Assume A Hostile Environment
Informal security chat with Beyond Identity's CTO Jasson Casey, Founding Engineer Nelson Melo, and VP of Global Sales Engineering Husnain Bajwa and our host Marketing Empress Reece Guida about how most MFA can be hacked.
Transcription
Reece
Hello, everyone, welcome to "Hot Takes." I'm Reece, your host, and today I'm joined by Jasson, our CTO, HB, our global sales engineering guru, and Nelson, our founding engineer. Today's hot take during this very interesting week with a lot of news headlines happening is that you need to always assume that you're operating in a hostile environment, especially if you're a trillion-dollar company named Microsoft. What do you guys think about that framework and approach?
HB
I think everyone is kind of on the same page these days that zero trust is the direction that we need to head in. I think this week just reinforces the importance of moving there as quickly as possible and having a responsible plan that takes into account the speed at which these threat actors are moving.
Jasson
Every company has third-party risk. Not every company understands their third-party risk. You can have third-party risk through operations partners, right, people that help offload technical support; you can have operational risk from finance partners, people that help with accounting; you can have operational risk from marketing and design consultants and partners. Every modern company has partnerships in some way, shape, form, or fashion, which basically means environments share data between companies, and when we say "between companies" that might create a false narrative of, like, two equally-sized organizations.
But we all know that's not the case, right? Companies can have little boutique consultancies of one or two people, they can work with really focused support shops that may just be 100 people, or it could be with a company that's focused on building and servicing certain types of MSSP products, where it's thousands of people, and maybe they're even more sophisticated than you are.
But the point is everybody has third-party risk. It comes in all shapes, forms, and sizes. And it comes from the fact that you share and interconnect data, you share and interconnect with services. So that fundamentally just kind of begs the question or at least puts the spotlight on the assumption that everyone kind of has to assume that there really aren't any perimeters and you are operating in a hostile environment. So what are you going to do about it? How are you going to protect your data? How are you going to protect your customers? And how are you going to maintain operations?
Nelson
Trust is shared too, because at the end of the day you're bringing in some of these resources and assigning them trust based on whatever role they have in the operations of your company.
Reece
And earlier, we were talking about how understanding the history of identity platform and operations comes into play here. So how can companies adopt and use that framework to help with third-party risk and the assumption that you're always operating in a hostile environment?
Jasson
Well, I think there's a couple of things there. Number one, I think it starts with just recognizing you have third parties and recognizing you have risk, and then recognizing that those two things kind of go hand in hand, right, when you run a security operation, whether it's designing the architecture or running the operational side of things. If it does not include and encompass third parties, you're not doing your job, period, right? So what does that mean? Well, number one, it means kind of an executive understanding that this is the larger picture, these are the assets, these are the processes and bits of data that you're going to protect across this boundary that you don't completely control. So how do you establish visibility and controls in that kind of hybrid environment?
If you do assume you're operating in a hostile environment, like how do you maybe focus not in this top-down, boundary establishment way of thinking, but is there a way to think more bottom-up in terms of like, what are the critical pieces of data? What are the critical processes and services and transactions I want to run? And at least for those can I always know who is the person? Where are they? What are they working from? And what's the criticality of what they're trying to do with fresh data in the moment of time and really kind of make that choice or that decision in the moment of time?
Reece
It just dawned on me that us talking about always assuming you're operating in a hostile environment, it kind of sounds a little bit like zero trust, but I think there's some nuance there. I don't know if you want to speak to that, HB, because it looks like you're about to talk but just had that epiphany.
HB
No, I think it's definitely about zero trust: building all of your production infrastructure and critical applications to require explicit trust is super important. And I think what we really see is that where we upgrade our corporate environments and the stuff that we feel we directly control via our IT organizations, the behavior and speed can be considerably different than what we do with these third parties. So I think when you look at the third-party risk and think about people's conventional approach that uses VPNs, like, you know, we see multiple VPN clients in the compromised screenshots from this past week. And the reality is that the VPN is a coarse network-based tool from an era when bits per second mattered and could be used to meaningfully assess inflows and outflows of data.
Today's exfil is 30 terabytes, 20 gigabytes, you know, it can be as little as 10 gigabytes and be hugely impactful. So you can't rely on these extremely coarse macro observation tools. And you have to encompass the entire chain, including the endpoint, in your consideration. So, you know, a person compromises the endpoint using RDP or some sort of remote access vulnerability in an endpoint. How do you protect against that? And how do you create sort of a strong identity binding with unclonable credentials and a principled focus on eliminating or limiting lateral movement? I think these are the pressing questions for organizations.
Reece
Why is it always the teenagers with stuff like this? I don't know.
Jasson
And just woofed in the background.
Reece
Standing up for the teenagers, I guess.
HB
I think it's the fact that we do truly have an environment where information is disseminated quickly. I think we've had a culture of wanting to be open about TTPs and vulnerabilities. And there's an enormous amount of information out there for a dedicated, interested, curious party to learn about vulnerabilities and exploit new techniques and compromise. But the other thing is that we sometimes have a poor attention span. You know, the types of TTPs that we're seeing are not something new. RDP vulnerability, I mean, if you go back and take a look at ransomware and RDP, you'll see people talking about the Conti group, you'll see every major threat actor of the last five years cataloged as using RDP.
Reece
And yet here we are.
HB
Yet in 2022 we're still looking at RDP and now like possibly kids out of Oxford, England.
Jasson
And passwords. Purchased passwords, purchased access tokens.
HB
Yeah, credential marketplaces are...
Jasson
People don't necessarily break in, right?
Reece
They log in.
HB
And sometimes using very weak protocols.
Reece
Nelson, as an engineer, does this kind of stuff just frustrate you, does it surprise you, or not at all, you're just like this is par for the course?
Nelson
As a former teenager who was very bored so many times...
Reece
As a recovering teenager.
Nelson
I totally get it. What's cooler than breaking into some big company's data center or operations or whatever and making your mark?
Jasson
I mean, he also made a fair amount of coin too.
HB
Yeah, being able to buy a major doxxing website and being able to accrue 14 million in Bitcoin, and prior to the most recent activities with...
Reece
I think my favorite detail was when the police came to his home. His mom would not let them in and she talked to them through the door. I can only hope we all have moms like that.
Nelson
Didn't his dad promise that he was going to try to make sure that he stayed away from the computer?
Jasson
It was something like that. They just thought he was playing video games. Well, also, we don't really know all the details yet. At some point we'll get both the technical report and some sort of investigative journalist write-up on what actually went down.
Reece
Okay. So let's say we get that next week, right, let's say all the information comes in and we're able to synthesize it quickly, hypothetically. Yeah, back to HB's point about us not learning from years and years of RDP as an attack vector: even if we had the luxury of all the information, do you think there would be a big catalyst for change to come out of that?
Jasson
So a couple of things, right, the catalyst for change is usually a perceived threat of loss, right? If you don't actually believe you're going to lose something, if you're not going to impact your business, you're not necessarily going to make something a priority. And that's where security products and security leaders honestly have kind of fallen down a bit because we all know that some things we have to pay for just because we have to pay for, but we try and minimize those spends as much as we can.
Because from a business perspective, the goal is to grow revenue, right? The goal isn't to have the best financial accounting system back office ever, it's to grow revenue. And I do think a place where people can help themselves, both product companies as well as security leaders, is figuring out how to actually empower the business, how to help the business, at best, grow top line revenue, and at worst, like avoid or transfer categorical risk that actually is a threat to a business.
And more practically speaking, I think we're gonna see more and more legislation around disclosure specifically, like time limits for that. Like, it's already the case if you work in healthcare. Depending on the number of records that get breached, you have to either release a summary report within a certain period of time or a detailed report within a longer period of time. I think that's only in healthcare. It doesn't necessarily...or I think that came out of HIPAA. I wouldn't be surprised if we just see more and more data legislation and breach notification in general. This past week was nothing new in that regard. So compulsion or compliance is certainly going to be a driver, I think.
The other thing that's kind of interesting or maybe it was the unsaid question is like why are we still having these things that have been ever present for years and years if not decades and decades? And the reality is security is hard. And I think one of the things that makes it hard is this very much kind of top-down model where I have to try and hold all the variables in my head simultaneously to ever really kind of make any sort of progress.
Which is why I do think, you know, a more principled approach, a more bottom-up approach, if you assume the environment is hostile and you really just kind of focus on building up around the things that you know to be true and how to kind of branch out from there, you're not going to solve all of your problems, but perhaps you could buy down some of your biggest risk in a relatively quick fashion.
HB
Totally agree. I think the other interesting part of this is that investment in risk usually is associated with a threshold of threat, plus adequate amounts of outrage. And if nothing else, this week's activities have kind of a bingo-card level of embarrassing, outrage-inducing sort of components. You know, a kid or a set of kids were able to remotely infiltrate and confuse organizations for six-plus months, culminating in compromises of giants like Microsoft and Nvidia, and were able to demonstrably clear potentially hundreds of millions in Bitcoin ransom payments while evading detection from all but their own sort of doxxing community. And at the end of the day, the initial access vector that they used was RDP.
Reece
Bingo.
HB
I'm buying these things in, and it was a third party providing tech support, outsourced tech support services. And there were components of social engineering that may have been involved. All of these things combined, I think, are the kinds of things that fuel that outrage that drives people to really be committed to not being embarrassed again.
Reece
Yeah. Outrage is another good catalyst for change. Well, hopefully the next few weeks ahead have a lighter news cycle, but I always think that these moments are a good time for everyone to reflect. And I do feel that the assumption that you're always operating in a hostile environment is very helpful. So we'll see what there is to talk about next week, guys. Thank you.