What We Can Learn from Cybersecurity Trashfires

May I have your attention, please. Welcome back TechCrunch editor-at-large Mike Butcher.

Hi everybody. How are we going? Are we okay? Are you still going to the last day? Did you have lots of coffee? I've had lots of coffee, and as you can tell, I have. Um, it's been fantastic today on the security stage, and I'm going to do the shortest of intros because the next session is going to be a real must-watch. It's all about cybersecurity trash fires: the nightmare things that happen, what you can do about them. And to introduce this panel is our fabulous Zack Whittaker. Round of applause, everybody.

Hello, good afternoon, good to see you all here. It's not every day that you're on stage with three of the sharpest security experts in their fields to talk about when things go wrong in cybersecurity, and so I thought we'd start this panel with a bit of fun. I asked each of our panelists to discuss an item related to cybersecurity that represents a situation where something went wrong, or a near miss, and what we can learn from it. After all, what we learned from yesteryear can help us understand and be more secure in the future. Lesley, I'd like to start with you. Could you introduce yourself and the item that you've brought?

Hi everyone, my name is Lesley Carhart. I'm a director of incident response at an industrial cybersecurity company called Dragos. I've been doing industrial cybersecurity for about 15 years professionally, full-time, and prior to that I was in the United States Air Force. I am an incident responder by trade: I walk into trash fires and I figure out ways to deal with them and help organizations recover. So what I had brought today is a first aid kit, and the reason why I brought that is because the most sad thing that I see in my work is companies and organizations that have not prepared to have a cybersecurity incident because they thought they couldn't be victims. They were too big, too small, too uninteresting, and they never made any preparation for something going catastrophically wrong. And that's why I have a first aid kit, because you don't want to go out and buy one of these when you've cut your hand cooking. That would be a very unfortunate day. We buy these in advance and we put them in our closet and hopefully make sure they're maintained, so that if we, goodness forbid, cut our hand cooking, we can just go grab this and put things back together. So we don't think the same way, though, unfortunately, in cybersecurity, and I see that perpetually, and it costs people a lot of time and grief and money.

Thank you. Sherrod, what have you brought?

I have brought gift cards, because the gift card economy is fascinating. And if you've ever gotten a text message that says it's from your CEO and they need you to go buy gift cards, or "are you still interested in selling that property?", this is where it all leads. And the gift card economy is incredible. Uh, and I've seen some really wild things happen, um, including victims being socially engineered by gift card fraud, and employees at retail establishments begging them not to spend a thousand dollars or three thousand dollars on buying gift card after gift card, and watching as these victims go from retailer to retailer to retailer buying the maximum amount of gift cards they can get because they think that their employer has told them to do that. So my name is Sherrod DeGrippo, I'm director of threat intelligence strategy at a software company called Microsoft, and this is one of the worst trash fires I've seen.

Thank you. Rachel. Those are live gift cards, right?

Those are live gift cards. They will be available after the panel and you can see how much might be on them.

All you have to do is give us your password.

Hi, my name is Rachel Tobac. I am the CEO of SocialProof Security. We are a social engineering prevention company, and I'm an ethical hacker. This is my item: it's a security key. It's pretty small, so probably look up on the screen. Specifically, it's Zack's security key. He gave it to me so I could use it for the show and tell here. And the reason why I selected this is because this little item is the one thing that I would recommend to make it much harder for me to hack into your company. In fact, the stories that we've seen in the news recently from companies getting breached because their multi-factor authentication token was stolen, social engineered oftentimes out of them by somebody over the phone or text message: this would have protected them right there. It cannot be phished out of you. So this, leveling up your multi-factor authentication, I'm sure we're going to be talking about this today, is my item.

Thank you. So Lesley, incident response, and when you have a plan: how important is it to have a plan ahead of an incident, and to plan and to ensure that you have an idea of what to do when you respond to an incident?

So I tell my salespeople at my organization I am the worst person to go out and sell things for a company, because I'm trying to save people money. When I come in to see people doing incident response, I'm seeing them on their worst day ever. It's really, really sad. They are in a crisis. People are screaming, they're stressed out, they're yelling at each other, people are swearing about stuff because they're losing a bunch of money, and they didn't think that this was ever going to happen to them, and in most cases they didn't adequately prepare for it. And if I could tell organizations, small or large, something in advance, it's: you do not want to pay me at my hourly rate, my organization's hourly rate, to do things like build a basic plan for who to call and what regulatory compliance you need to have planned for if you have a cybersecurity incident or a data breach. You don't want to have me build your network map or your asset inventory. And I exclusively do incident response in industrial environments like power plants, manufacturing facilities, water treatment plants, trains, like, really critical stuff, and I'm coming in there and having to do those fundamentals because nobody's ever planned for those problems. Nobody's ever done that, and now it's not the intern doing that, it's me at my hourly incident response rate, because it has to be done before I can start doing the detective work and figure out what happened and figure out how the intruders got in and how to clean it up. I need to know, like, what computers you have and what laws you need to comply with. I need answers to those questions, and if you haven't written them down somewhere, if you haven't spent the time and the resources and built a project around that, somebody has to do it. It's going to be me, and you don't want to pay for that, I promise. You want to pay me to do the stuff that I need to do, which is the forensics and the nifty CSI stuff.

So with gift cards, how does that work? I recall some years ago getting a phishing email from someone who looked like my CEO at the time. But can you tell us a little bit more about how this kind of scam works and how it affects people?

Sure. Gift card fraud is really fascinating to me because it goes after both consumers, but it also hits enterprise users. If your CEO is in the news, you're highly likely to have your employees be under one of these gift card fraud attacks very quickly, because they can go see who that CEO is, what their name is, and start sending text messages to your employees saying: I need you to go buy gift cards, you can expense them later, it's really important. So they instill that sense of urgency, which, that's the basis of social engineering, is instilling an emotional state where you start doing things you wouldn't normally do. And I've seen instances where we're watching as someone's going from retailer to retailer trying to buy more and more gift cards because they think their CEO is asking them to and pushing them to get it done. We've even seen employees at the retailers send emails to their boss saying: I know this person's being scammed, but they're demanding I buy them the gift cards. And props to the large retailers, because many of them have said: don't sell them, tell them to go somewhere else, we don't want to be involved in this person being defrauded. Something that's always interesting to me as well is why, why do these threat actors want gift cards at all? Do they want to use them to buy things? No. Gift cards are a currency store. You can go on the gift card trading sites and see who gets the closest to one-to-one dollars. So if I buy a hundred dollars in certain gift cards, I can resell those for 90 or 95 percent of their value, and different kinds of gift cards have different value. Apple iTunes is usually number one.

All right, and so security keys. Now I, I obviously have one, that is my security key. Um, tell me and the folks in the audience why they're so important, and especially as they pertain to phishing as well.

Absolutely. Oftentimes folks are tricked into giving up their password, and then right after, on the next screen, they get tricked into giving up their multi-factor authentication code, that second step you use when you log in. A lot of times people think: we have single sign-on, we have multi-factor authentication, isn't that enough to protect us? And in some cases, for some attacks, maybe. But for many attackers, and they're getting really good at this, they're able to siphon out that multi-factor authentication code from you. And so the security key, and now we have passkeys, which I'm sure we'll get into as well, which is essentially a biometric that you use to unlock your device can now also get you access to the websites and services that you use. These passkeys and these FIDO security keys make it so that this second step can't be stolen from you. It's essential.

Well, thank you. That's, uh, thanks, thank you so much for bringing these in. Um, it's a great selection, and, uh, each one of these items has real security value. There seems to be this never-ending list of cyber threats, and the information deluge can be really quite a lot. Um, what recent trends should the security community and the startup community really be focusing on? Uh, could we start with you?

Well, I think, um, part about that question is, when we talk about trends, I think most of us generally go back to security basics. We're typically still singing the praises of, you know, some of the original foundational things. I think that's really important. But I think from the attacker's perspective, what we're seeing, especially in crime right now, is this use of all kinds of different tactics and combining them. I think that social engineering combined with technology allows threat actors to social engineer at scale. So what might have been a one-to-one conversation they were having, they can leverage great technology to make that a one to hundreds, tens of thousands, millions of victims at once. And I think that that's what we're going to see, especially with things like with AI. It's not necessarily about fully generative, it's about the scalability that threat actors have available to them now.

Rachel, when it comes to, you know, social engineering, as the expert in this area, um, can you speak a little bit, um, in terms of the tactics that are being kind of used these days against organizations and companies?

Yeah, absolutely. So as an ethical hacker, I have to have my tactics match what we're actually seeing the criminals do, and the big thing that we're seeing a huge increase in, in 2022 and 2023, is text message and phone calls being the very start of the attack. And this is something that I'm sure we're going to get into in detail today. For instance, what we're seeing in Vegas right now. We're not going to name names of companies, but I'm sure we're all aware of what's going on in Vegas right now, has been brought to its knees from a ransomware attack. We know from the SEC filing that it started with a social engineering call. Now, oftentimes we're seeing these start with phone calls to a service desk, a help desk, or just, you know, a client-facing employee who gets this call from IT support. Of course it's the bad actor, and they're attempting to gain access to their password and MFA, or they're attempting to reset access to an admin account. That's what happened in Vegas. And so this type of issue, these attacks coming in through phone calls and text messages, have always been around, but we've seen a massive increase recently because the technical tools that we use for spam and phishing filtering, you know, through email, have gotten so strong that the attackers are now going back to basics, saying, hey, I guess we'll just do this over the phone or text message now, try and circumvent some of those technical tools.

Lesley, in your world, you know, you work a lot with, um, really critical infrastructure, organizations that supply electricity, water and so on, and other public services. Are you seeing an increase or decrease or change in how threat actors are targeting these systems, especially as it pertains to, um, phishing and so on as well? There are, as you know, there are IT networks and OT networks. I'm sure we'll get into this more. Um, can you tell us about how these are affecting those critical infrastructures?

Certainly. And my colleagues have really nailed it. I mean, we mostly agree on a lot of these things. They're very smart people. So I'll reiterate some of these facts because they apply to the industrial, the OT space as well. Hackers have been taking the path of least resistance. It's not all whiz-bang malware, exploits, things like that. They are still exploiting exposed systems, they're still taking advantage of stolen accounts where there's no multi-factor, they're still doing social engineering. All of those things are still effective because people miss the basics when they're drawn into the allure of whiz-bang sales pitches about next-generation AI/ML products, which they don't have the humans to implement, and they're not doing those foundational things. And the attackers are still, hackers are lazy. They are efficient. They are part of organizations that exist most of the time to either do a geopolitical thing or make money in a very, very efficient way. They have small margins too, and those have gotten worse for them as the economy has had trouble over the last year. So we see less haphazard attacks and much more targeted attacks. We're seeing more attacks against critical infrastructure because it's generally less mature in a cybersecurity stance, and also those are organizations that have to function for society, so they are more likely to pay up if they're ransomed or extorted. So we're seeing potentially less overall attacks, but much more efficient use of tools, as you mentioned, and much more effective mass attacks and sale of credentials on the black market, because, again, path of least resistance, most efficient attacks possible. We're seeing it too.

I want to bring up a tweet by Heather Adkins, one of Google's top security engineers, who was responding to a question about unpopular cybersecurity opinions not so long ago. Adkins said, and I have to quote this verbatim, it's too good: frankly, the cybersecurity industry shouldn't exist. We built the internet wrong, and we can solve most of our cybersecurity problems at their roots by re-architecting technology platforms to be safe by default instead of buying security problems with the products. That was an unfortunate internal phrase. Do you agree? Lesley, do you agree with that?

I mean, I think all of us wish we could put ourselves out of a job. It's never going to happen, because in OT and IT the internet has to exist for society to exist as we've grown to expect. These tools need to be connected to networks to function at the efficient way our society, our just-in-time economy, and our society with our modern conveniences and efficiencies demands that we are interconnected. So we can't just take it all away and rebuild it. We can't do that. But where we can build in security into the new things we are developing, that's critical going forward, to not have that tech debt that we're dealing with now. We will be dealing with that tech debt forever in terms of the broader internet and technologies that we've built upon and built upon over the last several decades. But yeah, we can't go back and tear it all down. I understand. Heather is wonderful, and I concur. I mean, we all would like to work ourselves out of a job.

What do you think, Sherrod?

Oh, I strongly disagree. Um, I think that's just not operating within reality that also includes humans. I think that when there's human fallibility in the world, in a system, that those humans will always be targets for things. And, um, you know, I do strongly believe that we have a really big responsibility in enterprise to take care of things before they get to the level where we need to call government. I think that if we're really, really doing our job, that a lot of that actually won't be as necessary, because in enterprise and in product we should make secure products that can stop these things. But I just don't think that any system that involves humans is ever going to be fully secure. It's just not a real way of seeing the way that people operate. They're human. That's why I like them.

To your point, Rachel, earlier, you know, there are so many companies doing all the right things. They're using single sign-on, they're using multi-factor authentication, and yet we have seen, as you mentioned, some really big companies get hacked in recent weeks: hotel giants, casinos. What can we learn from those particular incidents?

Sure. I think the thing is that people get into this mindset, and I think we've talked about this here: they have the products and tools in place, and so they believe we're good, we should be good to go, right? We've invested the money, we've invested the time. But unfortunately, just because you have single sign-on, it doesn't mean that every service, every tool is using single sign-on to help log your users in. Think of all the websites that they go to in a workday that don't work with single sign-on. And then think about the multi-factor authentication tool that they have: does it match their threat model? If they have admin access, I recommend that we move away from SMS two-factor, away from even app-based, and towards something like a small group of folks who have security keys or passkeys if you have admin access. Now, that's not a match for everybody's digital literacy or everybody's budget, and so we can only do so much sometimes with the budget that we have available. And the thing that's really missing, the crux, is the human-based protocols. Ask yourself internally, think about your company: when somebody calls you and says they're IT support, how are you supposed to verify that person is who they say they are? What if they say they're someone from finance and they're supposed to wire something and they need some details about a bank? What if they say that they're an internal employee and they need to reset their account because their phone fell in the toilet and now they don't have their multi-factor authentication? We have to really penetration test and think through what are the questions that our team is going to be asked from a human perspective, and what protocols can we bake in to their experience, because humans are allergic to feeling awkward. We will do everything we can to just do our job nicely and well without making it frustrating for the person we're talking to. So we have to give people the protocols to actually use at work, and that's missing from almost every organization. And groups like Lapsus$ and ALPHV, sometimes called Scattered Spiders, I guess, they know that. They know that that's a soft spot for many organizations.

Can I mention something about that too?

Please do.

Yeah, I think that that's important, and I also think that we have to understand who's actually being attacked within our organizations. I've seen a lot of organizations simply VIP their execs and they're done, and that is the worst way to go about that. Just because someone has a high-up title in the company doesn't mean that they're your biggest risk individual. And so I think the reality is: how often are those people being attacked? And that's where you have to prioritize your additional training, extra security measures, buying the full packages for those employees. And it's not necessarily CEO, CFO. It's an admin of finance that's been with the company for nine months, or a very senior executive assistant who has access to all the calendars.

Exactly. Customer support tier one.

Yes. So we have to think about who's being attacked in the organization, the threat actor groups that are attacking them, and how often they're getting those attacks, in addition to understanding that they need further protections.

I think there is something to be said about how much technology that we rely on. I think that's a given in this day and age. But we also rely so much on other people's technology, open source code, even hardware. How can companies trust the technologies that they buy and use? Sherrod?

I think a big part of it is having the relationships. Um, I am in a technical career, but I think that people are ultimately the thing that are most important there. You have to be able to look someone in the eye who's responsible for it, and you have to say you have a relationship with the engineering teams or the management teams or an account team that you really trust, that will be there for you when there is an issue. I think that the way that you trust your technology is you vet it with other technology. You understand the supply chain of the software that you've got in your environment. That's something that a few years ago I wouldn't have worried so much about, but I think software supply chain is one of the biggest issues we face now: understanding, is this software being tampered with outside of the vendor, even? So thinking about the personal relationship and then the technology relationship, that's what's going to help give you some confidence.

Yeah, there's a point in there of trust but verify as well: trust the code to some extent, but verify that it does do the things that it's meant to do. Um, Lesley, I mean, you've obviously worked with, you know, so you've seen so many incidents over the years. Um, you know, is there something that you can say to the technology that you've seen over the years? Is there a way that you can vet that technology better to make sure that it's not going to collapse, break up or be hacked?

So two points on that. The first one is, if you're not familiar with SBOM yet, software bill of materials, you should be if you're developing a software product. The concept there being you understand the components that go into your code, because you borrow code and repositories from other places, and then you understand what goes into those and into those. We are all now dependent on code bases that came from other people all over the place, and if one of those is tampered with, it can have huge implications for our own products. So that's a really important concept that's up and coming. And the other one, again, I'll reiterate the trust but verify in terms of architecting your environment. I see overly permissive trust in a lot of applications and partners and suppliers, which can lead to the type of supply chain compromises we're talking about. If you're going to bring in something that you cannot trust implicitly, then you need to build monitoring around it, you need to architect least privilege and segmentation around it, understand that there's something you're bringing into your environment that could be a point of entry for an attacker.

We're still two or three weeks on from some of the major cyber attacks we've seen in recent weeks targeting hotels and casinos. We're still none the wiser about what has happened. You know, we have some ideas, we've seen some reporting, some of it from us at TechCrunch. But a question for all of you: how does transparency about security events help security, help future security efforts? Can we start, Rachel?

Sure, yeah. We can't know how to defend if we don't know what the attack methodology was. That's why I think it's so important that we're really clear about exactly what went down during the hack, how it happened, what the initial point of entry looked like, how they pivoted. We need to know exactly what happened during that attack. And I actually want to give some positive shout-outs. The only companies I'm going to name are the companies that I'm really saying are doing a great job here today. In 2020, Twitter was hit with a really interesting social engineering attack. You probably remember. They called up customer support pretending to be IT support, and they ended up getting access to the admin panel, and they wreaked havoc on, you know, a million different accounts that were high profile. And Twitter in 2020 was so forthcoming about what went down. They told us exactly, day by day, what they were catching, the remediation steps, how to notice these exact steps. And then we see other companies following suit and doing a great job on their blog too. Notably, I want to say Cloudflare did a fantastic job saying, hey, by the way, we got hit, but, you know, the YubiKey stopped it in the moment. And knowing exactly what prevented the hack from moving forward is so essential. So kudos to those teams for being so transparent in a hard moment.

I feel like there's such a stigma around security incidents and breaches, and, you know, transparency is so important, you know, because it does help set the groundwork for future, uh, security efforts. But, uh, it doesn't have to be embarrassing. It doesn't have to be a shameful experience. It can, we can learn from these experiences. Is that something you would agree with, Sherrod?

Absolutely. I think that, um, you have lessons learned from a breach, and those lessons generally are surrounded by incredibly heightened emotions, and those emotions stay with you in the rest of your career. Hiring people who've been through big breaches: don't look at that as a failure. Look at that as somebody who has been on the front lines and been under fire. They know what to do, and they've been through it, and I guarantee they have learned from it. I also think that it's very important that we have empathy for victims, in terms of those IT teams, the customer support person that answered the phone and they're just doing their job, like we've mentioned. Having empathy for these victims, and especially the IT people who are trying to figure it out. That was kind of their house, right? They see that as their responsibility to protect when you're in security operations, and now they're dealing with something they may have slightly missed. Could be some tiny little thing, could have been some little accident, and now they have to clean up after it.

Security takes a village. It takes a lot of work to do this. We actually started looking at the incident response to begin with. How much of the aftermath of an incident is what's remembered? It seems like that's the case. But, you know, how much can an incident response actually feed into a positive outcome in terms of being able to disclose transparently what happened and what can be done in the future?

Yeah, so it's not just a matter of threat intelligence when people have this stigma that keeps them from talking about the cybersecurity incidents they've had. There's also this pragmatic answer of: there are so many incidents going on that most of this audience isn't aware of. And again, I work in really critical infrastructure, like, stuff that keeps the light on and clean drinking water and the trains running and manufacturing operating. There's incidents going on all the time that you don't hear about, and the problem is that since the executives who fund cybersecurity programs don't hear about them and they aren't in the newspaper, that prevents other organizations from getting the resources they need. If people were more forthcoming about talking about, everybody can be a victim, I started with that, it can happen to anyone, you are not too big or too small or too wrong of a vertical, it can happen to anyone. If we talked about them more, not only would we know more about what the adversaries are doing, but organizations would be able to prepare, prepare, prepare for these incidents. They would have adequate people and funding and technology. But since we aren't talking about it, since it's all hush-hush because we're embarrassed, these things are going on and people are not adequately getting the resources they need to be ready for them to happen to anyone.

So with just a couple of minutes left on the clock, um, what areas of cybersecurity defense are currently underserved? Rachel?

This is a fun one for me. Um, people often think, because I have security awareness training as a part of a product that I offer, that I'm going to say that that's the solution, and actually that's not the solution. So that's kind of a funny thing for me to say. Training is one important piece of the puzzle. A lot of times when we see these attacks happen, we see folks talk about it in the news, they say, oh, we really need to train our people better. And sure, we should train people better. That's great, we should definitely do that. That's why I spend time doing that. But that's not the end of what we need to be doing with the people. People need the protocols. How do they respond to the people who text them? If they get a text and it looks like it's from their identity access manager, what should they do next? Should it be Slack somebody? Should they call somebody? Should they email somebody? They don't know, and that's why they end up clicking and they end up going through and giving their password and their multi-factor authentication code away. They need the protocols, not just training. They need both. And I think that's really severely lacking in the communication out, you know, when we see these giant breaches. It's not just train them, train them, train them. It's train them, upgrade their technical tools. Do they have a password manager? Many companies still don't. Do they have a good multi-factor authentication method for their threat model? Most don't. And we need to make sure that they're ready to go with: who do I talk to in these situations, the edge cases?

Well, look, thank you so much for being here. It just shows that a cybersecurity trash fire doesn't have to be, if we're prepared for it, and we can learn from incidents of yesteryear. So thank you folks so much for being here.

Thanks, Zack.

Thank you.

Thank you.
