In this concluding post of John Carlin’s Lessons from the DOJ, we cover a few emerging threats: cyber as an entry point, hacking for hire and cybersecurity in the IoT era.
One of the most notable anecdotes is John’s description of how easy it is to find hacking-for-hire shops on the dark web. Reviews of the most usable usernames and passwords and the most destructive botnets are widely available to shoppers. Also, expect things to get worse before they get better. With the volume of IoT devices now being developed without security by design, we’ll need to find a way to mitigate the risks.
Cindy Ng: You may have been following our series on John Carlin’s work during his tenure as Assistant Attorney General for the U.S. Justice Department. He described cyber as an entry point as one of our threats, using our latest election process as an example. But now, John has a few more emerging threats to bring to your attention: hacking for hire and cybersecurity in the IoT era. One of John’s striking descriptions is how easy it is to find hacking-for-hire shops on the dark web. Reviews of the most usable usernames and passwords and the most destructive botnets are widely available to shoppers. Expect things to get worse before they get better. With the volume of IoT devices created without security by design, we’ll need to find a way to mitigate the risk.
John Carlin: Let me move to emerging threats. We’ve talked about cyber as an entry point, a way that an attack can start. Even when the cyber event isn’t really the critical event in the end, our electoral system and confidence in it wasn’t damaged because there was an actual attack on the voting infrastructure; if there’s an attack where they steal some information that’s relatively easy to steal and then they get to combine it with a whole campaign of essentially weaponizing information, that’s what caused the harm. The other trend we’re seeing is hacking for hire. I really worry about this one. I think over the next five years, what we’re seeing is, the dark web now, it’s so easy to use, well, I don’t recommend this necessarily, but when you go on it, you see sophisticated sales bazaars that look as customer-friendly as Amazon.
And when I say that I mean it literally looks like Amazon. I went on one site and it’s complete with customer reviews, like, “I gave him four stars, he’s always been very reliable, and 15% of the stolen user names and passwords that he gives me work, which is a very high rate.” Another one will be like, “This crook’s botnet has always been really good at doing denial-of-service attacks, five stars!” So that’s the way it looks right now on the dark web, and that’s because they’re making just so much, so much money they can invest in an infrastructure and it starts to look as corporate as our private companies.
What I worry about is, because those tools are for rent, use the botnet example, you know, one of the cases that we did was the Iranian Revolutionary Guard Corps attack on the financial sector. They hit 46 different financial institutions with a distributed denial-of-service attack, taking advantage of a huge botnet of hundreds and hundreds of thousands of compromised computers. They knocked financial institutions, who have a lot of resources, offline, affected hundreds of thousands of customers, and cost tens of millions of dollars.
Right now, on the dark web, you can rent the use of an already made botnet. So the criminal group creates the botnet, they’re not the ones who necessarily use it. Right now they tend to rent it to other criminal groups who will do things like GameOver Zeus, a case that we did, you know, they’ll use it for profit, they’ll use it for things like injecting malware that will lead to ransomware or injecting malware for a version of extortion, essentially, where they were turning on people’s video cameras and taking naked pictures, and then charging money, or all the other criminal purposes you can put a botnet to.
But it doesn’t take much imagination to see how a nation state or a terrorist group could just rent what the criminal groups are doing to cause an attack on your companies. In terms of emerging threats, you’re certainly tracking the Internet of Things era. I mean, you think about how far behind we are given where the threat is, just because we moved very, very quickly from putting everything we value from analog to digital space, connecting it to the internet over a 25-year period roughly. We’re now on the verge of an even more transformative evolution, where we put not just information, but all the devices that we need, everything, from the pacemakers in our hearts, the original versions that were rolled out, actually this is still an issue, for good medical reasons they wanted to be able to track in real time information coming out of people’s hearts, but they rolled it out unencrypted, because they just don’t think about it when it comes to the Internet of Things.
They were testing whether it worked, which it did, but they weren’t testing whether it would work where they had security by design, if a bad guy, a crook, a terrorist, or a spy wanted to exploit them. Drones in the sky, they were rolled out, same problem, the commercial drone was rolled out originally not encrypted. So, again, a 12-year-old could kill someone by taking advantage of the early pacemakers, and they could with drones as well. And then the automobiles on our roads, forgetting the self-driving vehicle already, estimates are 70% of the cars on the road by 2020 are essentially gonna be computers on wheels.
One of the big cases we dealt with was the proof-of-concept hack where someone got in through the entertainment system to the steering and braking system, which then led to a 1.4 million car recall of Jeep Cherokees. So that’s the smart device used to cause new types of harm, from car accidents, to drones in the sky, to killing people on pacemakers. But we also just have the sheer volume, it’s exponentially increasing, and we saw the denial-of-service attack that we’ve all been warning about for a period of time take place this October; it knocked down essentially internet connectivity for a short period of time, because there were just so many devices, from video cameras, etc., that are rolled out with defaults and can be abused. So, hopefully there will be regulatory and public policy focus to try to fix that.
In the interim though, my bottom line is, things are gonna get worse before they get better on the threat side, which is why we need to focus on the risk side. We won’t spend too much time on what government’s been doing. We’ve talked about some of it a little bit already, but the idea is, we need to, one, bring deterrence to bear, make the bad guys feel pain. Because as long as they’re getting away completely cost-free, offense is gonna continue to vastly outstrip defense. Number two, we gotta figure out a way to share information better with the private sector.
And I think you’re hopefully seeing some of that now, where government agencies, FBI, Justice, Secret Service, are incentivized to try to figure out ways to increase information sharing for information that, for many, many years now, has been kept only on the classified side of the house. And that’s a whole new approach for government, and it’s just in its early steps. But we’ve been moving too slowly given where the threat is; we need to do more, faster. You know, just a couple weeks ago they heard the Director of the FBI say, “Okay, they came after us in 2016 in the Presidential election, but I’m telling you they’re gonna do it again in 2020,” and the head of the National Security Agency agreed. That’s in just one sphere, so I think we’re definitely in a trend now where we need to move faster in government.
What’s law enforcement doing? They’re increasing the cooperation. They’re doing this new approach on attribution. When I was there, we issued towards the end a new presidential policy directive that tried to clarify who’s in charge of threat, assets, and intel support to make it easier. That said, if any of you guys actually looked at the attachment on that, it had something like 15 different phone numbers that you’re supposed to call in the event of an incident. And so, right now, what you need to do is think ahead on your crisis and risk mitigation plan, and know by name and by face who you’d call in law enforcement, by having an incident response plan that you test before the worst happens.
And there’s reasons…I’m not saying in every case do it, but there are reasons to do it, and it can increase the intelligence you get back. It’s a hedge against risk: if what you thought was a low-level act, like a criminal act, the Ferizi example, turns out to be a terrorist, at least you notified somebody. You also want to pick a door, and this sometimes requires getting assistance; you want to pick the right door in government, one that ideally minimizes the regulatory risk to your company, depending on what space you’re in, so that the information that you provide them, as a victim, isn’t used against you to say that you didn’t meet some standard of care.
Even if…with the shift of administration, I know generally there’s talk about trying to decrease regulations under this administration, but when it comes to cyber, everyone’s so concerned about where the risk is that for a period of time I think we’re gonna continue to see a spike, which will hopefully level off at some point as each of the regulators tries to figure out a way they can move into this space. So, what can you do? One, most importantly, treat this as an inevitability. You know there’s no wall high enough, deep enough to keep the dedicated adversary out, and that means changing the mindset.
So, where…just like many other areas, this is a risk management, incident response area. Yes, you should focus front end on trying to minimize their ability to get in, but you also need to assume that they can, and then plan what’s gonna happen when they’re in my perimeter. That means knowing what you’ve got, knowing where it is, doing things like assuming they can get into my system. If I have crown jewels, I shouldn’t put them in a folder that’s called “Crown Jewels”; maybe put something else in there that will cause the bad guy to steal the wrong information. That has a loss of efficiency, which is why it’s a risk mitigation exercise. I mean, you need to bring the business side in to figure out, how can I, assuming they get in, make it hardest for them to damage what I need most to get back to business. Sony, despite all the public attention, their share price was up that spring, and that’s because they knew exactly who and how to call someone in the government. They actually had a good internal corporate process in place in terms of who was responsible for handling the crisis and crisis communication.
Second, assuming again that there are sophisticated adversaries that get more sophisticated, they can get in if they want to, you need to have a system that’s constantly monitoring internally what’s going on from a risk standpoint, because the faster you can catch what’s going on inside your system, the faster you can have a plan to either kick them out, remediate it, or if you know the data is already lost, start having a plan to figure out how you can respond to it, whether it’s anything from intellectual property to salacious emails inside your system. And that way, you quickly identify and correct anomalies and reduce the loss of information.
Implement access controls; can’t hit this hard enough. This is true in government as well, by the way, along with the private sector. The default was just, it’s just easier to give everybody access. And I think people, when it came to very highly regulated types of information, maybe literally, if, you know, you had source code, key intellectual property, people knew to try to limit that. But all that other type of sensitive peripheral information, pricing discussions, etc., in my experience, a majority of companies don’t implement internal controls as to who has access and who doesn’t, and part of the reason for that is because it’s too complicated for the business side, so they don’t pay attention to doing it, and you can limit access to sensitive information and other things.
Then you can focus your resources, for those who have access, on how they can use it, and really focus on training them and target your training efforts to those who have access to the highest-risk information. Multi-factor authentication, of course, is becoming standard. What else can you do? Segmenting your network. Many of the worst incidents we have are because the networks were essentially flat and we watch bad guys cruise around the network. Supply chain risk, a large majority, Target, Home Depot, etc., a different version of the supply chain but the same idea. Once you get your better practices in place, the risk can sometimes be down the supply chain or with a third-party vendor, but it’s your brand that suffers in the event of a breach.
Train employees. We talked about how access controls can help you target that training. And then have an incident response plan and exercise it. Some of them will be, you’ll go in and there will be an incident response plan, but it’s like hundreds of pages, and in an actual incident, nobody’s going to look at it. So it needs to be simple enough that people can use it, accessible both on the IT, technical side of the house and the business side of the house, and then exercise it, which is, you start spotting issues that really are more corporate governance issues inside the company as you try to do tabletop exercises. And we’ve talked a lot about building relationships with law enforcement, and the idea is to know by name and by face pre-crisis who it is that you trust in law enforcement, and have that conversation with them. This is easier to do if you’re a Fortune 500 company to get their attention. If you’re smaller, you may have to do it in groups or through an association, but have a sense of who it is that you’d call, and then you need to understand who in your organization will make that call.