2020 marks the start of a new decade. But it’s also worth taking a look back at where we’ve come from and what has changed in infosec. For episode 36 of Cyber Security Sauna, F-Secure’s Christine Bejerasco joined the show to take a look at the highlights of the last decade – from nation state malware, to ransomware, to Snowden and more – and to talk about how far we have, or maybe haven’t, come.
How would you describe the past decade in cyber, Christine?
For me, Janne, the past decade in cyber seems like it’s all over the place. It’s actually not very surprising because technology during the past decade was also all over the place. There was a rise in IoT devices, and therefore whenever there’s new technology arising there’s always new threats trying to exploit that new technology. So there’s also more and more artificial intelligence and machine learning being used. And therefore there are proof of concepts trying to also exploit that area. And then there’s more and more breaches that are happening as well of the data that people have online, because there’s more and more online services being offered.
Yeah, some pretty big ones too.
Yeah. There were really big ones that were quite detrimental. Beyond the typical credential attacks, credential theft, credential dumping –
Yeah, DDoS and that.
Yes. There were even hacks, for instance the Equifax dump which included full names, birthdates, social security numbers. Those were quite detrimental data dumps that affected more than 150 million people.
Yeah, I thought you were talking about just credential harvesting attacks or password spraying and that. The attacks were more sophisticated than that as well. But also in the data dumps, we lost more information than before.
Even like credit card numbers in the clear, in amounts that we hadn’t seen before.
Yes. And the stuff in the past ten years looked a little bit scarier from that perspective. The good thing as well was that when GDPR started to be enforced in 2018, then it’s like the people who owned this data got a little bit of the control back. And even though GDPR today is only enforced for EU citizens, this has opened up the conversation in other places as well, for instance California, this year as well.
Absolutely. So how was the past decade different from pre-2010?
I’ve been in this industry for – should I tell my age? I’ve been in this industry for 17 years. I started in 2003, and what I saw then was mass mailing worms. They were very noisy. They were essentially going to almost everyone, like almost every email address that you can find, they spammed there. Network worms for instance, they were very common. They just tried to spread to everyone.
In the past decade, there was only one time we have seen this type of network worms, and that was the WannaCry, NotPetya, Bad Rabbit, because they managed to get the EternalBlue exploit that came from the NSA. But otherwise the past decade has been full of attacks that are trying to be as covert as possible. And nation state attacks – the first one we really discovered out in the open was in 2010, Stuxnet. And nation state attacks were unheard of before 2010.
Well let’s talk about Stuxnet a little bit. It really kicked the decade off in the summer of 2010, I think in June it broke. What was it about Stuxnet that set the stage for the whole decade?
It was about what it was supposedly for. At the start of the previous decade, there were still malware that were created for fun by script kiddies. And then it shifted very quickly to malware that was financially motivated. And from around 2004 to before 2010, it was one financially motivated malware after another. And then Stuxnet came. And Stuxnet was – well, it didn’t look financially motivated from the beginning, because why would you spend that many zero day vulnerabilities on one malware? And we were like, wait a minute, these things are expensive. It was a pretty big malware as well, on the binary size. And eventually it dawned on us what it was targeting, so it was targeting industrial control systems, and we were typically seeing malware that were targeting endpoint devices, so typically end users and even businesses, but endpoint devices. Not industrial control systems that control critical infrastructure.
And it set the tone for the decade because a few years later, or even a year later, we saw more and more of these types of attacks. And they were not only coming from a certain nation state, they were coming from other nation states as well. So apparently these things are happening all over the place. It’s just that we are not seeing them immediately because they are using pretty advanced techniques to hide themselves from the typical antivirus software.
Yeah, Stuxnet really opened that can of worms. Before that, with nation state actors, we knew that they were out there and they were active. But Stuxnet was a free-for-all, all of them just crawled out of the woodwork.
Yes. And we realized of course that Stuxnet was apparently installed well over a year before that. It was around a while before it was discovered.
Yeah, so the long game aspect of it. All right, what were some of the low points of the decade in your opinion? And what were some of the high points – what stood out of the decade?
Low points would be the breaches. They were quite bad. The impact was really massive. People who didn’t expect their data to be out there were affected. So although sometimes it doesn’t sound like the most sophisticated thing, but these things can sometimes have the most impact.
The high point is actually quite interesting, because it depends. If you’re talking about excitement, I guess, having malware that tries to mass propagate once again and then maybe people screaming all over the place that they were infected, et cetera, that was exciting in 2017 when WannaCry came.
You’re always happy when you see big worms or crazy malware.
I don’t know, maybe because I started working during the time when there was a lot of those. We even have these lights that turn on and make some siren sounds when there’s an outbreak. I haven’t seen outbreaks in a while, and in 2017 that was a real outbreak. So outbreaks are exciting. It’s quite bad, you know, but it’s exciting.
Sure. And we can’t talk about the decade without mentioning Snowden.
Snowden was an eye-opener. And the nice thing about that is that the conversations actually moved from people who only worked in this industry and started to see about nation state attacks to your parents, for instance. I mean, my mom never understood what I was doing, and then she said, “Oh, okay, there’s this Snowden guy.” Oh, so you finally understood about Snowden, mom.
So it’s a conversation starter with people who are not used to the business of cyber security. And privacy is something that it seems that they understand a little better than when you talk about security of your devices. And that opened conversation – of course, it got people a little bit afraid as well, because what’s going to happen to your data? Some people are passive and neutral because they have nothing to hide. Some people are very adamant about having their privacy protected. I believe that from Snowden coming out in 2013 to GDPR enforcement in 2018, all of those events, the breaches, Snowden, contributed to the data starting to be more and more going back to the control of the users who own it.
Yeah, I’m sure you’re right. To me the biggest thing about Snowden was that I remember back in high school days being interested in these things. I was reading about the NSA’s ECHELON program and how they’re listening in on everybody’s phone calls. And all my friends were like, “Man, you’re just being paranoid.” And then Snowden comes out and it turns out that it was even worse than we ever dreamed it was.
It was a validation, yeah.
And like you said, bringing the discussions out into the wider audience.
We did see the cyber world interact a lot more with the political world, like you were saying, in the past ten years. Do you want to talk a little about some of the ways that happened? You mentioned GDPR following pretty much directly from Snowden, and so forth.
I guess I can talk a little bit about what’s happening with some different nation states. So for instance, initially it was of course Stuxnet that was attributed to the US. And Israel as well. And then we saw Regin, which was a tool that was actually mentioned by Snowden in his revelations a year before, and those came out, and it was found that it was apparently used by the NSA and GCHQ. But then we saw as well APTs coming from Russia. So Turla, which actually used satellite downlinks. Which was quite cool.
That was pretty amazing.
Yeah, it was quite cool. So it’s amazing how they keep finding these new ways to try to circumvent being found out who they are. But at the end of the day, when you look at the purpose and you look at where binaries come from, et cetera, the attribution – I mean, we are not really police officers or official investigators where we can really say that that came from that location – but the attribution can be like, it seems very close to what it really is.
And then also there are some that are not very sophisticated, but for instance, there was also this – we called it NanHaiShu, when China created this attack against different organizations that were working with the Philippines when it comes to the South China Sea dispute. And it was interesting because when we were writing that paper, it followed different events that were happening between the US and the Philippines, and between the legal firm that was representing the country. And if you say that politics and cyber events are coinciding, that was the moment when we were like, there are coincidences, but maybe several things is too much of a coincidence.
Yeah. So we saw a lot of data breaches in the last ten years, that was one of the things of the decade. How do you think the next ten years will compare when it comes to the number and scale of data breaches?
That’s a very tricky question to answer. Because today, we can see companies that are increasingly being more concerned about their security. So they are also increasingly trying to protect the perimeter, for instance, how the bad guys who try to take and dump this data, how they will get in. So I would like to say that there should be less because of that.
But unfortunately there is also an increasing amount of new startups offering new web services, and whenever you’re starting out it’s always like security is not topmost in your concerns. You want to deliver a service. And rightfully so. But when you try to deliver online services without security in mind, at some point, with all the automated scanning that is out there happening day by day, there’s gonna be something that finds that you have a vulnerable network, something exposed online. And that could be an entry vector into getting to the system. So this is heavily hinging on how much security consciousness really penetrates, especially to those startup organizations that are offering web services, online services.
Absolutely, but at the same time, data travels. It gets sold and it gets transferred to third parties and so forth. So to me, one of the really upsetting things about Equifax was that nobody chose to give their information to Equifax. It was collected by everybody else, all the credit card companies.
That is true. But the one thing as well that’s going for people now in the next decade is that there are more and more of these privacy-centric rules that actually penalize companies that don’t have due diligence on user data. So the harder it is for companies to be relaxed when it comes to users’ data, the more they will spend on security of users’ data. So I would really like to say that there should be less of this happening.
So we’ve seen the worst of it.
I have a funny feeling that not really. But the laws are heading towards that place.
Oh, absolutely. And I know a lot of companies are really thinking about what sort of data they want to collect. Because then you have to store it, and it’s like – maybe you don’t need it that much.
Yes. And the mere fact that we try to avoid personally identifiable information nowadays means that the less personally identifiable information there is, the less value that data could be to a person if that is breached and dumped out there.
Yeah, I know. F-Secure as a company, we’re making very strict calls. We’re not collecting information because we don’t want to be in a position where our customers get compromised because of that.
It’s true. And it’s both good and bad for us as well, because of course it’s very good that customers are not exposed. But sometimes it also lessens our visibility on what’s out there.
Yeah, we’d like the analytics, but, like –
Not really the analytics, more like the visibility of what threats are happening on the users’ devices. But we do jump through several hoops, we try to say that we really want visibility of malware that we have perhaps not seen before, like threats that are getting into the users’ devices. And then we jump through several legal hoops in order to get there. So we’re very conscious about privacy.
Yeah. Well, one of the things of the last decade was ransomware. It was everywhere. It was what the 20-teens were all about. Where do you see that going?
Ransomware had an interesting evolution in the last decade, because it started as something that was spammed to everyone. And maybe this is how malware typically tries to work, like they spam it to everyone, and then they see how was the infection capability, how was the penetration of the infection out there. And towards 2018, it peaked, and then nowadays it looks like for the ordinary user they don’t see it too much anymore.
But an interesting bit there is that it looks like the ransomware authors have realized that whenever you go after individuals, they can pay maybe small sums of money. And sometimes they don’t really pay, they just say goodbye to their documents and then they let it go. But organizations, those were the ones who were paying ransom. Because sometimes it’s costlier to recover from a ransomware attack rather than just to pay the ransom. And then when they pay the ransom, they get this decryption tool, so it’s cheaper for them.
So today, there are malware, for instance, there’s this Emotet malware that has partnered with Trickbot malware, and then they provide the land layout, if you may. So what Emotet does is that it tries to spread the infection out there, and then it has amassed such a large botnet of infected devices that are just laying there dormant. And there’s another malware that partners with it, this Trickbot malware. And what they do is that in every device that’s infected by Emotet, they can actually profile what type of device that is, report that to the attacker, the attacker can perform lateral movement in the network and then profile another device again, until they create a full network profile. And then this is what they sell to the ransomware actors. And then the ransomware actors, they can actually see that, okay, this looks like the type of organization that could potentially pay, and then this is an organization that maybe wouldn’t pay. And then maybe they have a file server here, maybe the history of that is that they don’t have backups.
When you have this profile, then you can basically pick which ones you’re going to infect. And this is why nowadays we mostly see that okay, this organization was infected in the news, because the ransomware authors, all they have to do is just deploy the payload to the organizations.
Yeah, absolutely. That’s super interesting. But even that is semi-autonomous. But we’ve also seen attackers almost monetizing the foothold they get in an organization. Like typical hands-on keyboard attackers just breaching an organization, and then they’re just like, well, I have all these machines now, how can I monetize this? And maybe let me just drop ransomware everywhere and steal the data as well. So these days we’re seeing this artisanal ransomware that’s dropped in an environment, but that’s not all they’ve done. There’s also all these back doors in the systems, all the data’s been stolen and is getting extorted, all that’s happening and the ransomware is just the cherry on top.
Yeah, they can sometimes do that. Because when they go through the organization, the more they move in, the more they are able to get for instance to a domain administrator’s device. And if they manage to get domain admin rights on the network, I mean, you can pretty much do anything. You can create group policies that would say “I want to deploy this backdoor to those types of machines, and then this ransomware to those types of machines.” So you don’t have to spread the infection to the whole network, only to those areas that have the most value to an organization. So definitely as you’re saying, it’s become more of these combination attacks. And it’s also like geared a little bit to the organizations because of the money aspect. That mostly they are the ones who ended up paying.
Yeah. Do you think companies are thinking about ransomware too much in terms of malware? Because we had malware that was worming, so if we can just stop it from worming throughout our system, we can stop ransomware. Even though that’s not the case anymore.
Yeah, it’s not necessarily the case. Because worming is one aspect, and definitely you should protect from it because it’s so automated and you just need to get that out of the way. Of course, nowadays there are also these open remote desktop devices that are just out there. So if somebody could just close that when they don’t need it, that would help so much, because every possible entry point that an attacker can get into an organization – and well, for instance, even if you remove Emotet out of the picture, and then you got in via RDP, you can deploy Trickbot yourself. And it will still create the profile and then you still have those devices ready for you to install. So they will find multiple ways.
And we have seen in the past decade that this is really how threat actors historically have operated. If they see an opportunity, whether it’s a new technology, like something that’s insecure, something that they can use to exploit someone to make money from that, they will try it out.
Talking about RDP got me thinking like, what’s something preventable that you think we’re going to see in the next decade that you just wish we didn’t because it’s so easy to prevent? Is it like, people, stop using RDP?
Well, RDP is one thing of course. I’m thinking a little more about IoT devices now because they’re so prevalent. IoT devices with default credentials.
Oh, yeah. That’s a classic.
I mean, if we can just get rid of those, that would solve quite a few of the problems.
Yeah. But that’s one of the things. Some of the legislation we’ve been talking about actually revolves around that area, that you have to have a unique password for example, for each device. And from there it’s just a short hop into “Don’t use that development hard-coded backdoor password credential.”
Yes. I mean, if we can just get rid of that, then we can move our efforts into the next level of how do we secure these devices.
Yeah, yeah. We’re still going to have our work cut out for us, but not with that.
Yes. Hopefully not with that. Not with the things that we know.
Yeah. So when you think back to 2010 compared with where we are today, in 2020, what would you say are the main differences? Are we better or worse off?
When it comes to securing our users, I would say we are better off. The unfortunate thing as well is that a lot of our ways to secure our users have become a little bit more scattered. So let me explain a little about that.
Previously it was all about having one antivirus, that you put on your endpoint device. And then a lot of the nation state attacks came into the foreground. And then we’re thinking, okay, we really need to add some sort of monitoring, because it’s not enough anymore to just protect when something goes wrong, when a payload gets deployed. It’s better if you can see what the signs are when a system is infected through time. So this is when the detection and response product came into play, this is when we started to really look at what are the problems that we cannot monitor. And then of course data breaches came into the picture, more and more we need security consultants, offensive consulting to work with customers and ensure that there are areas that you can actually just basically protect in order to avoid those things. So today, we have a product that works with network threats, we have a product that’s a VPN, because you need to protect your traffic, we have the endpoint protection product still there, and now it has spawned to mobile devices and then general purpose computers, and I think we have identity protection also coming up, to protect your data and to warn you if there’s a breach, and then you can change your credentials so you don’t get affected.
So now it’s like there are so many things that you need to work with to protect yourself. And in the next decade, my hope is that these things start to converge back into one, because as ordinary user, if there’s too many things to think about, sometimes you’re going to miss some of this. So it would be good to get them converging again into one lane, and this is the one way to protect yourself and your data, and your online service accounts.
Yeah, I do like what you’re saying about users are more exposed, there are more attack vectors these days. But then again, I’m thinking like, back in the early 2000s, the 90s certainly, I had a bunch of viruses on my computer, because you know, I was going to dodgy websites. But like these days, you have a “virus,” air quotes, on your computer, and you’re done. You’re toast. It’s ransomware, and that’s it. So do you think that we’re seeing maybe fewer in number, these attacks against consumers, but that they’re more damaging at the same time? Or do you think that the attack vector will keep on growing, and we’re just going to see more and more attacks against users as well?
The attack vector has not really lowered through the years. It looks like they have congregated in certain areas because of what happens with different technologies. For instance, if we talk about iPhones, Apple is very strict when it comes to what types of apps you actually put into the store. And that not only includes automation for checking what type of app you are putting there – there are really people vetting that, looking into that, and making the system very much a closed ecosystem. So having devices like that would keep the typical attacker who targets end users away from the device.
So what do they then focus on? For instance, are there threats against the phone? Of course there are, because if you have a phishing website, that’s platform agnostic. It doesn’t really matter if you visit it on your iPhone or you visit it on your Windows device. You could still get infected. And for instance, phishing, that’s one threat that has been around for like two decades, and it hasn’t really gone away. Because as long as you have a browser, whether it’s Chromebook or you’re in an iPhone, you could get compromised if you input your account into that page.
So it really just follows the trend, and the amount of threats don’t really go down. The more technologies we introduce into the picture, the more different threats are going to try to come in.
Yeah. But would you agree that the attacks we’re seeing against individuals in particular are more damaging these days then they were ten years ago?
Well definitely when it comes to the fact that they are not just for fun anymore. They are not your typical malware that draws something on your command console.
A little ambulance driving back and forth.
No. When it’s financially motivated, it’s really after your money. So when it’s after your money, it’s of course damaging for you.
True, true. Yeah, maybe we didn’t realize how sort of – if it’s just a “harmless virus,” quotes again, maybe you don’t realize the damage that has happened.
Yeah. I guess what I can see now, that’s maybe “harmless” for individuals, are those that just end up as dormant on the individuals’ machines. So for instance, supply chain attacks. If you are part of a certain supply chain but that’s a targeted malware and you are not the intended target, the malware is on your device, dormant, just sitting there, but if you are the intended target, that’s when the payload of the malware activates. So in supply chain attacks, it’s like you’re infected but it didn’t really do any damage, unless you’re the target.
Hmm. So would you say the rise of cryptocurrencies in the 20-teens was a game changer for cyber crime?
Definitely, it was very much present in the threat landscape. In 2013, we saw the first ransomware, CryptoLocker, that started to use Bitcoin when it comes to payments. Before that, they were using different types of payment systems that you can buy credits at your local kiosk. And through the years as well, when ransomware was rising in popularity, they were accepting cryptocurrency payments. So it started with Bitcoins because Bitcoin was kind of like the one that was there.
Yeah, the first big one.
Yeah, exactly. And then eventually there were more and more, and today, Monero is actually quite a favorite because with Bitcoin, in order to stay anonymous, you still have to go through these underground organizations that provide some Bitcoin mixing functionalities.
Yes, tumblers. So that actually your Bitcoin cannot be tracked to you. But when it comes to Monero, that cryptocurrency is built to be private at the beginning. So there’s a lot of ransomware nowadays that are receiving Monero as payment.
And in addition to ransomware using cryptocurrency actually, there was the rise of cryptominers, I think it was between 2017, 2018, when the valuation of cryptocurrency was actually very high. So there was an organization that had a software called Coinhive, and what Coinhive did was they tried to provide an alternative for advertising. So when you have a website, instead of posting ads on the website, you can put this Coinhive cryptominer instead. And then when the user visits, they spend a little bit of their computing power to mine cryptocurrency for the website owner in lieu of clicking ads for money. And of course, was that ethical? We didn’t know, we were debating about it.
And then what happened was there was a bunch of attackers who compromised a lot of websites, and they planted Coinhive in those websites, and then used the processing power of the visitors to mine for cryptocurrency and then put it in the attackers’ wallets. And then that contributed to the rise of cryptominers.
That’s so interesting, because the Coinhive thing, that makes sense to me. I would rather donate my computing power than have to look at blinking ads. So that would make sense to me. But then from there, it was such a short hop to “Let’s just go crazy and do this in a criminal way.”
Exactly, and this is the nasty thing about cyber threats. Because whenever somebody offers an opportunity, and like all of these opportunities, all of these new technologies, they’re neutral. They’re really just out there and we can just use them for both good and bad. But whenever we can use them for good, it seems like attackers are just so brilliant, thinking of what could be something –
How can we exploit this, turn it into bad.
Yeah, I’m sure that Bitcoin has been used throughout the years to buy legal things.
Whereas, I’m pretty sure Monero hasn’t.
(Laughing) I don’t know about that.
We’re gonna get mail for this…Well, when you think forward to the next ten years, what are some of the things you’d like to see in infosec?
I have some hopes of what could be improved. For instance, today, if I look at my password manager, I probably have 200 usernames and passwords there already. Would somebody please figure out a way to consolidate these things and make them secure? So, the hope that I have is that there’s a better way to perform authentication rather than just usernames and passwords.
Yeah. But Facebook is offering that convenient single sign-on service, but you’re not using it.
(Laughing) I’m not using it because of the privacy implications as well, and in the past decade, Facebook and the Cambridge Analytica thing hasn’t been exactly the most popular.
So is there a company out there who’s in a position to do that, make a customer friendly single sign-on service that you would trust?
I haven’t actually seen it yet. That would be very interesting. But of course, if they can show that for instance, they use security consultants and see that, okay, how secure is it, really, their networks, their systems, what kind of authentications they are using, what are the layers that they’re using to protect that? Because I am a heavy believer of security in layers. The more expensive it is to breach you, the less you get breached – except if it’s a nation state attack, of course. But the less you get breached by typical attackers. So if they can actually show that there is the framework behind this type of authentication, then yes, I would trust them.
Do you think we might see something like, I don’t know, an international standard on how websites talk to your password manager directly? Like, currently we’re going through browser extensions, and that’s not ideal. We’ve seen some problems with that.
I think it’s a very interesting idea. I mean, if there would be a standard when it comes to authentication, and then, of course, this might take time, because you have to heavily define what types of security you have behind that standard, then yeah, that could work out.
Yeah. But we do need to get rid of passwords.
There’s just too many.
Well, thank you for coming on the show, Christine,
Thank you, Janne.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.
Leave a comment