The State of Cybersecurity – Year in Review

RSA Conference
6 May 2024 21:09

Summary

TL;DR: Kevin Mandia, CEO of Mandiant, shared in a talk five main conclusions drawn from more than 1,100 investigations, several hundred red team engagements, threat intelligence analysis and advisory services. He noted that attackers currently seem to face few risks or repercussions for compromising enterprises, that offensive techniques keep innovating, and that ransomware has evolved into data theft, extortion and potentially even harassment. He also emphasized increased board engagement in cybersecurity and the importance of cooperation between government and the private sector. Mandia discussed the pace of attacker innovation, the rise in zero-day exploitation, custom malware targeting edge devices, and how attackers use existing infrastructure to carry out attacks. He also covered the challenges of multi-factor authentication (MFA), better operational security and evasion techniques, and how improved security operations can detect attacks. Finally, he noted that the time to detect attacks is shrinking and that preparation and response can reduce the damage done by ransomware.

Takeaways

  • 📈 **Attacker innovation is accelerating**: Over the past year, attackers innovated faster in their techniques, including the evolution of ransomware and data theft.
  • 💡 **Risks and repercussions for enterprises**: There seem to be few risks or repercussions attached to cyberattacks on enterprises worldwide, which leaves attackers more unrestrained.
  • 🔒 **Zero-day exploitation is increasing**: The number of zero-day vulnerabilities discovered in 2023 rose significantly, and attackers exploit them in their attacks.
  • 📘 **Board attention to cybersecurity is growing**: Driven by regulation and media coverage, board attention to cybersecurity is at an all-time high.
  • 🤝 **Public-private partnership is stronger**: Cooperation between government and the private sector on cybersecurity has reached an unprecedented level.
  • 🔐 **The importance of multi-factor authentication (MFA)**: Although MFA is widely deployed, cases of attackers bypassing it through social engineering are increasing.
  • 🚨 **Improving security operations**: Detecting what attackers do after the initial intrusion requires better security operations and incident response strategies.
  • 📉 **Shorter detection time**: The time organizations take to discover and respond to security incidents (dwell time) is decreasing, indicating improved defensive capability.
  • 🛡️ **Evolving defensive measures**: Enterprises are taking more comprehensive measures to prepare for and respond to potential ransomware attacks.
  • 🌐 **Cloud provider security practices**: Cloud service providers are advised to increase transparency and report their security practices and improvements to customers annually.
  • 📚 **CISO concerns**: Key topics CISOs focus on when facing security challenges include security operations, incident response, threat intelligence and compliance.

Q & A

  • According to Kevin Mandia's talk, what were the main cyberattack trends over the past year?

    - The main trends over the past year include accelerating attacker innovation, in particular the increase in zero-day attacks, the evolution of ransomware, and greater board engagement in cybersecurity. Attackers seem to face few risks or repercussions, which has led to more attacks on enterprises using more advanced and stealthy techniques.

  • How much damage do cyberattacks cause to enterprises, according to the talk?

    - The talk noted that the damage cyberattacks cause to enterprises is very severe, in some cases reaching hundreds of millions of dollars, and those figures are only lower bounds.

  • How does Kevin Mandia think we should counter zero-day attacks?

    - Kevin Mandia believes we should adopt an assume-breach mindset, do attack surface management and patch management, and have good rules in place for what happens afterwards. Even when a zero-day exists, there must be a way to respond.

  • What strategies or recommendations for countering cyberattacks were mentioned in the talk?

    - The strategies mentioned include stronger defense, better tracking of cryptocurrency, modernizing existing international treaties to strengthen attribution and impose risk, and improving security operations to detect post-exploitation activity.

  • How should the 'living off the land' technique mentioned in the talk be understood?

    - "Living off the land" is an attack technique in which attackers use the legitimate tools and programs already present and running in the target network to carry out the attack, which hides their activity more effectively and reduces the risk of detection.

  • What changes in attack techniques were mentioned in the talk?

    - The talk noted that, starting in 2020, attack techniques shifted from phishing emails and the exploitation of human trust back to the exploitation of vulnerabilities, similar to the trend seen between 1993 and 1998.

  • What weaknesses of multi-factor authentication (MFA) were mentioned in the talk?

    - The MFA weaknesses mentioned include the security of one-time passwords, help desks that may inadvertently give away one-time passwords, and SIM-swap attacks, all of which need to be overcome by improving MFA.

  • What common post-breach behaviors (TTPs) were mentioned in the talk?

    - The common post-breach behaviors mentioned include anomalous use of PowerShell, anomalous HTTP or HTTPS traffic, lateral movement via RDP, remote RDP use, as well as service execution and file deletion.

  • What is the 'dwell time' of a cyberattack, as mentioned in the talk?

    - "Dwell time" refers to the average time an attacker remains undetected inside a compromised network. The talk noted that this figure has dropped from 416 days in 2011 to 10 days.

  • How engaged are boards in cybersecurity, according to the talk?

    - The talk noted that boards are more engaged in cybersecurity than ever before, mainly because of frequent reporting of cybersecurity incidents, regulatory requirements, and the growing body of cybersecurity-related laws and regulations.

  • What is 'secure by design', as mentioned in the talk?

    - "Secure by design" is a software development approach that requires security to be considered from the design phase onward, in order to reduce vulnerabilities and improve software security. The talk noted that both governments and civil litigation are pushing software vendors toward this approach.

  • What recommendations for cloud service providers' security practices were mentioned in the talk?

    - The recommended practices for cloud service providers include victim notification, providing good logging commensurate with the fees charged for the service, improving identity and access management, and increasing transparency, for example by reporting security practices and improvements to governments annually.

Outlines

00:00

📈 Cyber threats and innovation: Kevin Mandia's year in review

Kevin Mandia, CEO of Mandiant, shared conclusions drawn from more than 1,100 investigations, several hundred red team engagements, threat analysis and advisory services. He emphasized the growth trend in cyberattacks, especially the evolution of ransomware, and the stronger partnership between government and the private sector. Mandia also discussed the low risks and repercussions faced by those who threaten enterprises, and how cooperation among law enforcement, the intelligence community and the private sector can impose more risk on criminal actors.

05:01

🔍 Zero-day attacks and defensive strategies: ever-evolving cyber threats

Mandia discussed the rise in zero-day attacks and how attackers exploit these vulnerabilities. He mentioned attackers compromising VPNs, email gateways and other network devices to circumvent endpoint protection. He also talked about the evolution of phishing emails and how attackers now attack through other communication channels. Mandia emphasized the importance of multi-factor authentication (MFA) and how to make it more resistant to social engineering attacks.

10:02

🚨 New trends in cyberattacks: from zero-days to persistent threats

The talk covered new trends in cyberattacks, including how attackers use existing infrastructure and "living off the land" techniques to hide their activity. Mandia emphasized the need for better security operations to detect the later stages of an attack. He also discussed key detection techniques, including anomalous PowerShell use, anomalous HTTP/HTTPS traffic, lateral movement via Remote Desktop Protocol (RDP), and file deletion.
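The post-breach TTPs named in this outline (and in the Q&A item on post-breach behaviors and the matching highlight) can each be turned into a detection rule that runs over endpoint and network telemetry. The following Python is an added example written for this page, not code from the talk or from Mandiant; the event schema, the sample telemetry, the internal address ranges, the jump-host allowlist and the thresholds are all constructed assumptions:

```python
"""Rule-based detection of the five post-breach TTPs named in the talk:
anomalous PowerShell, anomalous HTTP/HTTPS, RDP lateral movement / external
RDP, service execution, and file deletion. Added example; the event schema
and the sample telemetry are constructed, not Mandiant output."""

import ipaddress
import re
import statistics
from collections import Counter, defaultdict

# Assumed environment facts: RFC 1918 space is "internal", and only one
# jump host is allowed to initiate RDP sessions.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_JUMP_HOSTS = {"10.0.0.5"}

# PowerShell tradecraft indicators: hidden window, no profile, encoded
# command, or a download-and-execute cradle.
SUSPICIOUS_PS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|"
    r"DownloadString|Invoke-Expression|\bIEX\b)", re.I)
# Services whose binary lives in a user-writable directory or is a shell.
SUSPICIOUS_SERVICE_PATH = re.compile(r"(\\Temp\\|\\AppData\\|cmd\.exe|powershell)", re.I)
EVENT_LOG_DIR = re.compile(r"\\winevt\\Logs\\", re.I)

# Constructed sample telemetry: normalised events with a 'kind' discriminator.
EVENTS = [
    {"ts": 100, "kind": "process", "host": "ws01", "user": "alice", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"ts": 101, "kind": "process", "host": "ws01", "user": "alice", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    # ws01 connects to one external host every ~60 s (C2-like regularity)
    *[{"ts": t, "kind": "network", "host": "ws01", "src_ip": "10.0.1.20",
       "dst_ip": "203.0.113.77", "dst_port": 443} for t in (200, 260, 320, 381, 440)],
    # ws02 browses a site at irregular, human-paced intervals
    *[{"ts": t, "kind": "network", "host": "ws02", "src_ip": "10.0.1.21",
       "dst_ip": "198.51.100.10", "dst_port": 443} for t in (205, 209, 240, 241, 300)],
    {"ts": 300, "kind": "network", "host": "edge-fw", "src_ip": "203.0.113.5",
     "dst_ip": "10.0.1.20", "dst_port": 3389},        # RDP from the Internet
    {"ts": 310, "kind": "network", "host": "ws01", "src_ip": "10.0.1.20",
     "dst_ip": "10.0.1.21", "dst_port": 3389},        # workstation-to-workstation RDP
    {"ts": 320, "kind": "network", "host": "jump01", "src_ip": "10.0.0.5",
     "dst_ip": "10.0.1.30", "dst_port": 3389},        # sanctioned jump host
    {"ts": 400, "kind": "service_install", "host": "srv01", "name": "UpdaterSvc",
     "image_path": "C:\\Windows\\Temp\\svc.exe"},
    {"ts": 401, "kind": "service_install", "host": "srv01", "name": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"ts": 500, "kind": "file_delete", "host": "ws01", "user": "alice",
     "path": "C:\\Windows\\System32\\winevt\\Logs\\Security.evtx"},
    *[{"ts": 500 + i, "kind": "file_delete", "host": "ws01", "user": "alice",
       "path": f"C:\\Users\\alice\\Documents\\q{i}.docx"} for i in range(1, 5)],
    {"ts": 600, "kind": "file_delete", "host": "ws02", "user": "bob",
     "path": "C:\\Users\\bob\\Desktop\\old.txt"},
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Return a list of findings, each {'rule', 'host', 'detail'}."""
    findings = []
    web_flows = defaultdict(list)   # (host, dst_ip) -> connection timestamps
    deletes = defaultdict(list)     # (host, user)   -> deletion timestamps
    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind = e["kind"]
        if kind == "process" and e["image"].lower().endswith("powershell.exe"):
            m = SUSPICIOUS_PS.search(e["cmdline"])
            if m:
                findings.append({"rule": "anomalous_powershell", "host": e["host"], "detail": m.group(0)})
        elif kind == "network":
            if e["dst_port"] == 3389:
                if not is_internal(e["src_ip"]):
                    findings.append({"rule": "external_rdp", "host": e["host"], "detail": e["src_ip"]})
                elif e["src_ip"] not in RDP_JUMP_HOSTS:
                    findings.append({"rule": "rdp_lateral_movement", "host": e["host"],
                                     "detail": f'{e["src_ip"]}->{e["dst_ip"]}'})
            elif e["dst_port"] in (80, 443) and not is_internal(e["dst_ip"]):
                web_flows[(e["host"], e["dst_ip"])].append(e["ts"])
        elif kind == "service_install":
            if SUSPICIOUS_SERVICE_PATH.search(e["image_path"]):
                findings.append({"rule": "suspicious_service_install", "host": e["host"],
                                 "detail": e["image_path"]})
        elif kind == "file_delete":
            if EVENT_LOG_DIR.search(e["path"]):
                findings.append({"rule": "event_log_deletion", "host": e["host"], "detail": e["path"]})
            deletes[(e["host"], e["user"])].append(e["ts"])

    # Anomalous HTTP(S): machine-regular connection cadence to one destination.
    for (host, dst), times in web_flows.items():
        if len(times) >= 4:
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean < 0.15:
                findings.append({"rule": "http_beaconing", "host": host, "detail": f"{dst} every ~{mean:.0f}s"})
    # File deletion: a burst of deletions by one user inside 60 s.
    for (host, user), times in deletes.items():
        if len(times) >= 5 and times[-1] - times[0] <= 60:
            findings.append({"rule": "file_deletion_burst", "host": host, "detail": f"{user}: {len(times)} deletions"})
    return findings


def rule_counts(findings) -> dict:
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["rule"]:28} {f["host"]:8} {f["detail"]}')
```

Run as a script it prints one line per finding; on the constructed sample each of the seven rules fires exactly once, while the sanctioned jump-host RDP, the human-paced browsing, the benign script invocation and the legitimate Spooler service stay quiet. The beaconing and deletion-burst rules are stateful (they need the whole window of events), which is the reason these detections belong in security operations tooling rather than in a single-event alert.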

15:02

⏱️ Shorter attack detection time: progress in security defense

Mandia showed how the average time until an attack is detected (the "dwell time") has decreased significantly since 2011. He pointed out that companies now detect attacks earlier than ever, indicating that security defense is making progress. He also mentioned the decline in attacks discovered by third parties, which means companies are more often discovering and handling security incidents themselves.

20:05

🛡️ The evolution of ransomware and board engagement

Mandia discussed the evolution of ransomware and how companies prepare to respond to this threat, including backing up important assets, running tabletop exercises and reducing identity access. He noted that, although attacker techniques are advancing, companies' defensive measures have also improved. In addition, he emphasized the increased engagement of boards in cybersecurity issues and the cooperation between government and the private sector on security best practices and transparency.

🌟 CISO concerns: key cybersecurity topics

Finally, Mandia summarized the seven or eight themes that come up repeatedly in his conversations with CISOs, showing where CISOs' attention is focused in cybersecurity. He emphasized the shared challenges and considerations CISOs face in responding to cyber threats and listed some key topics, without going into the details of those topics.

Mindmap

Keywords

💡Cyberattack

A cyberattack is an unauthorized intrusion into, or disruption of, the computer systems of an individual, enterprise or organization over the Internet. In the video, cyberattacks are closely tied to the risks and challenges enterprises face, in particular the accelerating innovation of attackers and the damage done to enterprises through means such as ransomware and data theft.

💡Zero-day vulnerability

A zero-day vulnerability is a security flaw in software or a system that is unknown to the developer; attackers can exploit it before a patch has been released. The video mentions that 97 zero-days were found in the wild last year, indicating that attackers are exploiting such vulnerabilities more frequently.

💡Ransomware

Ransomware is malware that demands a ransom by encrypting the victim's files or systems. The video notes that ransomware has evolved from pure data encryption to data theft, extortion and potentially even harassment, showing a trend of continuous evolution.

💡Multi-stakeholder

Multi-stakeholder refers to the various parties with different interests and perspectives in a given field or issue. The video mentions the partnership between government and the private sector, emphasizing that cooperation among different stakeholders is essential for responding to threats in cybersecurity.

💡Data breach

A data breach is the acquisition and disclosure of sensitive or confidential information by an unauthorized individual or group. The video mentions the harm of data breaches and emphasizes that enterprises need to take measures to protect data and prevent leaks.

💡Phishing

Phishing is an attack technique that tricks users into providing sensitive information through communications disguised as coming from a trusted source. The video discusses the evolution of phishing, including attackers phishing through other communication channels, and how to detect these attacks through log analysis.
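The log analysis the talk has in mind is web proxy logging: it says the successful phishing attacks it saw could all have been detected by watching for downloads of executables, of password-protected archives, and of files from third-party storage the organization does not normally use. The following Python is an added example written for this page, not Mandiant's published M-Trends rules; the log format, hostnames, content types and allowlists are constructed assumptions. A proxy log cannot see whether an archive is password protected, so the archive rule flags archive downloads as such and leaves the triage to the analyst:

```python
"""Web-proxy log rules for the phishing-by-download pattern the talk
describes: executable downloads, archive downloads, and downloads from
third-party storage the organisation does not normally use. Added example,
not Mandiant's M-Trends rules; log format, hostnames and allowlists are constructed."""

import posixpath
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed proxy log, one request per line:
# ts src_ip user method url status content_type size
SAMPLE_LOG = """\
1714000001 10.0.1.15 alice GET https://intranet.example.com/policies.pdf 200 application/pdf 84231
1714000002 10.0.1.15 alice GET https://cdn.example-partner.net/invoice_0423.pdf.exe 200 application/octet-stream 512000
1714000003 10.0.1.22 bob GET https://drive.google.com/uc?export=download&id=ABC123 200 application/zip 220000
1714000004 10.0.1.22 bob GET https://www.example.com/ 200 text/html 5120
1714000005 10.0.1.40 carol GET https://onedrive.live.com/download?resid=XYZ 200 application/octet-stream 98000
1714000006 10.0.1.40 carol GET https://files.example-vendor.com/report.7z 200 application/x-7z-compressed 300000
1714000007 10.0.1.15 alice GET https://update.example.com/agent.msi 200 application/octet-stream 4000000
"""

EXEC_EXT = {".exe", ".bat", ".com", ".vbs", ".js", ".msi", ".scr", ".ps1", ".hta", ".cmd", ".dll"}
EXEC_MIME = {"application/x-msdownload", "application/x-dosexec", "application/x-msdos-program"}
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".iso", ".img", ".cab", ".gz"}
ARCHIVE_MIME = {"application/zip", "application/x-7z-compressed", "application/x-rar-compressed",
                "application/x-iso9660-image", "application/gzip"}
# Assumed: the organisation has no sanctioned use of these services, so any
# download from them is worth a look.
THIRD_PARTY_STORAGE = ("drive.google.com", "docs.google.com", "onedrive.live.com",
                       "1drv.ms", "sharepoint.com")
# Assumed allowlist of hosts that legitimately serve installers.
ALLOWED_BINARY_HOSTS = {"update.example.com"}
# "invoice.pdf.exe"-style lures: a document extension followed by another one.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.[a-z0-9]{2,4}$", re.I)

FIELDS = ("ts", "src_ip", "user", "method", "url", "status", "content_type", "size")


def parse_line(line: str) -> dict:
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed proxy record: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["size"] = int(rec["size"])
    return rec


def classify(rec: dict) -> list:
    """Names of every download rule the record trips (empty for benign traffic)."""
    url = urlparse(rec["url"])
    host = (url.hostname or "").lower()
    ext = posixpath.splitext(url.path.lower())[1]
    ctype = rec["content_type"].lower()
    rules = []
    if host not in ALLOWED_BINARY_HOSTS and (ext in EXEC_EXT or ctype in EXEC_MIME):
        rules.append("executable_download")
    if DOUBLE_EXT.search(url.path):
        rules.append("double_extension")
    if ext in ARCHIVE_EXT or ctype in ARCHIVE_MIME:
        rules.append("archive_download")        # containers a mail gateway may not open
    if any(host == d or host.endswith("." + d) for d in THIRD_PARTY_STORAGE) and ctype != "text/html":
        rules.append("third_party_storage_download")
    return rules


def scan(log_text: str) -> list:
    """Return (user, url, rules) for every record that trips at least one rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        rules = classify(rec)
        if rules:
            hits.append((rec["user"], rec["url"], rules))
    return hits


def rule_totals(log_text: str) -> dict:
    return dict(Counter(r for _, _, rules in scan(log_text) for r in rules))


if __name__ == "__main__":
    for user, url, rules in scan(SAMPLE_LOG):
        print(f"{user:6} {', '.join(rules):45} {url}")
```

On the constructed log, four of the seven requests trip at least one rule: the double-extension executable from a partner CDN, the zip pulled from Google Drive, the octet-stream pulled from OneDrive, and the 7z from a vendor site; the intranet PDF, the plain web page and the installer from the allowlisted update host stay quiet. Matching on both extension and content type matters because, as with the Drive download, the URL path often carries no extension at all.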

💡Multi-factor authentication (MFA)

Multi-factor authentication is a security measure that requires users to present two or more forms of authentication to increase security. The video mentions the importance of MFA and how its security can be improved by preventing help desks from giving away one-time passwords and by preventing SIM swaps.

💡Operational security (OPSEC)

Operational security refers to the measures an organization takes to protect its operations from adversary intelligence collection and surveillance. The video mentions how attackers use better operational security and evasion techniques to hide their activity, making tracking and attribution more difficult.

💡Network isolation

Network isolation is the practice of separating a network, or parts of a network, from a larger network or the Internet to improve security. The video mentions attackers penetrating networks by circumventing network isolation technologies such as VPNs and email gateways.

💡Security operations

Security operations refers to the day-to-day activities of the team or department within an organization responsible for monitoring, protecting against and responding to cybersecurity threats. The video emphasizes the importance of security operations, especially in detecting the second, third and fourth stages of an attack, i.e. the later stages of the attack chain.

💡Board engagement

Board engagement refers to the active participation of a company's board members in corporate governance, particularly on cybersecurity issues. The video mentions that boards are more focused on cybersecurity than ever before, which is linked to the emergence of data laws, privacy laws and cybersecurity standards and regulations worldwide.

Highlights

Over the past year, the risks and repercussions attached to cyberattacks on enterprises worldwide do not seem to have increased significantly.

Attackers are innovating faster; ransomware has evolved from pure data encryption to data theft, extortion and potentially even harassment.

Board attention to cybersecurity has increased, and cooperation between government and the private sector has reached its best level ever.

The low cost of cybercrime has led to more attacker activity, particularly ransomware and extortion.

Imposing risk on attackers is key to reducing cybercrime; the cost of attacking must be raised through legal and technical means.

The number of zero-day vulnerabilities has increased significantly: 97 were found in 2022, affecting 31 different vendors.

The way attackers use zero-days is changing, shifting from social engineering (such as spearphishing) to direct exploitation of software vulnerabilities.

Assume the network is already compromised and take corresponding defensive measures, such as attack surface management and patch management.

Chinese cyber espionage improved in 2023, particularly in zero-day exploitation.

Attackers increasingly use "living off the land" techniques (using tools already present) to hide in normal network activity in ways that are harder to detect.

Spearphishing has evolved: attackers have begun attacking through other communication channels to evade traditional email security protections.

Challenges with multi-factor authentication (MFA): attackers bypass MFA through social engineering, such as obtaining one-time passwords through the help desk.

Better operational security (OPSEC) and evasion techniques: attackers use customized malware and existing infrastructure in their attacks.

Better security operations are needed to detect attacker activity in the second, third and fourth stages of the MITRE attack chain.

Attack detection has become faster, from an average of 416 days in 2011 down to 10 days.

Ransomware has evolved: after a successful intrusion, attackers increase the victim's pain through data sharing and extortion.

Board engagement in cybersecurity is higher than ever, partly because of regulatory requirements and media coverage.

Cooperation between the public and private sectors has made significant progress on defensive measures, particularly in secure by design and information sharing.

Cloud service providers are advised to disclose their security practices annually and improve them according to government recommendations.

The seven themes that CISOs consider repeatedly under pressure include secure by design, incident response, threat intelligence and others.

Transcripts

00:11

>> ANNOUNCER: Please welcome CEO Mandiant, Google

00:14

Cloud, Kevin Mandia

00:27

>> KEVIN MANDIA: Good afternoon.

00:28

I'm your second to last speaker today and then we

00:31

all have dinner to go to.

00:32

I've got about nineteen and a half minutes.

00:34

What I want to do is kind of brief you on the conclusions, at

00:37

least part of the conclusions that I have based on over 1,100

00:41

investigations we did during the year, based on several hundred

00:45

red teams we did during the year, the threat intelligence

00:48

that came from the threat analysis group, as well as

00:51

Mandiant's threat intelligence group, and then all the advisory

00:54

services that we did.

00:55

So, I did my best to collect those conclusions.

00:57

We will go through them very quickly.

00:58

And it's not just admiring the offense.

01:01

We are also going to do some things because we all

01:03

came here to learn how to defend our network, so

01:05

we're going to do that.

01:07

This is five of the conclusions that we have based on all of our

01:09

observations really right up until a few minutes ago.

01:12

I changed a few while I was backstage.

01:15

The reality is first and foremost, the conclusion when

01:18

looking at the last twelve months of incidents, it doesn't

01:21

feel like there's a lot of risks or repercussions to

01:24

compromising the enterprises that we see globally.

01:27

We see an acceleration on the innovation on offense.

01:29

I don't know if it's really accelerated but we saw good

01:32

innovation by offensive attackers and threat actors.

01:36

Ransomware has evolved to data theft, to extortion, to

01:40

potentially even now harassment and other things.

01:43

The board is more engaged.

01:44

And then I think we had the best year ever between the privacy –

01:49

or I mean the partnership between the government

01:51

and the private sector.

01:53

So, it's worked really well.

01:54

So, I will drill down on each one of these.

01:55

First and foremost, the few risks or repercussions

01:58

to the threat actors.

02:00

When we look at this, I think every modern nation understands

02:04

there is going to be spying and that you probably can't prevent

02:06

espionage and it's hard to come up with rules for espionage.

02:09

So, my theme here of imposing risk is on the criminal actors,

02:14

the folks that may have come to a height or a threshold where it

02:19

feels almost intolerable.

02:21

So, when you look at the slide behind me, I wanted you to see

02:23

the numbers, and these represent the lowest bounds

02:26

of the criminal enterprise compromising and doing

02:29

ransomware and extortion.

02:30

You get the chain analysis slide on the Bitcoin paid.

02:34

That seems to be tied to extortion or ransomware.

02:37

But more importantly, just the impact on private companies or

02:41

publicly traded companies that are just doing their jobs, and

02:45

we are seeing damages equating to 100 million, 800 million, and

02:50

these are the lower bounds.

02:52

The damages from this tends to go up and to the right.

02:55

So, the question that we always have is what do we do about it?

02:58

You know, and when you look at the ransomware problem, there is

03:00

a lot of folks in the camp of we have to do better defense.

03:04

I get that, and that's why we're all here.

03:06

We all want to do better defense.

03:07

The second thing we probably have to look at is

03:10

cryptocurrency and the means and ways in which we

03:13

can track cryptocurrency.

03:15

Some people think it's not always a great idea to have an

03:18

anonymous currency that can be paid thousands of miles

03:22

apart from one another.

03:23

The third thing we have to do is we have to look at the treaties

03:27

we have and modernize some of these treaties.

03:30

We need to have attribution and impose risk.

03:35

So, I would ask that all of the folks in law enforcement, in the

03:37

intelligence community, and in the private sector revisit some

03:41

of the ways we do attribution; and for the folks in different

03:43

governments globally, to look at what are the safe harbors and

03:48

safe havens for the criminal actors and can we modernize

03:51

treaties with those nations so that we can impose

03:54

more risks or costs?

03:55

I think the time has come where we have to continue to think it.

03:58

I know we have lots of task forces globally and we have lots

04:02

of groups working on this problem and we all look

04:05

forward to progress being made in that regard.

04:09

We have seen the acceleration of innovation and I will go

04:12

through each one of these categories individually, so

04:15

let's hop right into it.

04:16

And it's not necessarily bad news.

04:18

When you see innovation on offense, you really go right to

04:21

the zero day account, and we had a long run of tracking this from

04:24

1998 right up until now.

04:26

And it used to be between ten to fifteen zero days

04:29

a year were found.

04:31

And a zero day, of course, attack with no patch.

04:33

Now you're looking at we found ninety-seven zero days in the

04:37

last year in the wild, about a third of them found

04:40

by Mandiant and Google.

04:42

What I found most interesting about these zero days is really

04:45

shown on this slide, and I know there's a bunch of numbers here

04:47

but focus in on the amount of vendors impacted, and that also

04:52

includes like freeware.

04:53

I guess we just call it different libraries, a vendor.

04:57

But when you look at this, thirty-one vendors impacted, and

05:00

there's always the big three.

05:01

You're going to have Microsoft, you're going to have Google,

05:03

you're going to have Apple.

05:04

But then in addition to those, we have got twenty-eight other

05:07

organizations that there were zero day attacks against them.

05:10

To put that in perspective, there were about four companies

05:13

impacted outside of the big three in 2018.

05:17

So, the number of vendors being attacked is phenomenal.

05:21

Now, why are there this many zero days?

05:24

There is a whole bunch of rampant theories on it.

05:26

Maybe we got better at defense and so you have to

05:29

break in with zero days.

05:31

Maybe the offense is so well funded now they just

05:33

come up with them more.

05:34

Maybe AI is helping the offense find vulnerabilities faster.

05:39

Maybe we are all just shipping really bad software and not

05:42

trying hard enough to patch it.

05:43

I actually think maybe it's a combination of some of that, but

05:47

it's actually because the impact of the breach if you do

05:49

espionage, you get what you want, and if you do crime, you

05:53

get what you want.

05:54

Cyber intrusions are paying off.

05:57

That's why I think you are seeing this happen.

05:59

But again, what this means is you have got to have a way to

06:04

respond to the zero day.

06:07

This slide shows that globally, when we looked at every incident

06:11

we responded to, the number one way people broke in

06:13

was in fact an exploit.

06:16

What this means is all of us have to think – assume breach.

06:20

Do attack surface management, do patch management, and then

06:25

really have great rules for what happens post those things.

06:30

The assumed breach mentality.

06:32

I just saw Jeetu say segmentation is hard, updating

06:36

is hard, and patching is hard.

06:38

That's okay.

06:39

We've got to do them.

06:40

There will always be a zero day.

06:42

And you hear people say we are going to do secure by design and

06:45

get it down to zero, but zero day is not just software.

06:48

At some point in time when you assume breach, you also make the

06:51

assumption maybe you have an insider that can create

06:54

havoc on the network.

06:55

So, the bottom line: this trend is different.

06:58

From 1998 to approximately 2019, the number one way people were

07:04

breaking in is spearphishing and exploiting human trust.

07:08

It has changed since 2020 back to what it was like from 1993 to

07:12

1998, which is exploitation.

07:15

For those who just need to see what are they

07:16

exploiting, there you go.

07:17

There's the top three things that were exploited

07:19

in 2023 for us.

07:21

Chinese Nexus espionage improved during the year.

07:25

And I think the biggest improvement here I could dive

07:27

into, they had twelve zero days and the next nation we could do

07:30

attribution for had only two.

07:32

In my career, I usually saw Russia was number one with the

07:35

zero day exploitation and China started making that list around

07:39

2005, 2006, but now they are leading in that list.

07:43

When we look at the majority of the zero days that we

07:46

see for espionage, we cannot attribute them to the nation

07:49

behind them, which means maybe the espionage is being

07:52

surreptitious when they do it.

07:54

When you look at that go from the zero days, I can combine the

07:57

next two bullet points that you need custom code

08:01

when you hack edge devices.

08:03

When you hack edge devices, you are

08:05

circumventing EDR space.

08:06

You're circumventing the end point protections that we have.

08:09

We've seen Chinese cyber espionage do this two years ago.

08:12

They did it again throughout 2023, specifically compromising

08:18

things like VPNs, email gateways, and other network

08:22

devices that we rely on to defend our networks.

08:24

So – and then whenever you see LOTL, that stands

08:28

for living off the land.

08:30

That is a technique that I think every red team aspires to and

08:34

every offense or threat actor aspires to.

08:36

That is simply breaking in and accessing your networks the way

08:39

your people do because that is the most effective way

08:43

to remain surreptitious and hide in the noise.

08:45

So, the Chinese Nexus Espionage improved throughout the year.

08:48

I would argue all tradecraft did and I'll have another

08:51

slide on that shortly.

08:53

The evolution of spearphishing is interesting to me.

08:56

Part of it was driven by, I think, Microsoft disabled the

08:59

default running of macros in documents in Office containers.

09:05

That was a great step.

09:06

We all got better at end user training.

09:09

Our secure email gateways got better.

09:11

We went to more multifactor authentication.

09:14

So, it's my opinion that attackers now are spearphishing

09:17

through other comms channels.

09:20

That simple.

09:21

What I would tell you, probably the fastest way to cut through

09:25

this because I have eleven minutes and I have a lot I want

09:27

to cover, is the attacks that I saw successful, you could detect

09:32

all of them if you have web proxy logs, because

09:35

what you need to detect is the downloading.

09:37

Like nobody knows how much inspection your

09:40

secure email gateway does.

09:41

If you get a document with a link in it, you don't know how

09:43

deep the secure email gateway is going to go tracking

09:46

what you link to.

09:48

So, you want to make sure you are not downloading .EXEs,

09:52

.BATs, .COM, .VS, all the different executable files.

09:56

The other technique was to have compressed archives that were

09:59

password protected, different secure email gateways.

10:01

We really don't publish how to handle some of those things so

10:04

you want to go to your web proxy logs and set up rules for that.

10:07

And the third most effective rule, and we gave you twelve in

10:10

our M-Trends Report, twelve different rules to use to detect

10:14

the new techniques of spearphishing, is if you don't

10:17

normally use third party storage like OneDrive or SharePoint or

10:21

Google Drive, drive.Google.com, set up rules to look for what

10:25

you're downloading from these places.

10:27

Attackers are circumventing the secure email gateway with links

10:30

and trying to get you to download and execute things.

10:33

So, we can catch that and everybody has gotten a lot

10:35

better at that.

10:37

Overcoming MFA.

10:38

We have seen this happen enough that I wanted to put

10:40

a slide in here on this.

10:41

It's really the first two things on this slide.

10:44

It's the push notification fatigue where, and that's

10:48

happened in cases we responded to, where we just keep jamming,

10:52

if you are an attacker, jam a bunch of push notifications to

10:54

somebody until they just hit yes, I will take

10:56

that push negotiation.

10:58

Most of us don't have that problem anymore because we're

11:00

aware of ways to circumvent it.

11:01

Second thing is one-time passwords are timed

11:04

one-time passwords.

11:05

That's been overcome as well.

11:07

And the other three is where you want to go.

11:10

So, it's not good enough to say, yes, we do

11:12

multifactor authentication.

11:14

We have to do multifactor authentication that prevents

11:17

help desks from giving away one-time passwords or to prevent

11:22

the SIM swaps, because I'll tell you two things I can't fix with

11:26

rules and alerts, SIM swapping and your help desk is designed

11:31

to help people.

11:32

We are responding to some of the most devastating breaches

11:36

because bold, aggressive English native speakers are calling help

11:40

desks and helpers are trying to help them.

11:43

And they are getting one-time passwords set to access networks

11:47

and wreak havoc afterward.

11:49

So, make sure your MFA can withstand the social engineering

11:53

attacks that have gotten way better than in the past.

11:55

Better OPSEC and evasion.

11:57

I really just want to go to probably the infrastructure.

12:00

You know, I can tell you when people write malware, they don't

12:03

write malware that logs.

12:05

Fine.

12:06

And then the customized malware that we are seeing is starting

12:08

to leverage the – when they compromise edge devices,

12:12

it's leveraging code that's already there.

12:14

It's actually like appending Python to other, pre-existing

12:17

code so you can create a new URI to download to or something.

12:21

I would focus on the infrastructure.

12:23

We are seeing modern espionage groups and even criminal

12:26

elements recognize it is best to compromise your victim/target

12:31

from local IP addresses or same nation IP addresses.

12:35

And then another problem that we're seeing is really

12:38

compromising people when they are outside the enterprise.

12:41

And we all need to figure out a way to make sure we can protect

12:44

our employees when they are accessing enterprise resources

12:48

from outside the enterprise, from non-enterprise resources.

12:51

Compromising their homes, getting the key logger in there,

12:54

seeing the account information posted on different Telegram

12:57

sites, is a real problem.

12:59

But when I look at this, the infrastructure is creating a lot

13:02

more difficult attribution, difficult rule sets.

13:05

And then living off the land techniques, almost every threat

13:08

group is starting to go to this.

13:09

Long story made short, we need better security operations

13:13

because we are going to have to be able to detect after the zero

13:16

day, after the exploit, what the attackers are doing the second,

13:19

third, and fourth stages of the MITRE attack chain.

13:22

Which brings me to this slide, which is to what are the top

13:25

five things we are seeing used or the TTPs after the breach.

13:29

You see them right here.

13:30

Detecting anomalous use of PowerShell, very important.

13:34

Detecting HTTP traffic or HTTPS traffic that's anomalous on your

13:38

network, very important.

13:40

Knowing lateral movement via RDP or noticing remote RDP from

13:44

outside your network, very important as well.

13:47

And service execution.

13:48

I haven't figured out a good one and maybe one of my folks will

13:51

catch them in the hallway on noticing file deletion,

13:54

but it is the fifth one.

13:56

And – but you need rules to detect, if you assume breach,

13:59

these things without a doubt.

14:02

So, that was a lot of bad news, right?

14:04

It's like attackers are innovating faster,

14:06

there's no risks or repercussions to attackers.

14:08

The reality is we are detecting attacks sooner than ever before.

14:12

We started recording dwell time – well, you can see it here.

14:14

In 2011, on every case that we responded to, and Mandiant

14:18

traditionally gets hired for the cases that are out of the scale

14:22

and scope where people do need our help.

14:24

So, we don't respond when people are five minutes

14:26

behind the problem.

14:28

Dwell time went all the way from 416 down to ten.

14:31

I think part of the reason the dwell time went from sixteen

14:33

days down to ten is we did respond a little

14:35

bit more to ransomware.

14:36

People tend to notice when they have been ransomed.

14:41

Then the detection by source – I showed this slide to somebody

14:44

and they were like, is that good or bad?

14:46

I want to make this unequivocal.

14:48

You'd rather detect your own incidents than have a third

14:51

party detect it because then you can handle it

14:53

discreetly and on your terms.

14:55

Usually when you know from a third party, you've got to

14:57

wonder how many third parties know what happened to you.

15:00

But this is a great trend and you can see.

15:02

It was amazing to me.

15:03

When we first started responding to breaches in 2004, 2005, it

15:07

was basically 100% third party notification of

15:09

the breach to people.

15:11

You get down to 54%, I think that's real good.

15:13

I think that defense operations has improved about as well as

15:18

the offense is innovating.

15:20

So, not a bad year for either side.

15:23

Ransomware has evolved, no question about it.

15:26

There's a lot of reasons for this.

15:26

Every company has heard of ransomware.

15:28

Most companies, even including going from the 1A

15:31

enterprises down to small to medium businesses, are

15:33

preparing for it.

15:34

You have companies that have said we've identified

15:36

our assets that matter.

15:37

We have backed up those assets.

15:39

Those assets include active directory and configuration

15:41

files for critical components of our business.

15:44

We have made sure our backups are safe.

15:47

We have done tabletop exercises with the board that has us

15:51

literally simulate having the worst ransomware we could ever

15:55

have happen to us.

15:56

We have gone to our identities and looked at creep and scope

16:00

and we've shrunk our identity access for a lot

16:03

of different accounts.

16:04

And you get the idea.

16:05

We network segmented.

16:06

And you go through all the things.

16:08

I can tell you where people are at.

16:10

Not many companies have now dry-run how we operate the

16:14

business if we get ransomed and we don't have

16:17

these 10,000 servers?

16:19

And I can tell you the number one question every board has and

16:22

every executive has once ransomware does hit you, how

16:25

long before we're up?

16:27

It's hard to answer that question until you have to but I

16:30

think almost every company that we work with, and 1A enterprise,

16:34

has gotten to that stage of we know what we'll do when there's

16:37

a ransomware attack and we've done our best to

16:39

reduce the blast radius.

16:41

So, we've gotten good.

16:42

However, the TTPs have evolved and it's creating more pain

16:49

through dealing with if they do get in and do get data, sharing

16:54

data with reporters, making it so that the pain for executives

16:58

is exceptionally high.

16:59

I don't want to give too many examples of this because it's

17:01

too many good ideas for threat actors but it's just amazing to

17:05

me now when you have been ransomed, it's more likely than

17:08

not you will be extorted and it's more likely than not you

17:11

will start getting other activities and communications

17:14

from the ransomware actors.

17:15

Boards are definitely more engaged than ever

17:17

before in cybersecurity.

17:19

That's a trend that's been going like this all along.

17:20

I think there's a couple of reasons but very

17:22

first and foremost, boards read the headlines.

17:24

There's a lot of headlines right now.

17:26

Second thing is boards go where sometimes there is regulation.

17:30

When you see the US government's Securities and Exchange Commission

17:34

saying to every publicly traded company, over 4,500 companies,

17:37

you have to have the following reporting requirements annually

17:41

on your risk management for cyber and your governance for

17:45

cyber, you get the board's attention.

17:47

Boards are there to provide oversight to companies.

17:50

And we are seeing that that oversight has been mandated and

17:54

we have to communicate it.

17:55

But there's just a lot of reasons why globally, between

17:58

sovereign data laws, privacy laws, and cybersecurity

18:03

standards, legislation, and regulations that are emerging,

18:06

boards are very engaged.

18:09

And I think this has been the best year in my career, I

18:14

started working in cybersecurity in 1993, that I saw the defense

18:19

accelerate with public and private sharing.

18:23

And I will go through two examples.

18:25

I can only pick one to elaborate on.

18:26

Probably the second one.

18:28

First one is secure by design.

18:30

Every nation, when you are a software vendor, you are

18:33

thinking about this.

18:34

There is a lot of reasons for it.

18:35

One, the government is saying, hey, here is secure by design.

18:38

It's signed by many different agencies.

18:39

The second reason for it actually is a civil complaint

18:42

filed against SolarWinds where they kind of say your software

18:47

development lifecycle was below the line period.

18:51

So, when you see those sort of things, companies take notice

18:55

and decide we are going to take it seriously.

18:56

But one of the things that happened within the last month,

18:59

month and a half, is the Cyber Safety Review Board here in the

19:01

United States under the Department of Homeland Security