EXCLUSIVE: Rick McElroy shares how he’d breach an enterprise
Recently we were given the opportunity to sit down with Carbon Black security strategist Rick McElroy on the current issues and emerging trends in cybercrime.
In terms of emerging trends, McElroy says 2017 was the year of ransomware, but this year is all about cryptojacking.
“At the end of 2017 it really became more about cryptojacking with attackers moving from extorting a company, to taking over their endpoint and printing money by trading cryptocurrencies on it,” says McElroy.
“What we saw from an evolutionary perspective with ransomware, I believe we will continue to see with other ways to monetise endpoints. Cryptojacking-as-a-Service will rise to prominence, and probably some of the same dark web service providers are then going to just use that infrastructure for other purposes. Essentially, for around $10 I can go and buy an attack that goes after someone's cryptowallet. Too easy.
And there are no signs of cybercrime slowing, as McElroy believes there are a few caged lions due to be released.
“Some of the things that we haven't seen yet will emerge. The NSA had a set of tools that were released into the wild last year, two of those tools ended up in WannaCry, NotPetya and Bad Rabbit. There's about ten other ones that we haven't seen yet in the wild,” McElroy says.
“The CIA also had a tool leak and I haven't seen any of those being used in the wild so we'll almost definitely continue to see nation's states develop zero days, lose those zero days, and then everybody will have to deal with them.
McElroy believes the cyberwar between nations has already begun.
“From a nation state perspective, we're in the middle of cyberwarfare but I don't think anyone is ever going to officially call it that,” McElroy says.
“What we're witnessing is a cyber arms race in both the defensive side and offensive and that is not going to stop anytime soon because whoever has the upper hand and can gather the most intel is positioned well from a national security perspective.
Make no qualms about it, McElroy maintains the digital world is a dangerous place but at the end of the day, it's not about systems but rather humans vs humans – and that's how he would breach an enterprise.
“I'm a big fan of the path of less resistance. If you talk about ransomware, a lot of times it's not these big cartels behind it, it's literally like two people in an apartment in Romania with a server. People are effectively paying their bills with ransomware proceeds,” says McElroy.
“For me I would 100 percent go after the human. The human remains the weakest link as I don't have to turn on a vulnerability scanner or use an expensive piece of software to launch an attack. I can simply buy what I need on the Dark Web, weaponise a PDF, send it to a company and I'll see how many people will click on it. Again, the path of least resistance.
In terms of how companies can prevent this ‘targeting of the humans', McElroy says the key lies in agility.
“You need a playbook but you also have to be willing to throw those out in a heartbeat and go off-script because if you don't, cybercriminals are going to be interacting with your system faster than you are,” says McElroy.
“Attack chains are becoming more complex as cybercriminals seek bigger pay days. Most teams don't have that visibility into what we call the 'cyber kill chain'. Our philosophy is the further up that kill chain you can drive your visibility, the better chance you have of interrupting the attacker. Most companies focus on the tail end, so the execution of the malware attack. We focus upstream of that which gives us an advantage in early detection.
McElroy says at the end of the day, Carbon Black operates on a fundamental premise that other vendors don't, and that is unfiltered data recorded from the endpoint and centralised empowers teams to get the bad guys faster.
“Think of it very simply as CCTV cameras. If I'm going into a 7/11 they're always recording. When an attack happens, law enforcement comes in, they push a button to roll the tape back to determine all the things they need to know, and then they determine who it was and arrest the person,” says McElroy.
“The premise of unfiltered data, recorded and centralised, enables you to apply threat intel and data analytics. Previous to Carbon Black that type of technology didn't exist for endpoints.