem environment through their cloud exchanges into the cloud, kind of, you know, leverage permissions or kind of auth that they can steal credentials that they can steal in an on prem environment and then laterally move into their cloud and being able to stitch kind of that attacker action together with that same set of data, same set of primitives, becomes extremely important.
Patrick Gray
Well, you're preaching to the converted when it comes to the idea that maybe you should have some traffic monitoring in your cloud environments and that you should do that in a sort of standard way that you can stitch together with your, you know, on prem telemetry. But Vijit Nair, that was a fascinating conversation about all things cloud. Thank you so much for joining us on the show to walk through all that. Let's see what the future brings.
Vijit Nair
Indeed. Thanks for having me on, Patrick.
Patrick Gray
That was Vijit Nair from Corelight there. Big thanks to him for that and big thanks to Corelight for being this week's sponsor. We really, yeah, I really dig Corelight and I always enjoy the interviews I do with them. So if you need some basic network monitoring or some advanced network monitoring, they've got you covered. But that is it for this week's show. I do hope you enjoyed it. I'll be back next week with more Risky Business for you all. But until then, I've been Patrick Gray. Thanks for listening.
Risky Business #773 – Cybercriminals are Dropping Like Flies in Russia
Hosted by Patrick Gray, featuring co-host Adam Boileau and sponsor Vijit Nair of Corelight
Release Date: December 4, 2024
In the latest episode of Risky Business, host Patrick Gray and co-host Adam Boileau delve into a week’s worth of pressing information security news. From significant regulatory investigations to high-profile cybercriminal arrests and ransomware attacks, this episode provides an insightful analysis of the current cybersecurity landscape. The discussion is rounded off with an in-depth sponsor interview with Vijit Nair, VP of Product at Corelight, focusing on the evolving state of cloud detection and response.
The episode kicks off with an exploration of the Federal Trade Commission’s (FTC) newly initiated antitrust investigation into Microsoft. This development has surprisingly garnered limited attention within infosec circles.
Patrick Gray [00:04]:
"Adam, the first thing I want to talk about today is the FTC opening an investigation into Microsoft, which is a huge deal, which doesn't seem to be the subject of much discussion in infosec circles."
Adam Boileau [01:35]:
"Microsoft is such an important part of everybody's ecosystem and work life and especially infosec... [the investigation] is a kind of a big deal."
The discussion highlights Microsoft's extensive bundling of security products under its E5 licensing scheme, questioning whether this practice constitutes an abuse of market power. The hosts ponder the implications of potential regulatory actions, such as the FTC mandating the spin-off of Microsoft’s cybersecurity division.
Patrick Gray [04:25]:
"What if the FTC mandates that Microsoft needs to take its cybersecurity solutions business and spin it out into a different company. Would you buy shares in it?"
Patrick and Adam then turn their attention to recent arrests of Russian cybercriminals, including a high-profile ransomware affiliate that Adam Boileau describes.
Adam Boileau [08:27]:
"It's a very high profile, like, ransomware affiliate who I believe might have developed some tools as well... And he's being sentenced to a life term."
The conversation reflects on the perplexing nature of Russia’s internal actions against cybercriminals, noting the inconsistency and lack of clear rationale from an outsider’s perspective.
Stoli Vodka has filed for Chapter 11 bankruptcy in the U.S. following a severe ransomware attack that began in August.
Patrick Gray [10:16]:
"Stoli's U.S. subsidiaries have filed for bankruptcy after a ransomware attack, with $308 million stolen and expected recovery by March next year."
The hosts discuss the historical context of Stoli’s struggles with the Russian government and the impact of the ransomware attack on the company’s operations.
The episode covers ongoing investigations into Snowflake data extortions, including a suspected U.S. Army soldier’s involvement.
Patrick Gray [12:00]:
"Brian Krebs wrote that the suspect may be a US army soldier recently stationed in Korea, known as Kyber Phantom."
The discussion highlights the challenges of attributing cybercrimes and the potential ramifications of insider threats within the military.
A significant breach at Uganda’s central bank resulted in the theft of approximately $17 million, with efforts underway to recover the funds.
Adam Boileau [15:40]:
"A whole central bank heist is rare and highlights the vulnerability and importance of robust audit and monitoring systems."
The hosts note the rarity of such incidents and the implications for financial security in central banking institutions.
A Reuters exposé reveals how Exxon allegedly used the lobbying group DCI Group to hack and leak data from climate activists, aiming to discredit them.
Patrick Gray [16:37]:
"Exxon used intermediaries to hack activists’ emails, leaking them to the press to undermine their credibility."
The conversation underscores the ethical and legal implications of corporate espionage against environmental activists.
Costa Rica’s state-owned energy provider, Recope, has been targeted by a ransomware attack, causing disruptions to accounting and operational systems.
Patrick Gray [23:10]:
"Recope is bringing in U.S. expertise to address the ransomware attack, hoping to avoid a repeat of past crises."
This segment highlights the critical nature of cybersecurity in national energy infrastructure and the ongoing threat of ransomware to essential services.
The podcast touches on the ongoing issues faced by Blue Yonder due to a ransomware incident and critiques the effectiveness of security scorecard services.
Patrick Gray [24:08]:
"Blue Yonder has restored service to some customers but continues to grapple with the fallout from the attack."
Adam Boileau [25:30]:
"Security scorecards often focus on trivial findings rather than providing meaningful security insights, making them largely ineffective."
The discussion moves to the Salt Typhoon campaign, where the U.S. government urges the use of encrypted services to thwart Chinese telco snooping.
Patrick Gray [27:54]:
"The Salt Typhoon incident has intensified the encryption debate, balancing societal safety with individual privacy."
Adam Boileau [31:17]:
"Lawful intercept capabilities are inherently insecure, designed to access communications without guaranteeing complete protection."
A major incident involving the theft of $308 million in cryptocurrency from DMM Bitcoin is analyzed, with suspected links to North Korean laundering schemes.
Patrick Gray [32:44]:
"DMM Bitcoin promises to make customers whole, but recovering $300 million stolen in a ransomware attack seems implausible."
Adam Boileau [34:01]:
"The stolen funds are likely laundered through platforms in Cambodia, making recovery efforts challenging."
Patrick introduces Micah Lee’s tools for managing Twitter data, emphasizing the importance of being able to trust the third-party applications given access to that data.
Patrick Gray [34:44]:
"Micah Lee’s tools allow users to delete tweets and manage their Twitter data securely, unlike other untrusted apps."
Adam Boileau [35:54]:
"The tools programmatically navigate Twitter’s interface to automate data management, a complex task tackled effectively by Micah Lee."
A purported hack of the Riversdale Pump Station, causing operational disruptions in Melbourne’s infrastructure, is scrutinized for possible misinformation.
Patrick Gray [38:00]:
"The Riversdale Pump Station is actually in New Zealand, not Australia, raising questions about the credibility of the hack claims."
Adam Boileau [39:14]:
"The impact on infrastructure like pump stations is minimal, often leading to short-lived operational fixes rather than significant disruptions."
An unusual incident involving the New Zealand Navy is recounted, where a ship ran aground due to autopilot malfunctions, highlighting non-cyber disasters.
Adam Boileau [40:55]:
"A New Zealand Navy ship ran aground after autopilot errors caused thruster failures, leading to the vessel sinking."
Patrick Gray [41:48]:
"Shout out to the Kiwi Navy for handling the situation, despite the technical mishap."
The episode transitions to an insightful discussion with Vijit Nair, VP of Product at Corelight, focusing on the complexities of cloud detection and response (CDR).
Vijit Nair explains the fragmentation in cloud security solutions, emphasizing that detection and response in the cloud require a multifaceted approach rather than a singular solution.
Vijit Nair [43:57]:
"As folks moved into the cloud, security was often an afterthought, leading to fragmented solutions that don’t converge into one unified detection stack."
The conversation highlights the lack of standardized security primitives across different cloud providers, complicating the integration and effectiveness of security measures.
Vijit Nair [48:07]:
"One of our customers’ biggest challenges is dealing with multiple cloud providers each having different security frameworks. Our goal is to provide a standardized approach that simplifies SOC operations across diverse environments."
Nair discusses extended Berkeley Packet Filter (eBPF) as a promising standardized primitive for workload and network monitoring across various cloud platforms.
Vijit Nair [50:44]:
"EBPF provides a standardized way to instrument workloads and network traffic across all major cloud providers, facilitating unified security monitoring."
The discussion concludes with an outlook on the necessity for comprehensive and standardized detection and response solutions in the evolving cloud landscape.
Patrick Gray [52:45]:
"When it comes to cloud detection and response, it's clear that a unified approach is not feasible. Instead, a combination of specialized tools leveraging standardized primitives like EBPF will be essential."
Vijit Nair [56:22]:
"Indeed, Patrick. The future lies in creating interoperable and standardized security frameworks that can adapt to the dynamic nature of cloud environments."
Patrick Gray wraps up the episode by thanking Vijit Nair for his valuable insights and reiterating the importance of comprehensive security strategies in both on-premises and cloud environments. The hosts underscore the multifaceted challenges in the current cybersecurity landscape, from regulatory scrutiny and cybercriminal crackdowns to the intricate dynamics of corporate espionage and ransomware threats.
Patrick Gray [42:53]:
"That was Vijit Nair from Corelight. Big thanks to him and Corelight for being this week's sponsor. We’ll be back next week with more Risky Business for you all. Until then, I’ve been Patrick Gray. Thanks for listening."
This episode of Risky Business offers a thorough examination of the latest cybersecurity issues, providing listeners with expert analysis and thoughtful discussions on navigating the complex and ever-evolving threat landscape.