Five Ways Attackers Leave Ransomware Vulnerable to Detection

Five Ways Attackers Leave Ransomware Vulnerable to Detection

Ransomware has evolved and time may not be on your side. Once inside, adversaries are acting faster, moving laterally to accumulate enough data to ensure that you will pay—but intruders following the ransomware playbook have needs that cause them to risk detection. Every time they take a step, you have an opportunity to regain the advantage—if you know what to look for.

Intrusions are a terrifying thing to consider, but they don’t spell doom: Visibility and response inside the perimeter are your best hope to prevent crippling damage from the ransomware menace. In this demo-filled session, we’ll show you how to spot indicators that leave modern ransomware exposed, giving you the opportunity to shut down the extortionists before they do real damage:

  • Enumerating targets in your environment
  • Moving laterally toward your valuables
  • Escalating domain privileges inside encrypted channels
  • Phoning home over noisy DNS
  • Staging data exfiltration for second-phase extortion

Highlight Clip Text

What’s interesting. And there’s not much as a defender you can do because everything has to be right . But once the intruder lands into the environment things start to change. Very little flexibility comes into play. And a poly-com speaker all of a sudden is doing FTP file transfers.

Huh? That’s weird. Or your desktop. Yeah. It may do things like UPNP kind of things of scanning the environment, trying to figure out what it does when you plug it in. But all of a sudden it’s got a PS exec to a domain controller. Huh? That’s weird. I didn’t predict it to do that.

Full Session Text

Don’t we all love to talk about ransomware and what’s the conversation we have as security people, if they would just stop clicking that bait, if we could just get them to stop clicking that bait. And then it’s if we would just stop outsourcing so much, we could get control of it. And we have all of these ideas of ransomware.

But a lot of it feels pretty helpless. It feels like there’s not a whole bunch that we could do about it is the problem. What I want to talk about is ransomware, and how do we get here. , not so much from the attack perspective is, but it’s been around for such a long time.

And yet we can’t seem to slow it down. We can’t seem to lower its impact in some way. Let’s go step back a little bit. Let’s go back in time to where it all started. And I put 2016 year because these are pivotal change periods that sort of happened inside a ransomware.

In previous to 2016, most of ransomware wasn’t even a nuisance yet. Because it was primarily a consumer problem. It was a very automated Internet spraying strategies. And, I love the story of that. Chicago, Russian grandma got her grandchildren’s pictures were encrypted on her computer and the Russian guys were over there telling her how to go get a bit coin.

To pay them about 500 bucks. And it’s interesting how the grandson is tracking Bitcoin value too. And the conventional wisdom at that time, that everything was, Hey, you got to have backup. You got to have backup and you should put some EDR, let’s go spend a little bit money past the antivirus, put EDR onto that end system.

That was the conventional wisdom. Then we moved to 2018 in ransomware pivoted again. It became a business problem. They wanted a bigger pay day? This 500 bucks stuff. And it’s such a pain in the butt to try to teach the consumers how to go get a Bitcoin that they decide I’m going to go after businesses.

Because I can get a better pay day. And we see that the average ransomware payments starts to increase the $6,700 at that particular time. And the attacks become spirit. Conventional wisdom? When I met you convention with the analyst, all of the media and all your buddies are S saying these kinds of things, and it was, Hey, we’ve got to get MFA in place.

Let’s get MFA in place. Let’s do a whole bunch of Phishing training, we’ve got to get these people to stop clicking this bait. We come back to 2021? It ransomware pivots again. The attack gets much bigger? The average ransomware payout. This isn’t the demand. This is the payout.

After it’s been negotiated by, would it feel go our our consultant from the accounting firm that will help you negotiate that thing down? Becomes $170,000. The thing that’s changed that you need to recognize is that what happened was when they want this kind of a payment, they’ve got to create a lot more damage.

The strategy change from an automated Internet attack into a land and pivot, it’s got to get into the infrastructure in order to be able to get you to pay enough, because it has to be a denial of service at that particular point. Al. What’s the conventional wisdom that you’re reading about zero trust.

Let’s go get zero trust. We’ve got to get that perimeter much, much more secure? Let’s more backups? Cyber insurance. This is the conventional wisdom. It’s wise things that we all have to do, but the point here is that it hasn’t slowed down. We’re, perhaps we’re looking, we’re focusing a little bit in the wrong places and you can see that this is true because.

I think about those conversations that we have, I guess over the virtual cooler, because we don’t actually go into the water cooler and have conversations anymore, but it’s what do people say? There’s this myth about ransomware is, as I said, if I could just get them to stop clicking that bait.

Myth number one is. You got to stop it before it starts. Let’s look at a couple of interesting statistics. There’s this company. No. Before that produces this annual report there, if they’re a Phishing training company really interesting report, I just loved their report.

6.6 million users, 23,000 companies, Phishing training for one solid year, 4.8% of the people still click. Go figure. But they talk about that as a success because it used to be 38% of people would click. But after a full year, they got it down to 4.8%. That’s an important number to consider.

. The other thing. All , . Phishing’s the problem. . But what about vulnerabilities? What about all those other attack strategies that are out there about how do I stop them from the beginning? Pen testing, we all, because if we’re, if we have compliance, we bring pen testers in once or twice a year.

This company positive technologies, who’s a well-kn pen testing company. 93% of every engagement ends in an interim. Everyone. Because if they can’t get in, you’re not going to hire them back anyway. And what’s interesting about that also is that no social engineering, and pentesters have to follow rules. They got a time constraint. Don’t touch this, don’t touch this. Cause I k you’ll break that. There’s all those. I think, what does that mean? What does that mean for us? Our over-focus on the one bookend, the ransomware, which is the initial access side of it is to a certain degree feudal.

Is it’s we all kinda k this. We have a language in our industry about perimeters walls. I think about the movie Planet Z years ago when that movie that came out and who knew that zombies could climb on top of each other and go over the the Israeli wall. But anyway but that’s one of the things , the.

Portion of it when we, when I have conversations with customers and what not. And you’re probably thinking this too as well. You k what? I got backups, and I got cyber insurance. I’m resilient because I have cyber insurance in place. But the thing that we need to think about is we talked about that the ransomware demand is 107 or the ransomware payment is 170,000.

But the damage is 1.8 million on average? It’s after the fact? Your mediation is temporary. The backup is critical. No question about the cyber insurance is critical from a risk calculation perspective was, but it’s a temporary or it’s a partial relief.

And that’s where a lot of the business people missed. Is we got backups that just gives you an opportunity to negotiate the ransom portion of it. But you’re just after the fact waiting for the ramifications of ransomware. The thing that I want you to think about it, This is what’s happened to ransomware.

Ransomware has evolved. It is a land and pivot movement today? The one that we care about as businesses, because we can, all of us can within one to five assets being compromised over the Internet. And we as ITP, we were good at shaking fingers at people. ? Shame on you. I told you don’t click on that.

Stop going to those websites. We love blaming everybody else. And but the thing that I want you to think about is there’s something different about ransomware. We have to think about what is the motivation and what is it that they’re trying to accomplish. . We start on the beginning of the initial.

. Many different tactics to be able to use inside Azure. And you have to be ready for these. However, the thing that I think from looking at those statistics that we looked at is that where your battle where’s that where you skirmish did you put all your money all your time into that portion of it that you are inevitably doomed to fail?

And I’m going to go a little bit more into this, and I’m going to show you some math. We’re going to do some math, and do some statistical analysis. And then we talked about on the side, the other bookend? Let me get the backups in place. Let me get the ransomware protection and all that.

But this is the thing is the middle is we’re missing it? This is where most of the, this is where the damage actually happened. This is the land and pivot. They’ve got to get to a critical, massive damage that is going to make you. It’s all game theory . The thing that’s interesting about ransomware is they don’t really care what it is, .

It’s the quality isn’t so important. Yeah. There’s the double ransom. They want to steal it. They want to sell it and all that stuff, but the primary is denial of service. It’s quantity versus quality is the motivation behind ransomware. And when you think about what that means, Also is that they have a time constraint?

Ransomware on average is less than well, it’s less than four days . Of a dwell time. And that means they are in a rush. Because they don’t want to get discovered and get, get stopped, but mostly they just want to get to the end game, which is pay me. We, what is that in ransomware, you can treat it as a three-part playbook. And we k this is true because we’ve seen the, like the Conti ransomware playbooks, we’ve seen all of these postmortems that we see the behavior inside of it. And you see a very repeated pattern associated with ransomware, which is pretty similar to most land and pivot attacks, except it does it much more noisy.

And it does it super fast. What’s happening in the middle that we call the mid game, the ransom we’re mid game, just to give it a sort of a label is there’s these five things that are happening inside there. And you just, you sorta k this because an intruder lands blind into the environment.

What they got to figure it, they got to do intruder stuff. I gotta do intruder stuff. I’ve got to figure out where the heck am I what’s around me. And I’m going to land on something easy. But I got to move towards something valuable, like we’re showing over on this side.

That’s what I’ve got to get to in order to make you pay. We think about these five kinds of things that are happening inside of this this type of a workload. . All . Let’s go take a look at a couple of case studies? That is a true is this thing true.

Let’s go first, take a look at. , content is good because we’ve read through their playbooks. And they’ve done so much destruction inside of the environments that we k these things, but this is a post-mortem from Diefer reports. This was an actual incident responders report of all the things that, the content that, this particular one on.

It was a phishing attack. G no surprise there. 4.8% people are going to click. They’re spraying phishing attacks against here. And then on day one, we see them pull out all these tools, because why they got to figure out what the heck is wrong. Th these are just natural things that they must do.

Here’s all these scanning discovery, enumeration tools, the things that are naturally built into windows and to, into all of the ecosystem. And the other thing you also see, that’s very common with ransomware because they’re in a wickedly fast environment. They go after active directory because active directory commonly used and all of our infrastructures and active directory ask you to question. Sure. I’ll tell you where the other domain controllers are. You betcha. And it just, they both, I don’t k. You ever run bloodhound non-SEC on your network or something like that. I just look at that.

God, that’s amazing. That’s amazing. This thing is going to tell me all this stuff? Here’s all these types of things that are running inside here. Then they too, we’ve seen that it’s starting to move laterally and it’s using RDP and it’s figured out what other things that it can use inside of .

Day three to me is the most fascinating. . No action. You k what the attackers, they take their kids to the playground. They got to go take them out to the park and run with the dogs and all that stuff. And maybe they have meetings meeting day or something like that. And then we see all these actions until we get today five we’re encryption, it started.

And then the delivery of the note starts. , the point is that these skill sets on the attacker side have specialists. You were not attacking one guy. There’s all these teams that are just great at phishing they’re they’re code writers looking for exploits, they k how to do brute force, then there’s. The specialists that k how to move laterally through environments, the whole tool chains there. When we think about hobo strike, they use the Coldwell strike. If things like that? I These powerful tools that are constantly being used.

And do we want, do you think that the, these guys are using the same people to do the extortion cycle? That’s a specialization, that’s game theory. They’re doing all this specialization, but on our side, we think. I’ve been an IT guy I’ll defend all of it. And of course, what really happens.

We get bumped out. As soon as the note gets delivered legal financial consultants start jumping in per incident responders, parachute into and figure out root cause things like that. . All . There’s one example. Just keep that in mind. Here’s another. , this is against Darktrace, I’m sorry, against a dark side.

And remember dark side was Conti was colonial and just a ton of other attacks that they’ve done inside of it. And this particular one was one of our customers. Here, this is a north American retail company. And what happens is that this, they get this initial access from exploiting some virtual desktop, and then , from inside the network, we’re able to start firing alerts? That’s a, Hey, there’s this unusual interaction happening, or these things had never done this before, and it’s starting to read data and transfer data and it just looks weird. I think, because this is one of the things that machine learning can tell you that your policies let me come back to that. But anyway, here’s some, we can see that some some SMB file reads are being done, but the point here is the prediction portion of it is that it didn’t do it before. Why is it doing it ? Why is it using these particular sets of tools? Here’s an example of where we’re able to see this action of the mid game coming into play, and we can stop that.

When we go back to that three part portion of it is the first part. Is mostly security. Hygiene is probably your best hope. And then at the end, did you just is the recovery portion of it, but the goal is stop it before the encryption starts. And what I’m trying to get at here is that we need to think about how do we do this.

I thought I’d try to visualize what does this look like from an attacker’s perspective? . The there’s a shin Kaizen in Japan. I don’t k if anybody’s ever written on these things there. They’re fantastic. They’re always on time. You just walk into it exactly one time and they take off. But this is what it looks like from an attacker’s perspective is as a defendant, I have to have everything ready before I let the train take off. But as an attacker, I can, I, I can find any opening inside of it to be able to penetrate the particular perimeter defenses, and then on the what’s.

What’s interesting. And there’s not much as a defender you can do because everything has to be right . But once the intruder lands into the environment things start to change. Very little flexibility comes into play. And a poly-com speaker. All of a sudden is doing FTP file transfers.

Huh? That’s weird. Or your desktop. Yeah. It may do things like UPNP kind of things of scanning the environment, trying to figure out what it does when you plug it in. But all of a sudden it’s got a PS exec to a domain controller. Huh? That’s weird. I didn’t predict it to do that.

There’s all these things that happen inside of here that makes. Different the game changes. What we call that in the industry is one, we call it the defender’s dilemma. Has anybody heard that term before? No, this is a, this is, it’s not urban legend. It’s true. Defender’s dilemma, Rand corporation wrote a book about it back in 2015, I think is when it sorta took on.

And what it says is that. Out on the perimeter, you are at a disadvantage. The attacker has the upper hand. They control the cadence. They control where they’re going to attack how they’re going to attack. How frequently all of those things they’re under control. You have to have everything ready before the attack?

You don’t get to adjust during your time? It all has to be ready, but the narrative that’s less understood in the industry is that there’s another. The other dilemma is the intruders dilemma. And if you think about yourself as an attacker, or if you’ve ever done any hacking or whatnot, I land it’s dark.

I got to start shining flashlights all over the place to try to figure out where the heck I am. And I’m always on the wrong place. Because hopefully you’re not putting your domain controller out on the Internet. And or whatever, that would be those valuable resource. Are not directly accessible.

There’s this whole dilemma that comes into play. And in reality, isn’t and Rob Joyce, who I don’t k what his job in the holidays, but I think he’s doing something he’s some consulting work, but Rob Joyce used to be in charge of the NSA and he talks about that. The worst nightmare for attackers is people that are watching the inside of it because these, all these trip points come into place.

I think of it visually like gauntlets. All . The question becomes, can I prove it . Let’s prove it. All . I built this little calculator. All . The first one, the top half of the calculator is about the defenders. . What is the probability? Because in the world of intrusions, it’s really about the number of opportunities that you have.

We remember, we talked about the phishing attack? We said 4.8%? 4.8% of the people will click. The question becomes how many phishing emails do I need to send you before I get one of your people to click? If I only send 100 emails, that’s it just 100. I have a 99 point 26% chance that you’re going to click.

, let’s go make this a thousand? Because surely your business is more than a thousand? It’s the 9, 9 9 9 9 9 9 9. It’s rounding up to a hundred thousand? The question becomes, is this what you’re going to battle? Or is this where you do security hygiene and skirmish? The next one is the intruders dilemma is what is the probability that you’re going to be able to spot the intruder, moving laterally through your entire. If you can’t see it, the probability is doughnuts zero, zero. You are not going to catch it. The question becomes how many?

In our example, with the content thing, this is, there was actually 23. Individual non-repeating things that were in that five day period. But the reality is they use those tools over and over. You don’t do 85 once you do 85 commands, tons and tons of times. But let’s again, use 23%.

The question becomes what is the probability that you can catch it? Let’s just put an arbitrary number and say that let’s say that you have tooling in place. This kind of behavior. All . Let’s put a, let’s put 20, 20% in here. Hi. Oops. Why is this not working?

What’s going on here? . . That’s too many. Yeah. 2%. If we just plug in a number like that, I think that I do some sort of a weighted analysis to figure out that, Hey, I actually have some good tooling in place and I can catch these kinds of things. I put a number into it. It says that, Hey, I’ve got a really high probability. I can do this.

Catch it. The point being is that let’s fight where we have a better chance. , however boy, you say Don, that’s a bunch of bull. You’re you want me to feel comfortable with intruders in the mist? Hey, you k what? They’re already there. Tough . If they’re already there.

What do we do about it? How do you do this? Gartner coined this term, that’s called a SOC visibility triad? This is detection and response. This is the core detection and response is, they talk about the need for. There’s three sources of data in order to be able to have an effective response system.

And that has to do with one that we all probably have in place, which is EDR or something like that, where we need end point data. We need end point data. And then we use that. The other one is SIM . We get logged data. That’s. The high-level telemetry information about sort of everything that’s happening inside the environment.

And then the third one, which is less used, which is the network. . You need the network data, there’s things inside of it. If you combine these, you end up with the sock visibility triad that gives you this opportunity. All . Here’s the bad news. . Let’s think about what is it intended for?

And what is the data it’s looking at? . EDR is, looks at host files? It’s looking at registry, it’s looking at processes. It’s goal is don’t let this particular. Get compromised. SIM logs. What is it really for how many you don’t sit is I don’t k. What’s the word? SIM is like SIM as like a crappy boss.

You feed them all the information. You, it takes all the credit. I found that. It was something else that did all the work, it collects, it’s the real thing about SIM is it’s just reporting. And it’s compliance, that’s really what it is, but it’s the aggregation of all the other tools that give it the intelligence or the action for it to be able to do it.

And then NDR is a network portion of it. What are the objectives here ? The, my proposition here is. And the mid game as we define those five particular things that happened inside the mid game of target enumeration, lateral movement, command and control, data staging I missed one domain, escalation.

The, that those are the things that are happening on the network? It’s that lateral stuff that’s happening on the network. And these things are traditional security controls. And sin just can’t catch it. . And this is the problem. This is why this is why we’re in the state that we’re in is we’re looking at it in the wrong way.

. Let me give you, try to visualize what I mean by this. .

All if I am in the detection and response, I need to see everything . We call visibility. I sort of hate that word visibility, cause it doesn’t mean anything to a certain degree, but whatever let’s use it because but it’s just visibility. What? I need to see everything on the inside, everything on the outside.

And if I can get all of it, if I can really get that. I’m in great shape. I should be able to see this little bitty attacker over here, over here. What happens with network data is you get to see everything on the outside, but you can’t see anything on the inside. We get that .

EDR. It’s flips it around the complete opposite direction. You can see everything on the inside, but you can’t see anything on the outside. Here’s the dirty little secret about EDR. . Is this what everybody thinks? It looks like, but it actually looks like this? Is there so many blind spots?

I ask people this, I throw this many CSOs and it later they look at me say, that’s wrong. You don’t, we have 90% coverage on our end points. And then I, and then we talk about it and I said, but what about your third party? What about all that IOT? What about the OT? What about the server?

What about the Linux machines? What about this one? Oh yeah, because I, for my particular responsibility of all of these endpoints, Yeah, but this is really what it looks like. And what we see from looking at real networks, it’s about 60% of the end points don’t have anything on them. .

And but that’s where the threat comes in. This is really what it actually does look like as far as from there’s too many blind spots associated with , the last one I want to show is SIM this is what SIM looks like. It’s hazy, it’s logs. And there’s this it’s only noisy.

There’s very little actionable stuff inside of it. I, anyway, I just, something for you to consider from this perspective wise is that this is what would it looks like? We go back down to the, we’ll go back down to the those five things we talked about. Attackers have to land, they got to start discovering, figure out what are they enumerating for?

What are they going to actually exploit? How are they going to get there? Bloodhound. I just, it just baffles me. And then they’ve got to start moving laterally. And what does that mean? Moving laterally? That’s using all of the live off the land kind of tooling that’s out there. And you’re you, can’t very well blacklist, any of the Microsoft protocols that are inside of your environment or anything like that.

You’ve gotta be able to figure out which is. Which is not real . Which means you have to start inspecting those kinds of things inside of there. Then, as I said, is domain escalation. I, And I specifically say domain escalation rather than saying privilege escalation is because we all have windows in our darn infrastructure.

And it just so easy or there’s so much tooling out there to be able to exploit. Domain controllers. That’s the other portion, but then of course, command and control because they got to pull down new tools, talk, get orders on what are they going to do before they move it?

And then the third port, the last one is data staging? Is it, you have to stage the data before you. And you’re always trying to pull it. They’re always trying to pull it out. There’s this, all of these landed areas, there’s all these clues. And I don’t k if it’s breadcrumbs, I would say they’re rocks.

It’s easy, giant Boulder sitting out there punching you in the face. This thing is really noisy. It’s running 80 fine. It’s like, why? Oh, I don’t k. Whatever. And then this is, these are the things that are happening on network. Things to consider that’s not to say that these are not the tools because they absolutely have a critical portion to play inside of your infrastructure.

But when you keep on over reliant, like we’ve talked about before, over-reliance on perimeter defenses, over-reliance on backups? Is here is your over-reliance on your traditional security controls, trying to solve a problem that hasn’t even slowed down a little bit. It’s only gotten worse. It hasn’t gotten it.

And people are saying I’ve got an EDR program. I’m good. Or the SIM. We’re looking at the wrong kinds of things that are what the attackers are doing during these particular cycles. Extra hop. We obviously do network. We’re a little biased from that perspective wise, but this is the truth?

This it’s complicated network is always been a difficult and complicated area for security controls. But what we see is because of machine learning, cloud scale computing and things like that. It makes it very possible? It’s you have a difficult time writing policies for things that you don’t own.

And the thing that machine learning gives you is this ability to. That’s weird. I didn’t expect it to do that. It never did that before. And those are those telltale signs that there is intruder and miss. And anyway, that’s that’s the material. We, there’s a online demo.

You can try it yourself, but these are things to consider as you as you think about what your next set of strategies going to be for being able to mitigate against. Ransomware. Thank you.

Thank you, Don. How many questions do we have here? Yes, sir.

In the yard. the, the thing with ransomware has gotten so sophisticated that it seeps in one of the first things it does is it goes, and it messes up your backups. You think you’re protected and you go and you try to use the backups and the backup. Worthless. They don’t really do anything for you.

I’ll repeat it real quick. NDR. How does it apply to the fact that ransomware gets in completely destroys and messes up your backups? When you think you’re going to go and be able to restore, you’re not able to do that. And I just wondered, how does you k, what you offer help with that particular problem or does it.

Yeah we, those backups become so critical, but as an attacker, trying to get to a backup, I hope your backups are not sitting on the Internet, is they’ve got across quite, some perimeter domains and whatnot. What we, the thing about. Then what I said about Rob Joyce and the network the portion of it that’s really fascinating about the network is especially for security people is you don’t have to own that database.

But if you’re, if your network monitoring system is to understand database also the language inside the database to see what the unusual behavior that’s happening. And why this particular thing had never made these kinds of queries. There wasn’t another dark side, one way. One of our one of our, one of our customers in line with what you’re saying was that they saw this end point, which was a laptop actually was pulling down.

And it wasn’t a lot that it was, I think it wasn’t IP phone, but it was some other IOT device. And, but that’s what you’re going to land on. Are you going to land on something easy ? You’ve got to move towards that database. That’s the opportunity for you to be able to catch it. .

Is because intruder things tend to do we kinda like to think that we’ll, it gets it’s inside. The noise is hard for me to distinguish the good from the bad actions, but you there’s actually. Intruders have to do intruder things because otherwise they wouldn’t be an intruder. When they’re moving, the opportunity is what I said was the data staging is, as you can see these things going after data, and you can see the entropy patterns associated with how things normally read and write to data versus how, when you’re encrypted.

The spot, the sporadicness of how that repetition happens inside of it. There’s all these telltale signs of it. . And that’s the thing that I want you to think about is. Intruders have to do intruder things and that’s your opportunity to be able to catch it. If you can spot it and then through what we have through automated responses, what we call break glass responses and things like that, where we’ll talk to knack or to an EDR endpoint and say, dear, there’s something weird going here, raise a flag.

Isolated? That’s the actions you have to take, but then there’s automated ways to be able to do that, which I would consider more like break class kind of strategies rather than thinking automated response, because nobody really does automated responses.

Then we have more questions who had a question here.

You did, you’re going to make a question up. We’ll work. We can’t wait to hear her.

I have noticed a technology and techniques race in the development of ransomware techniques from 2016 to the present. What in the world could be next? If they already have gained this sophistication of being able to get in.

Get people to click lateral movement and extortion. Where are the push points? Is it going to be in the getting in? Is it going to be in the lateral movement or is it going to be extortion or is there something that they, that nobody’s thought of that they’re going to pursue? I just wonder what’s next in this world.

There’s as, as far as sophistication, I would what’s interesting about this restaurant, where is such a big problem, it’s crippling for us as a business. It’s a, it’s an existential threat? That’s the real word that’s commonly used. It’s existential?

Because it puts you out of business. And it has put many, some businesses out of business and the thing is. W we consider ransomware and advanced threat today because of the fact that it’s moved into a land and pivot strategy, but it’s probably the least sophisticated of advanced threats?

The ones that are really killers are supplied. Because it breaks all your trust models. It’s zero is a zero days because I k what’s going to happen. And the third one is insiders? That’s those are the killer. When in reality, ransomware is actually one of the easier ones to catch and we see a lot of our customers catching them because the motivation.

Hammers, sledgehammer motivations. They’re moving so fast that it’s, they’re super noisy. And the problem is we as defenders, we’re not accepting that we are ignoring it and saying I got my perimeter. I got MFA in place, and we’re not filling. The holes that exist that are the opportunity for us to catch it .

It is. Are there some, we, these other things that we talked about at our more sophisticated advanced threats as they adopt these things? Start moving slower, start office gating, turning off EDR, which we see them doing things like this today. Th it, they become more and more difficult just as those three that I mentioned before.

Supply chain. Zero day insiders? That’s if you can stop one of those, you can stop ransomware. There’s no question about that.

Follow up questions, anyone? Yes. A up question.

I see then an opportunity. And see if you agree that in any new field you’re going to have criminals, so different types break into the field. And what we have is that we have a new field. Stealing liquor, drugs, robbing banks, and other things. They had to start with small safes that locks the vaults and then cards, the taction and the whole bit.

I see it moving forward. What that means is that the ransom or gangs youth are merging within the sophisticated, slower and filter. Activities. So would you see a consolidation of that and maybe moving the time horizon out? if we do succeed in keeping the sledge hammers out, do you see the time horizon increasing so that they will be harder to detect and they’ll be able to be more patient in in succeeding?

I think that’s a good, that’s a good assessment. And we have to keep on upping our game because it is five versus five continuously. We, when we think about the the SolarWinds breach how did we figure it out? We had to see that movement on the. There was no other way.

And to a certain degree on a supply chain, what other options do you have? Because they just broke your whole trust model. Is, I didn’t k. I had no idea. I’ve got a thing. Yeah, we need to be much more sophisticated about it. And this is, hopefully you’ll take away what I said about the dilemmas.

Take that, give that a little bit of thought? Is that, are you thinking about it? Why are you battling. Math is math? That’s all there is to it. Anyway, thank you very much.

Let’s hear it for Don shin from ExtraHop corporation. Thank you, Don. Excellent brilliant presentation.

Your insight from many years of watching all of this and then putting it into this type of presentation is excellent. Don’t you think? Yeah. Yeah. Thank you so much. Appreciate it. Don Shen from extra hop corporation.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top