Cyber Defense from a Criminal’s Point-Of-View

Yesterday I was listening to an episode of Intel Corporation’s excellent podcast, InTechnology, number 115. The hosts were joined by Bret Johnson, the former cybercriminal who was on the US Government’s most-wanted list. Quite an interesting character. He was the leader of a gang called shadow crew, a precursor to today’s darknet. After being arrested by the US Secret Service, he was convicted. Then they offered to get him out of prison early if he accepted a job—an offer he couldn’t refuse—so he became a consultant for law enforcement and an informant. While working for them, he continued to break the law from inside their offices, and after being caught again he was convicted and served time in federal prison. He escaped, was recaptured, and served out his sentence. Now he’s gone straight and runs the cyber defense consultancy Angler Phish Security. I think it’s safe to say that he’s an authority with first-person knowledge of the world of cybercrime. Mr. Johnson shared an insight that gave me food for thought:

“We have this perception…they paint the attacker as this hacker, this upper tier computer genius that is untouchable. That’s not really the truth. You have those types of attackers out there, but 98 percent of cyber criminals, they’re just good social engineers. They don’t really understand the dynamics of the security or anything else, but they don’t have to.”

So, this type of adversary is a clever confidence man, a kind of amateur psychologist. They don’t concern themselves with sophisticated coding, but with understanding and exploiting human nature: lax vigilance, and sloppy operational security discipline. They can buy all the bots and utilities they need on the dark marketplace Mr. Johnson describes.

The challenge to cyber defenders is that the numbers are on the criminals’ side. They only need to dupe one of your employees, one time, with a plausible looking phishing email or text message to gain access to your network. Your security team will tell you that no amount of employee training will insure one-hundred-percent compliance with security practices. And Mr. Johnson asserts that there are a lot of cyber criminals in this demographic:

“In 2017 alpha bay is the largest criminal network on the planet. 240,000 members when law enforcement shut it down. Two years later, 2019, a dark web marketplace called black market was shut down, 1.15 million members. All of that pre-pandemic. During the pandemic, the fraud numbers exploded because you had the stimulus package in place, there was no security, so you had massive amounts of fraudsters coming in committing fraud. Those people, now with the stimulus programs ended, they’re not really going to go and flip burgers, or go to school or anything else like that because they’ve gotten a taste of how profitable on-line crime is.”

Wow. I took statistics in college, but it’s beyond my skill how to figure out how many of the millions of criminals must attack to find one victim in the universe of companies who, in a moment of inattention, falls for a social engineering exploit. Intuitively, it seems like the odds are stacked against the defenders. And sooner or later it feels like one of those intrusions will land right in my or your lap.

So, given the nature of the battle space Mr. Johnson describes, one may ask what is a high probability way to mitigate the damage of social engineering that leads to a ransomware or malware attack? Perimeter firewalls and anti-virus scanning are not the answer in this mode of operation. We have to assume that because of the sheer numbers, and fallible human nature, inevitably the adversary will penetrate the network perimeter. Indeed, we should probably operate from the assumption that the barbarians are past the gate. They’re already inside the castle walls.

If that’s true, then organizations must have enough resilience in their systems so that they can continue to do business even in the face of a breach of the perimeter. That’s where zero-trust security comes in. NIST, in their special publication 800-207 describes the idea of least-privilege-needed access. No user or device is to be trusted by default, just because of its location, i.e., inside the network perimeter or intranet. Using a concept called microsegmentation, we can organize network assets into granular groups, with policies that only allow authorized traffic between them that’s part of a valid business process. This prevents the unhindered propagation of malware laterally within the network, shutting down the effect of any successful intrusion.

I’m happy to say that our company, ColorTokens, is part of the solution to this ongoing challenge. We’ve developed an approach that makes it practical to successfully deploy, manage, and enforce the network traffic polices that can stop the lateral movement of malware inside your perimeter. And we do it in a way that differs from others in that we have a unified approach to managing traffic policy for both internal network traffic as well as access for remote users. This is increasingly important in the growing business paradigm of “work anywhere.” A unified zero trust security software platform is crucial for centralized management of these policies. If separate point solutions are used, administrators would need to manually maintain coherence between policies defined in different tools and user consoles—one set of policies for traffic between microsegments in the enterprise network, and another for microsegment access for remote users. In addition to being more expensive and an administration headache, manually managing policies in separate point solutions can lead to errors, increasing risk. A unified platform allows for a comprehensive approach to zero trust policy definition and enforcement, so that the greatest reduction in attack surface is achieved.

We at ColorTokens are ready to help you chart your path to zero trust security. We can give you a firm basis for planning your way forward by starting with a cybersecurity posture assessment.