@flowidealism What makes math so important that every kid has to do this every day in your opinion? Even kids who have no aptitude and or interest for it at all and have major skills in other areas (think very high in empathy for example)?
@fcummins I've read the intro but on the outset this doesn't make sense to me. Chess is literally solved purely based on computation. You can 'think through making' all you want but it will not get you anywhere vs people/computers who do. The game simply is too closed for it.
@ShaunTobikosan @GuruAnaerobic What does this even mean? Sit or sprint and do nothing in between? Only 1RM vs AMRAP with the lowest resistance? Only full ROM or no ROM?
Kids/youth do a lot of things in moderation.
I'm all for experimentation, but come on, man... Make it make sense.
Andrej Karpathy is 100% correct. Real learning takes serious effort. Too much “educational content” is purely entertainment.
If you’ve watched 1 hour of Discovery Channel string theory with Neil deGrasse Tyson or Michio Kaku and don't remember anything afterwards, this is what Andrej is talking about.
For this morning's 🧵I want to walk you through why threat actor (TA) groups like LockBit are able to get into large organizations like Fortune 500 companies and government entities seemingly easily.
There's a lot of moving parts here, but I'll try to make it plain for everyone to understand.
First, you have to understand a bit about risk and liability, and how orgs go about making it appear as though they're doing the right thing. And to understand that, you have to understand the culture and mindset.
It all stems from a simple fact: Doing security well is hard. It's not sexy, it's time-consuming, and it requires everyone to be doing the right thing all the time, both inside and outside the group responsible for security.
Once you acknowledge this basic tenet, there are a couple of ways you can go: You can actually do the hard thing. You can realize that no one's going to do everything right all the time and plan accordingly, building robust, resilient solutions that enable business. Or, you can take the easy way out.
My long-time readers will know I tend to be rather cynical and think I'm about to say most orgs choose to take the easy way out.
Nope!
Most orgs think they're actually doing #2: building robust, resilient solutions that enable the business. But really, they killed that a long time ago, and instead they just prance around in its desiccated skin, giving the appearance of having done so.
Orgs will do things like "due diligence", which is a fancy word meaning, "the industry has come to a de facto level of bare minimum work necessary to avoid being held legally liable should something happen". This includes things like implementing "industry best practices", and "best-in-class" and "best-in-breed" solutions, and passing regular security audits.
What this results in is a whole lot of orgs who buy the same equipment, configure, deploy, and maintain it the same way, and who have to answer more or less the same questions as everyone else come audit time.
I won't dive into just how much of a sham and scam security audits are, but suffice to say that they're the quintessential exemplar of a box-checking exercise, with no real measurable impact on actual security.
So, you have all these orgs buying all the same software, equipment, and services as everyone else, because everyone else is doing it. You have them all deploying and configuring them the same way, because that's how everyone else is doing it.
[quick side story: I once worked at a company that had to pass several hundred audits yearly. They were in a highly-regulated industry. Among the multiple security audits they had to pass, every single one of them required data to be encrypted at rest. What this means is that stored data should be encrypted. How this got interpreted by both the employees who should have known better, and the auditors, who definitely should have known better, is: "Oh, you have your database stored on a Bitlocker-encrypted volume. You're good." Everyone who knows anything is now shaking their heads, because they know that this is explicitly NOT what the control requires. The database is UNENCRYPTED as soon as the volume is accessed, and remains that way. It's only encrypted if the drive is physically removed from the device it's in. But, I digress.]
So, what does this monoculture of software, service, and equipment mean?
It means that when a TA group goes and spends large amounts of money for a zero-day in a solution used by one government agency or Fortune 500, chances are it's going to work on a whole ton of the rest of them. Cases in point: SolarWinds and MOVEit, to name two fairly recent massive breach vectors.
And that's what these TA groups do: since they have hundreds of millions of dollars or more to burn, they spend it on recruiting top talent, and on buying capabilities from other criminals. This talent and these criminals have the luxury of spending months or years studying in minute detail every aspect of a particular solution. Every patch, every decompiled line of code. Sometimes, they'll just bribe an insider at the company that provides the software, service, or product (see the perennial security issues that T-Mobile has for a good example of insider threat used in this way).
Once they have a weaponized exploit they can leverage, they either hit specific pre-chosen targets, or they scan the entire internet, exploiting every vulnerable instance of the solution they come across. They'll even go so far sometimes as to actually fix the vulnerability after they've gained a foothold in the organization, so other TA groups can't come along behind them, exploit it, and kick them out.
For ransomware groups, they will sometimes spend days, weeks, even months inside the organizations they've exploited, looking around, figuring out what's worth taking, how everything's laid out. Only when they are satisfied that they've seen all there is to see and gotten all the value out of their access they can, including exfiltrating all the data they want, will they deploy the ransomware which locks up all the computers and demand money from the victims in order to unlock them.
"But this is simple! Just restore from backups!" you say. Many companies don't keep most of those systems backed up, or the backups are too old. Or, the ransomware either destroys or encrypts the backups, too. This, by the way, is a strong argument for making daily backups and keeping them offline, as well as routinely practicing restoring your systems from backups, to ensure minimal downtime and maximum business continuity.
Many companies also use cloud services and third parties that are either given sensitive data, or granted some level of access into the organization. TA groups will go after these third parties instead of the primary targets, as they are often even more insecure than the targets themselves, making the data or access easier to get. In some cases, these third parties have the "keys to the kingdom", so to speak, in that they manage the critical infrastructure for the company. SaaS (Security as a Service) companies are like that; they manage all the security solutions for multiple companies. And yes, these SaaS vendors have been hit by TA groups in the past and, yes, it was a nightmare for their customers.
The TA groups, once they've deployed the ransomware, will usually threaten to publicly release the data they've stolen unless the ransom is paid. The TA groups have great customer service and tech support. Better than most of their victims, in fact, and will helpfully walk the victims through how to go about verifying that the TA group has, in fact, stolen their data, how to purchase the cryptocurrency they want to be paid in, how to transfer it to them, and how to apply the decryption keys their ransom money paid for to unlock their systems.
You'd think the answer here is to simply not pay, and this would stop. You'd be wrong. In fact, an entire industry has sprung up around ransomware insurance -- companies that sell insurance against ransomware attacks. On the surface, this sounds well and good. In reality, companies pay these insurers, and when the companies are attacked, the insurers merely negotiate with the TA groups and pay them off. They're essentially middle-men for the criminals, ensuring they get paid.
And this is an accepted industry practice.
The sad fact of the matter is that systems have grown so complex, and humans are so fallible, that there is no such thing as "secure". Only "risk minimization". And, even then, the risk minimization that occurs is a ruse, designed to placate auditors and regulators, not to actually minimize risk.
But, as long as everyone plays the game, makes all the right noises and dance moves, no one's peepee gets whacked too hard when the inevitable occurs, unless it's overly embarrassing and the PR can't be spun well. Cf. the credit bureau who got hacked, and it turned out their CISO (Chief Information Security Officer) had a degree in music, and no actual security background.
This is the world we live in.
This is the world you trust your finances to, your health to, your very lives to. It's as fragile as tissue paper in a hailstorm.
But, as long as everyone squeezes their eyes tight and shoves their fingers in their ears, we can all have the latest shiny, blinky, beepy gadgets to "make our lives better and easier".
You should not be shocked that the Fed got popped.
You should be shocked it took this long.
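The thread's backup advice (daily backups kept offline, plus routine restore drills) maps onto three concrete failure modes: backups that are too old, backups that were destroyed, and backups that were encrypted in place. The script below is an added example, not code from the thread's author; it uses only the Python standard library and constructs a small throwaway backup set in a temporary directory (the file names, contents and the `MANIFEST.json` name are all made up for the demonstration). It records a hash manifest of a fresh backup, checks a backup against a trusted copy of that manifest for staleness, missing, modified and unexpected files, and performs a restore into a scratch directory that is only counted as successful when every restored file matches the manifest.

```python
"""Backup manifest, integrity check and restore drill (added example, stdlib only)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # hypothetical name; the real copy is kept off the backup


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Record the hash of every file in a freshly taken backup.

    The returned dict must be stored *away* from the backup (offline or on a
    write-once medium): anything able to encrypt the backup could otherwise
    rewrite the manifest to match.
    """
    files = {
        str(p.relative_to(backup_dir)): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }
    return {"created": time.time(), "files": files}


def verify_backup(backup_dir: Path, manifest: dict, max_age_seconds: float) -> dict:
    """Compare a backup on disk against its trusted manifest.

    Reports: too old (stale), destroyed (missing), encrypted in place
    (modified), and files that were never part of the set (unexpected).
    """
    report = {"stale": False, "missing": [], "modified": [], "unexpected": []}
    if time.time() - manifest["created"] > max_age_seconds:
        report["stale"] = True
    on_disk = {
        str(p.relative_to(backup_dir)): p
        for p in backup_dir.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }
    for rel, expected in manifest["files"].items():
        path = on_disk.pop(rel, None)
        if path is None:
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["modified"].append(rel)
    report["unexpected"] = sorted(on_disk)  # e.g. a ransom note dropped into the set
    return report


def restore_drill(backup_dir: Path, manifest: dict, restore_dir: Path) -> bool:
    """Restore into a scratch directory; succeed only if every file matches the manifest."""
    for rel in manifest["files"]:
        src = backup_dir / rel
        if not src.exists():
            return False
        dst = restore_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
    return all(sha256_file(restore_dir / rel) == h for rel, h in manifest["files"].items())


def demo() -> dict:
    """Constructed scenario: a clean backup, then the same backup after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'constructed');\n")
        (backup / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        manifest = build_manifest(backup)  # in practice this copy lives offline
        clean = verify_backup(backup, manifest, max_age_seconds=86400)
        drill_ok = restore_drill(backup, manifest, Path(tmp) / "restore")

        # Simulate ransomware reaching the backup set: one file overwritten with
        # ciphertext-looking bytes, one deleted, one ransom note added.
        (backup / "db" / "customers.sql").write_bytes(b"\x93\x12\xf0\xa4" * 8)
        (backup / "config.ini").unlink()
        (backup / "README_TO_RESTORE.txt").write_bytes(b"constructed ransom note")
        tampered = verify_backup(backup, manifest, max_age_seconds=86400)
        drill_after = restore_drill(backup, manifest, Path(tmp) / "restore2")

        # The same manifest judged a week later fails a daily-backup policy.
        old = dict(manifest, created=manifest["created"] - 7 * 86400)
        stale = verify_backup(backup, old, max_age_seconds=86400)["stale"]
    return {"clean": clean, "drill_ok": drill_ok, "tampered": tampered,
            "drill_after": drill_after, "stale": stale}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that the manifest is passed in rather than read from the backup directory: the integrity check is only as trustworthy as the copy of the hashes that the attacker could not reach, which is the same reason the thread insists on keeping backups offline. The restore drill returns a boolean so it can be scheduled and alerted on rather than eyeballed.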
@ZacGoodman_ @tjthompson I have a hard time figuring out what this means. So this is different from simply jumping as high as you can for x reps I guess?