Threat Actors and the Motivation Behind the Attack

Transcript 

00:00:12 Brandon Witte 

Hi everyone and welcome. This is Brandon Witte. I’m the CEO of Sightline Systems and I’ve got Brian Dixon, security architect at Unisys Corporation, as the co-host. This session, we’re going to talk about the threat actors and motivation behind cyber attacks, and we’re excited to have with us cyber security expert Damian Apone, the global security program director at Genuine Parts Company.

So Damian, over the past several years, we’ve seen a staggering increase in the number of ransomware and cyber attacks.

00:00:46 Damian Apone 

Yeah, so as a matter of fact, you know, looking back, the latest statistics show that every 39 seconds there’s a new attack somewhere on the web. The amount of damage being done by cybercriminals has doubled from 2015 from $3 trillion. That’s over $6 trillion annually just in damage being done by ransomware alone. The attacks have increased over 150% since 2020, so the attacks are certainly on the rise across the globe.

00:01:20 Brandon Witte 

And guys, it seems like, as you said, every day we’re hearing about another company falling victim to some kind of cyber attack. And Brian, it just seems like this problem is going to continue to get worse.

00:01:31 Brian Dixon 

I completely agree, just being in the cyber security field. The past few years, we’ve seen customers trying to deal with and struggle dealing with some of the attacks that they’ve been facing over the last few years. But especially with COVID last year and still ongoing, people working remote, data centers no longer being in one location, everything kind of being fluid in the cloud and multi-cloud.

We’re just seeing a lot of advanced stage attacks that a lot of the legacy tools and things that customers have been doing are no longer really effective. So we’re seeing this. This obviously is a big issue, so it can get worse.

Like you said, Damian, who’s behind these attacks in your opinion and who really are the threat actors trying to gain access?

00:02:11 Damian Apone 

Yeah, so I think, you know, cyber security in general, it is mystifying to a lot of companies. There’s still a lot of denial of that. I’m not really a target. There’s no threat to me. Typically when we look at the threat actor landscape, some will say they break it into five categories, some six.

So the number of categories that they break it into seems to vary, but at the bottom line, for me it’s really three different types of groups. One are the nation state actors themselves, and we’re familiar with this, as you know.

Their goal is to steal secrets, right? And their chief goal is espionage threat.

It could be chaos, economic destruction. These are things that are led by China, by Russia, by Iran.

And so they’re state sponsored. The second group is really the hacktivist, if you will, or the social group, and their primary goal is just either exposing secrets or disrupting services that they perceive as being evil. They don’t necessarily target particular companies, but they’re really more those fringe believers, where a company like a WikiLeaks, for example, right, they’re trying to reveal evil in companies.

Sony Pictures was another one of those cases where they were trying to do that, the activists were trying to influence. And then really the third group, which is the biggest group, is the, you know, cyber criminals themselves.

And really these are the ones that we hear over and over about. These are the ones that are leading the ransomware attacks. The data breaches and things like that, ’cause really for them it’s all about money and there’s a lot of different ways to monetize on an attack. But those are primarily the three that we see in the industry today. 

00:04:10 Brian Dixon 

No, thanks for that. That’s very interesting and you know, I like to think that I’m pretty smart when it comes to understanding technology and software and especially security. But it even baffles me still like, how do these organizations and these individuals learn how to do and create these exploits and actually get into companies and take out data and do what they do? 

00:04:30 Damian Apone 

Well, it’s really interesting that some of these companies, some of these individuals that do it, they start very young, and I believe it was Twitter.

There was a Twitter hack a couple years ago in Florida and the gentleman who did it was 17 years old, right? So in some cases, you know, younger people are getting interested in this. In some cases with nation states, they have a whole program dedicated to churning these out. Even in some of the cyber criminals, some of what they do is not overly sophisticated.

The Nigerian Prince scam, for example. 

There’s a bunch of people, and people still fall for the Nigerian Prince scam to this day. Anybody can write a really bad email, which they’re really bad emails, and, you know, they can inject the malware.

So what we’re seeing is, well, is a rise of this ransomware or cyber crime as a service.

So if you can do parts of the whole exfiltration, but maybe not other parts, you can buy the ability from somebody else to. You know, if you don’t know how to escalate privileges, for example, you can buy that as a service on the dark web. So the ability, and the fact that they’ve created services around that, is really, really scary. So just about anybody who really wanted to be a cybercriminal has that ability today just by paying a portion of what you get for their service.

00:05:56 Brandon Witte 

That’s really interesting, because if they’re able to do this and so easily find these attacks to implement, doesn’t that make it easier for us? Or shouldn’t it be easy to catch them? Or the ones that are making these things available?

00:06:15 Damian Apone 

Yeah, that’s a great question, and it’s a great point. 

So the interesting thing when we start talking about specifically ransomware as an example: the most active ransomware families that are out there, the DarkSides of the world and some of the others, you can go out online, Google “top ransomware attacks 2021,” and look at what their tools, techniques, and procedures are. They call them TTPs. There is an organization called MITRE, M-I-T-R-E, that basically maps it, so we have the playbook for the bad guys of how they execute their attacks.

We’re just ignoring it. And so a lot of what we’re seeing, can it be diminished?

Absolutely, it can be, and the other good news is a lot of it’s publicly available, so we know what the most exploited vulnerabilities are. We know the methods that they’re proliferating ransomware in a company. The information is there, I think. We just need to listen and look for it.

00:07:19 Brian Dixon 

What, in your opinion, what do you think companies can do to help better protect themselves, not just from an attack, but from a successful attack? 

00:07:28 Damian Apone 

Yeah, I think that, you know, most often it’s the foundational stuff, right? Do the basics first. And sometimes, you know, I’ve gotten questions around all these really complex attacks, and the truth of the matter is, the attacks are not complex, they’re really not.

And like I said, you can go online and most of the attacks are following the same vulnerabilities. They’re exploiting the same vulnerabilities, they’re exploiting the same, you know, configuration mistakes, so it’s not really complex.

We just don’t do the basics exceptionally well. So, you know, I think if you align to the MITRE ATT&CK framework, again, it’s publicly available, it is the bad guys’ playbook.

But make sure you’re doing the basics.

Things like, you know, your vulnerability scanning and patching. You know, today, average patch time can be anywhere between 60 to 150 days and, you know, that sounds good, but that’s just from the time that the patch is available. That’s almost six months, so there are a lot of cases where today you’ll find companies that still have not Petya. You know, doing that basic hygiene, getting rid of your end of life, making sure that you have segmentation in place, which is where we’re leveraging Unisys specifically today. You know, the more you make it harder for the bad guy to get what they want, the less they’re going to deal with you, so the more difficult you make it.

By making sure you’ve got good passwords, by making sure that you can escalate privileges, that you don’t have the vulnerabilities for them to exploit.

The other really big key area gets to be email. Don’t overlook email, right? Email can cause a lot of these things.

00:09:16 Brian Dixon 

How does the attacker get in? 

00:09:18 Damian Apone 

Right, the attackers typically are getting in via email, whether it is a phishing email or a business email compromise, and email is responsible for about 94% of all malware that’s being deployed in an organization. Once you get the malware in, then it’s off to the races for the bad guys and, quite honestly, they have no timetable. They are exceptionally patient. They will sit there as long as they’re undetected, for as long as they want. I believe the average dwell time now is coming down, which is really good news from an average perspective, but the average dwell time can range between 49 to 150 days. So I understand that.

If I can live in your environment for up to six months, and you’re not patching for up to six months later, there’s a lot of bad things that can be done. So, by doing the basics, by making sure you’re aligning and understanding how they’re going to attack you, and then preparing your defenses to know that if this particular attack is going to escalate privileges, what can I do to prevent that from happening, then doing that, that is the most practical advice to preventing some of that, right?

So I would say that security or compliance is definitely not a solution here. I know there’s a lot of people, you know, scratching their heads or worrying about the Biden cyber security regulations just passed. What I would say is, you know, if you’re going to do compliance, compliance equals minimum requirements. A lot of times it’s the check the box. If you do the right things from a security perspective, you’re going to achieve that compliance as an end result, so I wouldn’t focus on how do I comply with the regulation as much as what you need to secure, because really, depending upon the attacker and the nature.

What I see in my company, if I’ve experienced it in my company, is you know, I’m not a threat. You know, there’s nobody a threat to us. I don’t have what they want. That’s not true. No one would want to attack me. That’s not true either. 

So, so how they choose their targets gets to be very, very interesting, right? 

And it depends on the threat actor. 

And sometimes it isn’t a direct attack on you, right? Sometimes you are the mule to somewhere else: the HVAC company that was leveraged to get into Target, for instance. But understanding why they attack, so, you know, nation states, they’re after government secrets.

They’re there to create chaos again.

Activists, they have their own things.

But the nation state, you know, who are they targeting? They’re targeting businesses as well as government-run organizations. Well, I’m not a government-run organization. No, but do we do business with the government?

Are we taking a posture on something? And I think, you know, we’ve seen that over the past summer, where with a lot of social issues coming up here in the United States, certain companies that may stand against those social beliefs are being targeted. And then really, do I make money?

Am I perceived to be cash or data rich? 

For me I work in a Fortune 200 company. That’s a lot of money that we make, so the bad guys look at us as a target and say you’ve got a lot of money. I may not have the data, but if they feel that they can get the money out of us one way or another, either through ransomware or through a data breach then that’s their motivation to attack so, and you know the interesting thing is, some companies face a threat from all three categories. And they may not. 

The really interesting thing about the Colonial Pipeline incident was DarkSide, the ransomware group that attacked Colonial Pipeline. After it happened, they were very, very quick to point out: hey, this is not politically motivated. This is not a political statement. All we want is the money, right? Because they are a key component to the infrastructure. You know, JBS, the same thing, right? They’re a key component to the infrastructure in terms of meat packing. We just pack meat. Why would anybody want to attack us? Because they were perceived to have deep pockets and would pay the rent.

Gets to be interesting as well. Unfortunately, as we’ve seen, other events, especially around critical infrastructure, occur that were not necessarily related to cyber but should cause alarm and concern, right? Folks can remember earlier this year in Texas when the power grid went out. Right, that was not necessarily done because of a cyberattack. But it shows, if they could do it, the impact that that could have, the impact of, you know, just breaching an accounting system at Colonial Pipeline.

What effect does that have?

So if you’ve got data that can be monetized on the dark web, if you’ve got or are perceived to have deep pockets, or are dealing in some of these things, you can be a threat on multiple levels. It’s a lot. It’s crazy to see the success these people are having against organizations and the money that they’re actually trading to meet there.

00:14:50 Brian Dixon 

I guess the last thing I want to ask and then I’ll hand it back to Brandon. 

What is your opinion on companies? Some of the recent data breaches and attacks that we’ve seen, they’ve paid ransom, right? So they’ve done that in an effort to think that they’re going to get their data back. Have you seen any situations where they’ve been maybe attacked again through that exchange of paying that ransom?

00:15:10 Damian Apone 

Yeah, there’s a couple of trends that are going on. The first one, as you mentioned, was follow-on attacks, and so we are certainly seeing that. Probably not as rampant, because I think people are learning the first time, if you pay the ransom. Some of the ransomware, like I said, DarkSide is the ransomware group with the heart. They say they won’t attack hospitals. They won’t attack educational groups. But not all are that way. Not all have that morality. Some will say, hey, if you pay the ransom the first time, I’m going to attack you again, ’cause you probably haven’t fixed the problems, so I’m going to charge you double the ransom. So we do see that occurring.

The other trend that we’re actually starting to see on the rise right now is kind of a double ransom, they’re calling it, where I’m going to hold your files and help you pay the ransom, and then sometimes you may get your files unencrypted.

You may not. They’ll give you the key. If you pay, they will give you the key to unlock. Now, whether or not it actually works, that may be something totally different. But what they’re also doing is they’re saying, hey, I’ve ransomware on your stuff. We’ve stolen your data, and if you don’t pay me this other ransom, I’m going to expose that as well. So they’re kind of doing it two for one, where they’re locking you up and taking your data, and basically, you know, extorting you to not leak the fact that they’ve done that. And a lot of that is because of those dwell times, because if I can live in the environment, they’re exceptionally patient.

They’ll sit there for months on end and just learn your business, and they’ll imitate the people that they need to imitate. Or they will proliferate whatever they want to do. There is some debate around the dwell time, of why it’s come down, and I think, the why it’s come down, there’s a camp that will say it’s coming down because the actors are acting quicker, especially in light of ransomware, right? So the threat actor gets in. They don’t need as long to figure out how to lock everything up.

So that dwell time, how long are they in my environment, is going down artificially because they’re acting sooner than they have in the past. But yeah, just because you pay a ransom and the other key thing around ransomware. A lot of companies are purchasing cyber security insurance right now. 

Premiums are on the rise dramatically, 100 and 5200%. If you can get the cyber insurance coverage, there is a lot of focus right now around ransomware as well, because the insurance companies are really getting a lot of claims in that particular area. What I would advise people is check your policy, check the conditions of your policy, because in some cases, if you actually pay the ransom, it may negate your insurance coverage.

So there’s a lot of things that companies may or may not do. Hey, just pay the ransom and they’ll go away. You are set up. If you’re going to do that, great. Fix yourself so it doesn’t happen again.

But also make sure that if you do have ransomware insurance or cyber insurance, you read the policy and know what the provisions around ransomware are. 

00:18:29 Brian Dixon 

Wow yeah, thanks for that information. It’s super helpful to know. 

Back to you, Brandon. 

00:18:34 Brandon Witte 

Yeah, and one last question on this is that so someone that’s been compromised and the data has been taken and I pay my ransom, they give me my key. 

Is it fair to say that they’ve also opened up a whole other set of potential vulnerabilities so that, you know, as you said, they can just come back again the second or third time, even easier than the first?

00:18:59 Damian Apone 

Yeah, I think so. Once the company gets breached, a lot of times, the others have their data breach reports.

I think what happens is after the containment, right, did we it did? That’s when the hand-wringing comes in, the teeth-gnashing comes into place.

How did they get it? 

It’s important to go through that payment to be honest, to say well how did they get in? How could this have been proved? Again, how do we stop from even getting there, right? 

Let’s do the basics. 

Let’s do those core responsibilities of patching and scanning and fixing. The more of that you do, that takes out a lot, of 80%. Really, if you just patch vulnerabilities, if you have good email controls in terms of blocking phishing, the more opportunities you can take away from the bad guy, the better off you’re going to be. And I think that hindsight, that Monday morning quarterbacking of, gosh, how did this happen? You know, it’s almost better to do that now and simulate that through a table top. And hey, we failed the table top, but that’s OK. What can we do to better protect it? It will highlight things. It will highlight a lot of things. Maybe you have a lot of technical debt; a lot of companies have technical debt. But the other thing here that I want to highlight is it’s not all about the technology. And really, to be really protective from a security perspective, don’t just look at, did I fix a vulnerability, or why do we have an old system out there? It’s all about people, process and technology.

Do I have the right people? Are they looking at the right things? Because the human configures technology, so maybe we didn’t configure something correctly. Do I have the right processes in place, that if something is found, we’re notified? So a lot of times, there’s a lot of money, it’s probably a $300 billion industry in terms of cyber security software, it’s not necessarily technology failures that we have. We have people, we have process failures that have been manifested on the technology side. So, you know, are we checking the firewall rules? Are we reviewing who has access into the system?

Those aren’t technology things. Those are people in the process. So I think it’s important to do that, ’cause it will highlight, and you got hit once. Every actor does something different, which is why if you go out and look and say, oh, how are the most common things happening? There’s 5, 6, 7 different paths that they may go through, so don’t just check the one path where you got got, if you will. Check the other six as well, right? The more that you can prepare and know, and if you find things, that’s OK. You want to find it before the bad guys do and then fix it. ’Cause if you fix those things, they’re just going to say, hey, you know what? It’s not worth my time. I’m just going to move on and find somebody else who’s not as well protected.

00:21:51 Brandon Witte 

So thanks so much, guys. We’re out of time for today, but I want to thank Damian. Great stuff there on your insight and background on the space. Really appreciated. Thank you.

And Brian, thanks so much, and join us next time as we dig in a little bit more on what we can do and the top things that can be done to help better protect companies from the increase in attacks that we’ve been seeing.

Thanks so much.