- Zero Trust
December 16, 2020
Hosted by JD Sherry, Chief Strategy Officer, Remediant
Join us for a brief chat with our guest cybersecurity expert, Tom Kellermann, as we discuss the importance and meaning of Zero Trust/Intrinsic Security, the challenges of addressing the spread of Ransomware cases and some 2021 cybersecurity predictions.
All right everybody. Welcome again to our weekly installment here of Cyber Whiskey, Water, Wine Wednesdays. In this case, my esteemed guest Tom Kellermann, who is Head of Cybersecurity Strategy at VMware, has chosen to, in his typical form and fashion, divert from the norm and go with a beer tonight. So Tom, thanks for joining us. I am having a little bit of wine tonight. Cheers to you. Thanks for joining the program this week, representing the local Avery IPA.
I am. Salute.
Salute. So, thanks Tom for joining us. Tom and I, for those of you that don't know, we go way back, nearly a decade now in the industry and first started working together at Trend Micro and ever since then become fast friends, and I lean on Tom a lot around his expertise in the industry and exchanging different kinds of stories and customer anecdotal stories that we can riff off each other with and learn from one another.
So Tom, it's good to have you on, I know you're busy wrapping up year end activities. So, I'd love to chat a little bit about a couple of things that... It's actually a pivot off of our last show that we had here on Cyber Whiskey, Water, Wine Wednesdays, and that's really the concept of Zero Trust. I don't necessarily want to talk in its entirety about Zero Trust, but I do want to get your opinion on what it means to you. Where is this thing going? I have people that are really laser locked in when I mentioned it and they get excited about it, and then I get eye rolls from people sometimes when I talk about it because maybe they're just fatigued by it. So, where do you think this concept of Zero Trust is going, And what's it mean to you?
I believed in Zero Trust, but it shouldn't be limited to the endpoint and identity. It should expand across an entire infrastructure and it should manifest in a way that it's Zero Trust but then what? And I think the then what is, it will allow the architecture or the infrastructure itself from clouds, to apps, to containers, to endpoints, to identities, to defend themselves against an adversary, unbeknownst to an adversary so really, the construct of intrusion suppression that you've heard me speak of over the years.
Really that architectural model of more like a supermax prison than that of a fortified castle, and how do you force the adversary to become resource constrained, inhibit their capacity to move laterally and hunt them unbeknownst to them in the environment? Which is a critical function because if you think about how adversaries have escalated their campaigns over the past year, we are seeing a counter incident response occur 82% of the time, which means they're deleting logs, manipulating timestamps, leveraging ransomware in a destructive fashion, not Petya style on an environment to punish the defender in real time. So we need to do a better job as a community of not actually letting the adversary know that we're onto them. As the burglary has transitioned to a home invasion, let's not turn on the lights, let's have a silent alarm, let's make sure that our dogs don't bark when we react to the adversary metaphorically.
Yeah. I mean, you and I have gone through our fair share of incidents, and I always remember when you're going through an incident for the integrity and the sanctity of what is going on with that adversary in your environment, to understand exactly what they're trying to do and the breadcrumbs that they're leaving. Many times you left things running. You didn't want to necessarily blow things up because you could lose the trace of attribution to the adversary, right? And I think in many cases, we've kind of gone away from that, whether that's blowing away infrastructure and assuming that you're compromised and not really caring about if you're compromised. I hear a lot of people with that kind of philosophy. I do think that you're spot on with regard to understanding what they're doing, while they're inside your virtual halls.
I always loved the panic room analogy that you've kicked around too, and really trying to assume that you are compromised, and that's the whole premise of Zero Trust is, assume you're compromised, whether it's at the endpoint, it's at the network. How are you going to incorporate the Failure Mode Effects Analysis, for lack of a better term, of where they can really do serious harm so you can keep an incident as a minor incident before it becomes a major breach, and I think that's the whole goal of it, right? Is really to minimize the damage.
It is, and also we need to come to Jesus with the fact that they've become more punitive and they've become more calculating, and what I mean by that is, the end goal now is not as burglary of your environment or controlling or owning your environment, it's the commandeering of digital transformation to use it to attack your constituency. It's a takeover that what you've built and use it to island-hop, to attack everyone who trusts that environment. That's the name of the game now.
So, what happens when an attack escalates? Well, beyond counter incident response and destructive attacks to clean up the mess or to burn the evidence, they will then use your environment to attack your constituency. This will be the year in '21 where we will see someone's infrastructure be used to leverage destructive malware attacks against their constituencies, and God forbid the ambulance chasing lawyers and the shareholder lawsuits that will come thereafter.
Yeah. I mean, the issue around brand reputation, brand integrity is, it could not be more at the forefront around that with island-hopping, and I read your recent blog post you and... By the way, go out and check it on a VMware site. It's looking at kind of where we've been this year but more importantly, forecasting where we're going with the threat landscape. And you and Greg Foss did a really good job on that, and a couple of key things that I thought was interesting that I'd like for you to maybe touch on, you see this shift from island-hopping and really into cloud-hopping with still the emphasis of brand damage, brand reputation, but leveraging what I would call, the soft underbelly of clouds that maybe aren't hardened like our normal environments, to be used as a weapon. Talk a little bit more about that.
Yeah. I mean, cloud-jacking is already happening, but it's coming worse and worse. If so many people migrate to public clouds, they don't realize that not all clouds are equal. They have to really perceive a cloud in a public cloud environment, to be much like moving into an apartment building in a really tough neighborhood, and you need to be assured that there are a certain amount of security provided to the front door, to the elevators, to the fire alarms, to the alarm systems, to the camera systems, plus you still need to protect your own apartment and your neighbor could still invite a sociopath over at a dinner party. I mean, these things are compounded, and so the level of attention you must pay to application security, to endpoint security, and the demands that you should put upon those providers to provide you with the workload security that goes beyond just config management and vulnerability management, are extreme.
And at the same time, the systemic nature modern cloud environments and then utility of containers, is that you're going to see things like container packing and container jacking that can become systemic events through environments, and that's already being done as you see nuanced attacks like the Doki malware against Docker environments that came out about five months ago. I sin on the board of the Secret Service for Cybercrime Investigations, and recently we put out an advisory three months ago, to all the major financial institutions in the U.S. saying, "Your managed service providers, particularly your cloud providers are being successfully targeted by a specific nation state to get into your environments." So, this is already happening. It wasn't some one-off, the Cloud Hopper campaign that hits Silicon Valley back in the day. This is becoming part and parcel for not just the cybercrime cartels, but for the cyber espionage groups who in many cases are the true benefactors of the activities of cybercrime cartels. There is this Pax Mafiosa that exists.
Oh 100%. I mean, the thing that Greg called out in that report, I think speaks directly to that is, we all know, we've talked at length about Bulletproof hosting and things of that nature, but as you see that underground moved to ransomware as a service, and we couldn't go through this chat without talking a little bit about that. I know people are sick of hearing it. I mean, you can get Google Alerts every single day about the next ransomware attack, but I think what you guys are forecasting and I agree wholeheartedly is really in the form of, they're going to come out at several fold. I mean, they're going to come at it with a monetary component but now, nation states are dramatically leveling up their destructive capabilities, whether it's ICS or financial systems. So with that, where do you see ransomware as a service evolving to, with that cartel kind of mentality, right?
Yeah. I mean, if you look at the major ransomware groups from REvil, to Maze, to Ragnar Locker, they're all Russian speaking number one, and they all pay homage to Putin, and it is a protection racket, and they are allowed untouchable status because of it. But more importantly, what do we learn from ransomware this year? Not, "It will be used to ransom things," but we should of learned really three takeaways. Number one, they will re ransom you, they will monetize the situation. Again, you will see a secondary extortion campaign specific to the dumping of your data and more so they actually know what industry you're in, so they will dump the data to your regulator to punish you again. They're doing this very often in Europe via vZvgDPR. So, that's a very interesting twist.
Secondarily is, they will assure that they will compromise you first through your backup so they will keep coming back in. I don't give two blanks that you got backup. They know you're using backup to save yourself from this scourge, and that's why they're going after your backup systems, they're exporting the software in those systems, and they're using your backups to promulgate secondary infections.
And then finally, in terms of evasion techniques, if you just look at the MITRE TTPs associated with modern ransomware, over 14 different defensive evasion techniques are employed in the average piece of ransomware and most importantly, rootkits are being widely deployed. We're seeing a Renaissance of rootkits that you and I haven't seen since our days at Trend Micro when it became a unique thing to see a rootkit.
Yeah, no doubt. I mean, I think when you look at the, I think the verticals or the industries that are in the cross hairs, I mean, they're actually doing a very fine job of targeting where I think folks have weak cybersecurity challenges in lack of investment, and I think healthcare is really getting hit. I mean with Ryuk in the news, the FBI warning, we've seen a-
My God. If I may on that one?
Oh my God, that was a red line that was crossed and under a different administration, it would have been retaliated against. When the U.S. government did the unprecedented thing of collaborating with the private sector between the Cyber Command, DHS, Microsoft, and other companies to take down Trickbot because Trickbot was widely being used to infiltrate and manipulate electoral systems and disenfranchise voters, et cetera, et cetera, okay? Plus Trickbot by the way, would never activate on a Russian keyboard. It specifically does not activate on any DLLs associated with Russians, just to give you that. Unprecedented take-down Trickbot. Bravo, bravo, and immediately a payback. The payback was a distribution of [inaudible 00:11:48], targeting U.S. hospitals during a pandemic from the same group. That is unbelievable. It's unbelievable that that hasn't been covered, and it's unbelievable that that type of retaliation was tolerated.
Yeah, without question. I mean my fear, as I talked to some of our healthcare customers and prospects is, they're scrambling on a number of fronts. One they're understaffed because of the COVID and pandemic, right? They've got a lot of things going on and the attackers are taking advantage of that. I mean ultimately they understand people are stretched. They're going to continue to be challenged by, "Hey, we got remote workforce set up, but we took our eye off the ball when it comes to cybersecurity," right? And now I think with that, let's call it six months timeframe to get people remote and function, I think you're going to have a reckoning in Q4. It is upon us, where they've been in the environment and they've been hibernating, and people haven't been seeing that, and now once people have come back to do security, they're going to see that people are already in their environments and it could be ransomware, it could be generic... Yeah. I mean it's-
I mean, Amen. The number one thing we're going to have to do as a technology community and the cyber security community, is conduct prolific cyber threat hunting to root out what has been infesting us over this pandemic. I would add to the ransomware bit, one of our predictions for next year is this is going to be the year of significant iOS attacks as illustrated just yesterday with the Zero-Day for iOS, one that was very, very unique. But more importantly, this is going to be the year of ransomware for iOS, which will become incredibly problematic and you'll see more and more individuals paying out those ransoms on an individual basis to unlock their phones because of how dependent we are in this world on those devices.
No, that's a great point. A couple of things I want to kind of hit on before we wrap and again Tom, thanks for joining, The issue around what I would call and quite frankly I'm stealing it from where I see VMware going with regard to Zero Trust is, where is Zero Trust going with the concept of intrinsic security? What does that phrase mean to you, and then how has that attached to a Zero-Trust architecture, for lack of a better term?
So Carbon Black, where I came from, is now the security division of VMware, and now we are streamlining and inserting and integrating our detection and response and behavioral nominally detection capabilities throughout the existing IT control points that were developed and pioneered by VMware, whether it's through vSphere, where now you can deploy agentlessly detection and response capabilities for those types of environments, whether it's through Horizon where you can actually protect a VDIs and non-persistent clones as well, whether it's through Workspace ONE where you now have a dynamic MDM that can defend itself against the attacks it hasn't seen before because MDMs inherently are static. For us, it's transforming the IT infrastructure to allow it to defend itself, to use existing control points for greater telemetry and control, and to empower CIS admins of all sorts to become watchers on the wall.
So, that is really what our intrinsic security strategy is, but really inherently, it's an extrapolation of Zero Trust across the entire infrastructure, and it needs to relate to workloads, workspaces, and containers as well, which is where we're putting a ton of investment currently, and it's just constantly evolving because we have to be informed first by the attack landscape. Offense must inform defense. We can't just build things because that's great. Hardening is incredibly important, but the text and response will be based on the fact that you have an understanding of where the threat landscape is going, which is why we're making a significant investment in threat research, obviously with the acquisition of Lastline or the acquisition of Okta [inaudible 00:16:02]. We're trying to make sure that we don't get stuck flat-footed. No longer will we focus on the munitions associated with cyber crime, the malware payloads, but we'll focus far more on how did we get shot? How did they know we were going to be there? Are they alone? What's coming next? And more importantly, is that the end or the beginning?
Yeah. Right. And the other thing that comes into that is DAI and the ML components to think through all of those forensics and ballistics associated with that, I agree. A couple more things before we wrap, I think with regard to intrinsic security and something that's very near and dear to you and I, and that's digital transformation, we've seen this really since 2009 when cloud started to become prevalent in environments and people started to become early adopters, that was the start of digital transformation. I think you bring up an excellent point, how within those larger cloud ecosystems, containers is the next form of how we're doing digital transformation and how we're enabling businesses. So, I think when you look at that resource level, intrinsic security, what we can't subscribe to that I think we've always been in this scenario of kind of reactive in the security business is, we're jumping the bolt on the next thing to the transformation, right?
So, if we can, I think, become lockstep with those cloud-based ecosystems, the Kubernetes, the Dockers, those folks that are out on the forefront of transformation, and we can embed our security best practices into that. I think that's what intrinsic security is all about, essentially. So, we got to continue to get away from the bolt on security because by the time we're doing that, the attackers are already six standard deviations ahead of us, essentially. Right?
Truly and again, we need to replicate what was accomplished under Chris Krebs, which is the public private partnership. We need to expand upon that, and we as competitors need to realize that our true competition is the dark web, and we need to get together and operationalize, because the total addressable market of the dark web is $6 trillion. The total addressable market of the cybersecurity business is $200 billion so who are we really competing with?
Yeah. No, excellent point. And I think that's where we should end it. It's things that make you go home, right? So Tom, I appreciate it my friend. Thanks so much.
Happy holiday season and appreciate you joining the video podcast. Thanks my brother.
Good seeing you brother. Take care of yourself.