When most people think about West Virginia, the John Denver song likely springs to mind, with the timeless words "Take me home, country roads." Cybersecurity was certainly not at the top of the list of topics I associated with the "Mountain State," but that has changed now that I have met the local security community at SecureWV 2022.
A Lucky Th1rt3en Years
This year's theme was Lucky Th1rt3en, as this was the thirteenth get-together of the region's top security experts, who work diligently to keep us all safe on the internet. Anyone lucky enough to attend in person saw two full days of sessions covering many aspects of cybersecurity, from deep dives into ransomware, to very technical talks on how malware is built, to becoming an incident responder superstar. If you didn't get the chance to attend in person, you are still in luck: all the sessions were recorded and will be added to the SecureWV YouTube channel.
Aside from the sessions, there was a lively capture the flag event, a physical security lab, an IT/tech book swap, roundtable discussions, and an awesome community networking event after the first day. There was also a resume workshop where students and professionals alike could get advice on getting hired in this rapidly evolving field.
Ransomware, Malware, and Threat Detection
While the talks covered a variety of subjects, there were a couple of major themes that stood out and overlapped a number of talks. While every talk is worth checking out, including the premiere of my newest talk, "App Security Does Not Need To Be Fun: Ignoring OWASP To Have A Terrible Time," for this article I am going to summarize just a few of the talks that featured the three most common themes.
Ransomware, More Organized Than You Might Think
The opening keynote from James McQuiggan, "Ransomware, Ransom-war & Ran-some-where," gave a quick history of ransomware attacks and how they shifted from targeting single users and demanding physical currency to very sophisticated attacks that target the data of very large organizations and ask for Bitcoin or other cryptocurrencies as payment. From his research he demonstrated how a single machine can become infected, locking out the user, in around 10 seconds. The most startling part of his presentation came from the deep dive into one extremely well-organized ransomware gang, Conti.
Conti was a malicious hacking organization that stole $2.7 billion in ransom from 2017 until, fortunately for the world, they disbanded in 2022. As they broke up, one member released a copy of all internal communications, which is rather illuminating on how these groups operate.
Rather than a loose collaboration, their exposed chat and email logs revealed a highly structured organization complete with R&D, HR, training and onboarding, and, most surprising to me, customer service departments. The customer service team would in some circumstances actually inform victims who paid the ransom how the attack happened and what steps they could take to prevent another incident. While some of that advice was bad and would have left the victims vulnerable, some of it included real security best practices, such as:
- Restrict access to servers for regular users
- Use different passwords for every service and machine
- Check admins' activity on servers weekly
- Install XDR
- Set up more complex storage with better encryption
- Protect against Windows LSASS data dumping
The sophistication of malware gangs was reinforced by Daniel Faltisco in his talk "From Black Cat to Blue Hat," where he walked through an anonymized case study of an attack by Alphv, also known as Black Cat.
He read a real email sent after a ransom was paid by a large university. In it, Black Cat actually praised several security decisions and cited where and how tools could be used to prevent a similar attack in the future. Daniel made the point that however friendly they seem, these gangs are not on your side, and he provided data to back that up.
According to Daniel's research:
In 2022, only 4% of ransomware victims got all their data back and only 62% got any data back after paying the ransom. Compare this to the 2021 data, when 8% got all their data back and 65% got some back. This is a troubling trend, and it is magnified by the number of attacks growing year over year.
A direct result of these trends is that cybersecurity insurance rates are rising and the technical prerequisites required to obtain coverage are becoming quite stringent. If there is a silver lining to this, Daniel says that the rising standards to qualify for insurance are driving tool evolution and stronger security policies at many organizations, including the use of MFA and better password management.
Malware And Straightforward Security Processes
While ransomware was a major topic of discussion at SecureWV, it was just one of the types of threats that Mick Douglas covered during his keynote on day two, "Defending Against Advanced Adversaries." He started with an assessment of how inexpensive and how easily accessible malicious attack tools have become. For example, his research uncovered a dark web service that offered an hour-long distributed denial of service (DDoS) attack, at rates of up to 1GB per second, for as little as 20 USD.
By the end of his talk though, Mick had laid out a simple framework for monitoring and preventing malware, IMMA:
- Isolate: You can't attack what you can't reach. Enable firewalls.
- Minimize: They can't attack what is not there. Harden scripts.
- Monitor: Bypassed security usually looks strange. Look for enumeration and evasion.
- Active Defense: Use canaries and many false certificates. Honeypot all the things.
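To make the Monitor and Active Defense steps concrete, here is an added example (my own illustration, not code from Mick's talk or any SecureWV speaker). It runs a small detector over a handful of constructed web-access log lines: a source that touches many distinct paths in a short window is flagged as enumeration, and any request for a canary resource that no legitimate user should ever read is flagged immediately. The log format, the thresholds, and the canary path are all assumptions made for the demo.

```python
"""Added example, not from the SecureWV talks: a minimal detector for the
Monitor (enumeration looks strange) and Active Defense (canaries) steps of IMMA.
The log format, thresholds and canary paths below are assumed for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in an assumed 'key=value' format.
SAMPLE_LOG = """\
2022-11-05T10:00:01 src=10.0.0.5 user=alice path=/home status=200
2022-11-05T10:00:03 src=10.0.0.5 user=alice path=/reports status=200
2022-11-05T10:01:00 src=10.0.0.9 user=- path=/admin status=404
2022-11-05T10:01:01 src=10.0.0.9 user=- path=/backup status=404
2022-11-05T10:01:02 src=10.0.0.9 user=- path=/.git/config status=404
2022-11-05T10:01:03 src=10.0.0.9 user=- path=/wp-login.php status=404
2022-11-05T10:01:04 src=10.0.0.9 user=- path=/phpmyadmin status=404
2022-11-05T10:01:05 src=10.0.0.9 user=- path=/api/v1/users status=403
2022-11-05T10:05:00 src=10.0.0.7 user=bob path=/internal/finance-passwords.txt status=200
"""

# Canary (decoy) resources: nothing legitimate reads these, so any hit is a signal.
CANARY_PATHS = {"/internal/finance-passwords.txt"}

ENUM_WINDOW = timedelta(seconds=30)  # window in which we count distinct paths per source
ENUM_THRESHOLD = 5                   # distinct paths within the window that count as enumeration


def parse_line(line):
    """Parse one log line into a dict; the timestamp is converted to a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect(log_text):
    """Return a list of (alert_type, src, detail) tuples found in the log text."""
    alerts = []
    by_src = defaultdict(list)  # src -> list of (timestamp, path)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Active Defense: a canary access is reported the moment it is seen.
        if rec["path"] in CANARY_PATHS:
            alerts.append(("canary_access", rec["src"], rec["path"]))
        by_src[rec["src"]].append((rec["ts"], rec["path"]))

    # Monitor: many distinct paths from one source in a short window looks like enumeration.
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            distinct = {p for t, p in events[i:] if t - start <= ENUM_WINDOW}
            if len(distinct) >= ENUM_THRESHOLD:
                detail = f"{len(distinct)} distinct paths in {ENUM_WINDOW.seconds}s"
                alerts.append(("enumeration", src, detail))
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The point of the canary check is that it needs no threshold at all: a decoy that has no legitimate readers turns a single request into a high-confidence alert, which is exactly why "honeypot all the things" is cheap to run alongside noisier behavioural rules like the enumeration count.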
He also discussed one of the best, and most surprising, tools for any security review: spreadsheets! He walked through an exercise of listing components in rows and adding columns for potential security vulnerabilities. If he could not confidently check a box as covered, then that was an item that needed attention. While simple, this is an excellent way to ensure security is being implemented at every step of the software development lifecycle.
The checklist approach was echoed later in the day by full-time threat hunter Nate Hicks in his talk "Threat Hunting For Dummies." He described threat hunting as "filling security control gaps, reducing dwell time, and keeping up to date on how your unique network setups are changing over time." The basic flow is not complex: for each identified potential vulnerability, you create hypotheses, collect data, investigate, and record the output. Then you repeat the process with the next vulnerability the data points to. It is a simple, repeatable process, but just like using a spreadsheet, the data the process produces will show the maturity of your security posture.
Knowing Your Maturity Level
Maturity is not an indicator of the age of an organization. Instead, maturity is a measure of how advanced you are in protecting your assets. Maturity is more than just a gut feeling about how well you are doing; it is a standardized model, according to CISA Cybersecurity Advisor Jody W. Ogle. In his session "Cybersecurity and Privacy: How Mature Are You?" he laid out six Maturity Indicator Levels:
0 - Incomplete - Nothing has been done
1 - Performed - A tool was purchased and a general plan is made
2 - Planned - All planned activities are carried out by stakeholders
3 - Managed - There is someone in charge of any plans, tools, and reporting
4 - Measured - The plans and tools are re-evaluated on a regular basis
5 - Defined - There is a process for continual improvement and knowledge sharing
The full explanation of the CISA MIL model can be found in "CRR: Method Description and Self-Assessment User Guide." CISA provides more than just guides and definitions; they can also provide assessments, various tools, and all sorts of preparedness services at no charge. You can read more about their offerings at https://www.cisa.gov/.
A More Secure Future Together
SecureWV covered a lot of topics in two days: from how ransomware spreads malware to AI assurance, from how malware is built to defeat antivirus software to how to use Bash more efficiently for forensics. This event had something for everyone, no matter what team they sit on day to day.
But beyond the sessions, a lot of the real learning from the event came from the chance to talk to security professionals from all sorts of backgrounds and with different areas of focus. In fact, my favorite takeaway was from a conversation at the evening networking event, where I heard "Security is too big to know everything. Keep focused on one thing at a time." I think that is some of the best advice for anyone feeling overwhelmed. It is dangerous to go it alone out there; fortunately, thanks to event organizers like the awesome SecureWV team, we don't need to be isolated in our fight for better security.
A Joke For The Road
During a rather serious session, James McQuiggan kept the energy positive by inserting a few dad jokes. Here is my favorite one:
How did the hackers get away from the FBI?
They ran somewhere