The State of Cybersecurity – Year in Review

>> ANNOUNCER: Please welcome CEO Mandiant, Google

Cloud, Kevin Mandia

>> KEVIN MANDIA: Good afternoon.

I'm your second to last speaker today and then we

all have dinner to go to.

I've got about nineteen and a half minutes.

What I want to do is kind of brief you on the conclusions, at

least part of the conclusions that I have based on over 1,100

investigations we did during the year, based on several hundred

red teams we did during the year, the threat intelligence

that came from the threat analysis group, as well as

Mandiant's threat intelligence group, and then all the advisory

services that we did.

So, I did my best to collect those conclusions.

We will go through them very quickly.

And it's not just admiring the offense.

We are also going to do some things because we all

came here to learn how to defend our network, so

we're going to do that.

This is five of the conclusions that we have based on all of our

observations really right up until a few minutes ago.

I changed a few while I was backstage.

The reality is first and foremost, the conclusion when

looking at the last twelve months of incidents, it doesn't

feel like there's a lot of risks or repercussions to

compromising the enterprises that we see globally.

We see an acceleration on the innovation on offense.

I don't know if it's really accelerated but we saw good

innovation by offensive attackers and threat actors.

Ransomware has evolved to data theft, to extortion, to

potentially even now harassment and other things.

The board is more engaged.

And then I think we had the best year ever between the privacy –

or I mean the partnership between the government

and the private sector.

So, it's worked really well.

So, I will drill down on each one of these.

First and foremost, the few risks or repercussions

to the threat actors.

When we look at this, I think every modern nation understands

there is going to be spying and that you probably can't prevent

espionage and it's hard to come up with rules for espionage.

So, my theme here of imposing risk is on the criminal actors,

the folks that may have come to a height or a threshold where it

feels almost intolerable.

So, when you look at the slide behind me, I wanted you to see

the numbers, and these represent the lowest bounds

of the criminal enterprise compromising and doing

ransomware and extortion.

You get the chain analysis slide on the Bitcoin paid.

That seems to be tied to extortion or ransomware.

But more importantly, just the impact on private companies or

publicly traded companies that are just doing their jobs, and

we are seeing damages equating to 100 million, 800 million, and

these are the lower bounds.

The damages from this tends to go up and to the right.

So, the question that we always have is what do we do about it?

You know, and when you look at the ransomware problem, there is

a lot of folks in the camp of we have to do better defense.

I get that, and that's why we're all here.

We all want to do better defense.

The second thing we probably have to look at is

cryptocurrency and the means and ways in which we

can track cryptocurrency.

Some people think it's not always a great idea to have an

anonymous currency that can be paid thousands of miles

apart from one another.

The third thing we have to do is we have to look at the treaties

we have and modernize some of these treaties.

We need to have attribution and impose risk.

So, I would ask that all of the folks in law enforcement, in the

intelligence community, and in the private sector revisit some

of the ways we do attribution; and for the folks in different

governments globally, to look at what are the safe harbors and

safe havens for the criminal actors and can we modernize

treaties with those nations so that we can impose

more risks or costs?

I think the time has come where we have to continue to think it.

I know we have lots of task forces globally and we have lots

of groups working on this problem and we all look

forward to progress being made in that regard.

We have seen the acceleration of innovation and I will go

through each one of these categories individually, so

let's hop right into it.

And it's not necessarily bad news.

When you see innovation on offense, you really go right to

the zero day account, and we had a long run of tracking this from

1998 right up until now.

And it used to be between ten to fifteen zero days

a year were found.

And a zero day, of course, attack with no patch.

Now you're looking at we found ninety-seven zero days in the

last year in the wild, about a third of them found

by Mandiant and Google.

What I found most interesting about these zero days is really

shown on this slide, and I know there's a bunch of numbers here

but focus in on the amount of vendors impacted, and that also

includes like freeware.

I guess we just call it different libraries, a vendor.

But when you look at this, thirty-one vendors impacted, and

there's always the big three.

You're going to have Microsoft, you're going to have Google,

you're going to have Apple.

But then in addition to those, we have got twenty-eight other

organizations that there were zero day attacks against them.

To put that in perspective, there were about four companies

impacted outside of the big three in 2018.

So, the number of vendors being attacked is phenomenal.

Now, why are there this many zero days?

There is a whole bunch of rampant theories on it.

Maybe we got better at defense and so you have to

break in with zero days.

Maybe the offense is so well funded now they just

come up with them more.

Maybe AI is helping the offense find vulnerabilities faster.

Maybe we are all just shipping really bad software and not

trying hard enough to patch it.

I actually think maybe it's a combination of some of that, but

it's actually because the impact of the breach if you do

espionage, you get what you want, and if you do crime, you

get what you want.

Cyber intrusions are paying off.

That's why I think you are seeing this happen.

But again, what this means is you have got to have a way to

respond to the zero day.

This slide shows that globally, when we looked at every incident

we responded to, the number one way people broke in

was in fact an exploit.

What this means is all of us have to think – assume breach.

Do attack surface management, do patch management, and then

really have great rules for what happens post those things.

The assumed breach mentality.

I just saw Jeetu say segmentation is hard, updating

is hard, and patching is hard.

That's okay.

We've got to do them.

There will always be a zero day.

And you hear people say we are going to do secure by design and

get it down to zero, but zero day is not just software.

At some point in time when you assume breach, you also make the

assumption maybe you have an insider that can create

havoc on the network.

So, the bottom line: this trend is different.

From 1998 to approximately 2019, the number one way people were

breaking in is spearphishing and exploiting human trust.

It has changed since 2020 back to what it was like from 1993 to

1998, which is exploitation.

For those who just need to see what are they

exploiting, there you go.

There's the top three things that were exploited

in 2023 for us.

Chinese Nexus espionage improved during the year.

And I think the biggest improvement here I could dive

into, they had twelve zero days and the next nation we could do

attribution for had only two.

In my career, I usually saw Russia was number one with the

zero day exploitation and China started making that list around

2005, 2006, but now they are leading in that list.

When we look at the majority of the zero days that we

see for espionage, we cannot attribute them to the nation

behind them, which means maybe the espionage is being

surreptitious when they do it.

When you look at that go from the zero days, I can combine the

next two bullet points that you need custom code

when you hack edge devises.

When you hack edge devices, you are

circumventing EDR space.

You're circumventing the end point protections that we have.

We've seen Chinese cyber espionage do this two years ago.

They did it again throughout 2023, specifically compromising

things like VPNs, email gateways, and other network

devices that we rely on to defend our networks.

So – and then whenever you see LOTL, that stands

for living off the land.

That is a technique that I think every red team aspires to and

every offense or threat actor aspires to.

That is simply breaking in and accessing your networks the way

your people do because that is the most effective way

to remain surreptitious and hide in the noise.

So, the Chinese Nexus Espionage improved throughout the year.

I would argue all trade craft did and I'll have another

slide on that shortly.

The evolution of spearphishing is interesting to me.

Part of it was driven by, I think, Microsoft disabled the

default running of macros in documents in Office containers.

That was a great step.

We all got better at end user training.

Our secure email gateways got better.

We went to more multifactor authentication.

So, it's my opinion that attackers now are spearphishing

through other coms channels.

That simple.

What I would tell you, probably the fastest way to cut through

this because I have eleven minutes and I have a lot I want

to cover, is the attacks that I saw successful, you could detect

all of them if you have web proxy logs, because

what you need to detect is the downloading.

Like nobody knows how much inspection your

secure email gateway does.

If you get a document with a link in it, you don't know how

deep the secure email gateway is going to go tracking

what you link to.

So, you want to make sure you are not downloading .EXEs,

.BATs, .COM, .VS, all the different executable files.

The other technique was to have compressed archives that were

password protected, different secure email gateways.

We really don't publish how to handle some of those things so

you want to go to your web proxy logs and set up rules for that.

And the third most effective rule, and we gave you twelve in

our M-Trends Report, twelve different rules to use to detect

the new techniques of spearphishing, is if you don't

normally use third party storage like OneDrive or SharePoint or

Google Drive, drive.Google.com, set up rules to look for what

you're downloading from these places.

Attackers are circumventing the secure email gateway with links

and trying to get you to download and execute things.

So, we can catch that and everybody has gotten a lot

better at that.

Overcoming MFA.

We have seen this happen enough that I wanted to put

a slide in here on this.

It's really the first two things on this slide.

It's the push notification fatigue where, and that's

happened in cases we responded to, where we just keep jamming,

if you are an attacker, jam a bunch of push notifications to

somebody until they just hit yes, I will take

that push negotiation.

Most of us don't have that problem anymore because we're

aware of ways to circumvent it.

Second thing is one-time passwords are timed

one-time passwords.

That's been overcome as well.

And the other three is where you want to go.

So, it's not good enough to say, yes, we do

multifactor authentication.

We have to do multifactor authentication that prevents

help desks from giving away one-time passwords or to prevent

the SIM swaps, because I'll tell you two things I can't fix with

rules and alerts, SIM swapping and your help desk is designed

to help people.

We are responding to some of the most devastating breaches

because bold, aggressive English native speakers are calling help

desks and helpers are trying to help them.

And they are getting one-time passwords set to access networks

and wreak havoc afterward.

So, make sure your MFA can withstand the social engineering

attacks that have gotten way better than in the past.

Better OPSEC and evasion.

I really just want to go to probably the infrastructure.

You know, I can tell you when people write malware, they don't

write malware that logs.

Fine.

And then the customized malware that we are seeing is starting

to leverage the – when they compromise edge devices,

it's leveraging code that's already there.

It's actually like appending Python to other, pre-existing

code so you can create a new URI to download to or something.

I would focus on the infrastructure.

We are seeing modern espionage groups and even criminal

elements recognize it is best to compromise your victim/target

from local IP addresses or same nation IP addresses.

And then another problem that we're seeing is really

compromising people when they are outside the enterprise.

And we all need to figure out a way to make sure we can protect

our employees when they are accessing enterprise resources

from outside the enterprise, from non-enterprise resources.

Compromising their homes, getting the key logger in there,

seeing the account information posted on different telegram

sites, is a real problem.

But when I look at this, the infrastructure is creating a lot

more difficult attribution, difficult rule sets.

And then living off the land techniques, almost every threat

group is starting to go to this.

Long story made short, we need better security operations

because we are going to have to be able to detect after the zero

day, after the exploit, what the attackers are doing the second,

third, and fourth stages of the MITRE attack chain.

Which brings me to this slide, which is to what are the top

five things we are seeing used or the TTPs after the breach.

You see them right here.

Detecting anomalous use of power shell, very important.

Detecting HTTP traffic or HTTPS traffic that's anomalous on your

network, very important.

Knowing lateral movement via RDP or noticing remote RDP from

outside your network, very important as well.

And service execution.

I haven't figured out a good one and maybe one of my folks will

catch them in the hallway on noticing file deletion,

but it is the fifth one.

And – but you need rules to detect, if you assume breach,

these things without a doubt.

So, that was a lot of bad news, right?

It's like attackers are innovating faster,

there's no risks or repercussions to attackers.

The reality is we are detecting attacks sooner than ever before.

We started recording dwell time – well, you can see it here.

In 2011, on every case that we responded to, and Mandiant

traditionally gets hired for the cases that are out of the scale

and scope where people do need our help.

So, we don't respond when people are five minutes

behind the problem.

Dwell time went all the way from 416 down to ten.

I think part of the reason the dwell time went from sixteen

days days down to ten is we did respond a little

bit more to ransomware.

People tend to notice when they have been ransomed.

Then the detection by source – I showed this slide to somebody

and they were like, is that good or bad?

I want to make this unequivocal.

You'd rather detect your own incidents than have a third

party detect it because they you can handle it

discreetly and on your terms.

Usually when you know from a third party, you've got to

wonder how many third parties know what happened to you.

But this is a great trend and you can see.

It was amazing to me.

When we first started responding to breaches in 2004, 2005, it

was basically 100% third party notification of

the breach to people.

You get down to 54%, I think that's real good.

I think that defense operations has improved about as well as

the offense is innovating.

So, not a bad year for either side.

Ransomware has evolved, no question about it.

There's a lot of reasons for this.

Every company has heard of ransomware.

Most companies, even including going from the 1A

enterprises down to small to medium businesses, are

preparing for it.

You have companies that have said we've identified

our assets that matter.

We have backed up those assets.

Those assets include active directory and configuration

files for critical components of our business.

We have made sure our backups are safe.

We have done tabletop exercises with the board that has us

literally simulate having the worst ransomware we could ever

have happen to us.

We have gone to our identities and looked at creep and scope

and we've shrunk our identity access for a lot

of different accounts.

And you get the idea.

We network segmented.

And you go through all the things.

I can tell you where people are at.

Not many companies have now dry runned how do we operate the

business if we get ransomed and we don't have

these 10,000 servers?

And I can tell you the number one question every board has and

every executive has once ransomware does hit you, how

long before we're up?

It's hard to answer that question until you have to but I

think almost every company that we work with, and 1A enterprise,

has gotten to that stage of we know what we'll do when there's

a ransomware attack and we've done our best to

reduce the blast radius.

So, we've gotten good.

However, the TTPs have evolved and it's creating more pain

through dealing with if they do get in and do get data, sharing

data with reporters, making it so that the pain for executives

is exceptionally high.

I don't want to give too many examples of this because it's

too many good ideas for threat actors but it's just amazing to

me now when you have been ransomed, it's more likely than

not you will be extorted and it's more likely than not you

will start getting other activities and communications

from the ransomware actors.

Boards are definitely more engaged than ever

before in cybersecurity.

That's a trend that's been going like this all along.

I think there's a couple of reasons but very

first and foremost, boards read the headlines.

There's a lot of headlines right now.

Second thing is boards go where sometimes there is regulation.

When you see the US government's Security and Exchange Commission

saying to every publicly traded company, over 4,500 companies,

you have to have the following reporting requirements annually

on your risk management for cyber and your governance for

cyber, you get the board's attention.

Boards are there to provide oversight to companies.

And we are seeing that that oversight has been mandated and

we have to communicate it.

But there's just a lot of reasons why globally, between

sovereign data laws, privacy laws, and cybersecurity

standards, legislation, and regulations that are emerging,

boards are very engaged.

And I think this has been the best year in my career, I

started working in cybersecurity in 1993, that I saw the defense

accelerate with public and private sharing.

And I will go through two examples.

I can only pick one to elaborate on.

Probably the second one.

First one is secure by design.

Every nation, when you are a software vendor, you are

thinking about this.

There is a lot of reasons for it.

One, the government is saying, hey, here is secure by design.

It's signed by many different agencies.

The second reason for it actually is a civil complaint

filed against SolarWinds where they kind of say your software

development lifecycle was below the line period.

So, when you see those sort of things, companies take notice

and decide we are going to take it seriously.

But one of the things that happened within the last month,

month and a half, is the Cyber Safety Review Board here in the

United States under the Department of Homeland Security

issued a report on a breach that occurred in 2023 to a cloud

provider that – where there was a key, a token signing cert that

was seven years old used to mint tokens and one-time

authentication for a really, really big scope for

the access of email.

But what I want to focus in on is the twenty-five

recommendations that was done in that report for all of the cloud

service providers as well as the US government.

And I can kind of sum them up but one of the things

was do victim notification.

If you are a cloud service provider, tell people

when you believe they have been compromised.

Find a method to do that.

There is another one called how about great logging that comes

with what you are paying for so that you can audit security

events in your network.

Better identity and access management was

throughout the report.

And then transparency.

The thought that if you have a vulnerability as a cloud service

provider, you've got to provide it, and you should share with

all of your customers what your security practices are.

So, I put recommendation seven in the report right in the slide

so you can see it because when I read it, I went,

wow, that's something.

That is a recommendation that says every year, the major cloud

providers that provide services to the government are going to

say here is our security practices and here is how we are

doing on your recommendations, so that all of us can make

choices based not just on availability, but make choices

based on security.

And very quickly because I'm over time, we get to talk to

CISOs when they are under duress.

For all the CISOs in the room, this is only seven or eight of

the constant themes that come up every time.

And I didn't put them in any particular order at all.

So, if these are the things you are thinking about as a CISO,

you are right on par with thousands of CISOs.

With that, I would like to thank all of you for your time.