Lured To The Dark Side The Criminal Hacker Journey Pt. 2

Mitch: How did the FBI, CIA, and private sector combine forces to stop relentless cyber criminals? Well, today we talked to Nick Rossmann. Nick is the former leader of IBM Security X- Force Threat Intelligence, and has a background working with both agencies. He helps us understand how threat intelligence is evolving to out- maneuver the booming cybercrime industry and how cyber criminals are actually taking pages from the playbooks of legitimate business and creating their own service economies and service providers. I am Mitch Mayne, and you are listening to Into the Breach. We want to take a look at the cybercrime industry, specifically from the lens of threat intelligence, how the landscape is evolving, what threat actors are doing out there. I will give you a little spoiler alert. Working in cybersecurity, threat intelligence has become one of my favorite areas to focus on just because it's so interesting. It gives you so much, well, intelligence, to use a word to describe a word. Just give me a brief overview of what threat intelligence is, how it's gathered, and what it can be used for?

Nick: So threat intelligence really starts at the indicator level and for us, it's gathering indicators of compromise to be able to better understand the threat actor. And that means modeling how they conduct their attacks against our clients, against other partners, against the rest of the cybersecurity community so that we can better understand how they work, how to stop them, and ways to detect and prevent them from responding. But at its highest level, it's understanding their motivations as well. And when it comes to cyber criminals, the motivations are pretty simple, right? They want to find a way to monetize their access to your enterprise systems to be able to make money. And that could be stealing from you and your accounts directly. It could be using compromised credentials on your cloud platforms to be able to run crypto miners. And it's essentially taking computing power that you've paid for from one of your cloud providers. Or it could be extortion like a ransomware attack. So it starts at that level, the micro level of indicators of compromise to understanding their TTPs, but ultimately, how do we prevent them and then better understand their motivations?

Mitch: So is it fair to say this is a little bit like spying on the spies?

Nick: It's a little bit like spying on the spies. I think too, what makes threat intelligence or cyber threat intelligence different from conventional espionage is that we're not stealing information per se. There's no private companies in the United States, we're not allowed to conduct operations like the CIA is or the FBI. So we're trying to pull together what's essentially publicly available information, all the signals that are out there, a compromised server, what has happened on another enterprise network, to be able to figure the bad guys out. So it's a little bit more detective work, right? You're going in afterwards into the crime to figure out how you can then prevent it the next time around.

Mitch: So it's centered around digital fingerprints and digital footprints then?

Nick: Yeah, that's probably a better analogy for it.

Mitch: Tell me a little bit about what the industry is like now, the cybercrime industry as a whole and what the ROI is there?

Nick: I think over the past several years, Mitch, we've seen the industry evolve from really trying to work on credit cards. And when I say work on credit cards, I use that is in the most malicious terms. They were trying to steal credit card information, whether that was from a company that had it like a retailer or from an individual to be able to sell those credit card numbers online and be able to conduct some lower scale money laundering essentially, right? Use your credit card to buy some stuff that they could have access to or auction that credit card off for a fast buck so that someone else could do that same thing.

Mitch: This is like just basically getting your pocket picked, only having it done virtually?

Nick: Yeah, exactly. And that's what cybercrime was. And there were other forms of that. So it could have been unique ways to get credit cards, whether that was, " I'll infect a chatbot that's widely used by a whole slew of companies," or" I will try to attack a particular type of software that's used by a slew of companies who process credit card information before it enters the big credit card networks to be able to be used." That game wasn't scalable, like those kind of business operations because you've got to have constantly going after credit cards. So what we've seen these cyber criminals switch to or in the last several years is that a lot of these credit card incidents would start with something like a botnet where they're trying to steal as much account credential information from you, from corporate users all over the world. And these botnets are running constantly on different command and control systems, basically other computers that they've stolen resources from to be able to go and get more credentials. So essentially, those credentials could get the bad guys access to your bank account where they could conduct some kind of fraud or it could give them access to a corporate network where they could potentially rummage around in it and then look for credit cards. But where we've seen this shift in the past several years is to ransomware. It's much more scalable if you combine a botnet conventional backdoor like that alongside ransomware because now you're not just looking for a credit card that you might sell for a dollar on the dark web. You're going into a company, getting compromised credentials perhaps. If I'm trying to attack MitchCo, I might get, Mitch, one of your employee's credentials. I go and log on like I'm that employee, and then I'm going to start rummaging around the network, try to figure out how I can move laterally within the network using tools like PowerShell, move in the networks to say, " Hey, where can I deploy this ransomware in a maximum effect?" And then bam, I start deploying the ransomware. But just before that, I've stolen a whole slew of data from your environment. And that data isn't just credit card information, it might be. Could be personal health records, could be schematics, could be information about your employees, but all of this is to get ransomware into your environment, put as much leverage on you to pay the ransom. So that there's a high cost to get your data back and recover so that you say, " I give up. I just want to pay the bad guy for the key to get my data back and get back to work."

Mitch: Not only are the threat actors going in to drop ransomware, but they're also taking data in the process. I also wanted to talk a little bit about something that I've heard you speak extensively about, and that's this model of ransomware as a service, and that's like its own little business model, right? It's like this isn't just picking pockets any longer. This is actually taking pages out of legitimate business models and applying them to cybercrime. Is that correct?

Nick: Yeah, that's right. So you think of it as ransomware as a service where I'm a ransomware operator and now I want to scale the delivery of my ransomware in particular. So I can only conduct so many different operations a day with my own business, my own operators, they call themselves penetration testers, but they're essentially penetrating the companies. They're the victims of the potential attacks. So what I do then, I say, " I'm going to rent out some computing space in my ransomware." And another affiliate group, someone comes to me and say, " Hey, I've got a way to deliver the ransomware myself. Could be email hijacking, could be a social engineering ploy, and I'll give you a cut of the ransom that I get back." I might play an upfront fee on top of that for every time I get the ransom deployed, but now I'm really scaling my operations because I'm renting the computing power of my ransomware. And just like a cloud company would be renting their computing power to be able to provide that resource to other companies to be able to run their operations. So now if you're a ransomware operator, you've got all of these different techniques that you're able to use. You've offloaded some of the responsibility for getting into the victim networks to these affiliates. You're running at a ransomware as a service operation, making some money there. You might be conducting your own attacks and on top of that, we also see these bad guys, they're not just sticking to one business. They might be using those botnet in particular to steal credentials and conduct money laundering. So it all adds up into the various ways that they're able to scale their operations.

Mitch: So this is an entire economy. This isn't just an independent actor. Back a few years ago, we were still using images for advertising that had the lone guy in the hoodies working from a coffee shop. This sounds like a brick and mortar business where folks get recruited from LinkedIn and then go sign up and an orientation day and get dental benefits. Is that a little closer to what the reality is now?

Nick: It is a little closer to it, and you might not show up for work at a beautiful office that looks like a WeWork, but you might show up to someone else's house or apartment where the servers are kept to be able to do this work or log in remotely during the pandemic to do your work as one of these operators as well and they're advertising too. Now, they don't go on LinkedIn to say, " Hey, we're looking for customer service reps." They go onto the dark web and put posts out there asking for folks who have a record of developing malware or breaking into companies. So they're using a lot of those same recruitment techniques.

Mitch: I'm glad you brought that out. In the previous episode, we talked to a journalist who had done a deep dive profile on two youth. They were very young, I think 12 and 16 years old or something in that range. They had been involved in sort of accidental cybercrime, just sort of seeing what they could actually accomplish on the web and they ended up in the hands of law enforcement. But part of the background in that story was talking about how these kids at 12 and 16 years old were actually making connections through the dark web into cyber, the cybercrime industry. Do you know how these folks are cultivated into this?

Nick: We don't have many insights into what that cultivation process looks like. I think a lot of times, what we assume is happening, and based on some of the indictments that we've seen from the US government occasionally for people that they've been able to arrest or indict from the US is that they're trained in computer science or engineering somewhere in their home country and then they eventually go down a road that leads to this. And they might have been in the military, they might have been in a white hat hacker working for a private company and then shifted to that overall. But whatever the way that they get there, they're ending up on the dark side, going after accounts, going after the good guys and their data.

Mitch: Well, it did seem like from my previous interview with Chris inaudible, that's sort of what happened here with these two youth. He said there was something like the kids were actually on the dark web and he said it was a little bit like a gang initiation that in order for you to be friends with the folks on the dark web, you had to prove your worth and by hacking into some large bank. So it does sound like there's definitely a community, there's definitely connections and there's definitely a cultivation path, whether it's formal or informal.

Nick: I think that's right. And certainly we see that with the affiliate groups. Oftentimes, they're not just going up and knocking on the door with their resume and saying, " This is what we've done." They've had a relationship going back some point in time between some of the key operators in the ransomware as a service team, or they're known within the community in some way. Whether it's that recruitment like that you're talking about, or they've built a reputation, they're connecting with each other to be able to further cybercrime.

Mitch: You have a background with both the CIA and the FBI prior to joining private industry. Tell me a little bit about your career in those agencies and how that has shaped what you do today.

Nick: Yeah, Mitch. So I started out as really a classical threat intelligence analyst broadly. So looking at geopolitical issues, social economic, political problems out there, and counter- terrorism when I was in the FBI and then in the Middle East in particular when I was at the agency. So the things I got from those programs are really to understand that we got to be able to convey complex information to a variety of audiences at the executive level for them to make decisions. And that means we're not going to be able to present them all the information that we have about a piece of malware that we've ripped apart. But it's really conveying, " Hey, why is this encryption unique and different? And what does it say about the bad guys that we know and understand this?"

Mitch: Your team has also been involved in uncovering some pretty high profile crime groups. I'm thinking specifically of something that we call ITG18 and some information on Trick bot. Tell me a little bit about both of those and how it was uncovered and how we partnered with law enforcement to actually help close it down. Yeah,

Nick: Anytime that we're seeing something major or new technique within the community, we're working with law enforcement directly, and that could be the Department of Homeland Security, the FBI, depending on the type of incident that we see. Always aware though that there are equities with our clients as well, and we're providing that to law enforcement so that they're able to better understand, hey, what's net new here? What are the insights that we're seeing off of this? And does law enforcement have a plan to potentially disrupt them? We don't want any information that we release to potentially get out there and prevent law enforcement from bringing in indictment or trying to arrest someone. In the case of I G G 18, we were able to work with law enforcement to show them this is the type of activity that we saw from this particular Iranian group that was trying to steal credentials to be able to conduct phish campaigns against individuals of interest within Europe in the Middle East, particularly from Western militaries. So they would go on and try to figure out, Hey, how do I get access to your personal emails? Try to gather as much data about you, send emails out to your friends to then get access to their emails and then hopefully work their way up the chain to more senior individuals within the militaries in the region to be able to gather insights for basic espionage. Now in the case of the Trick Bott gang, we've been lucky to work with a partners and we have worked together to kind of better understand what that group is doing, and we're constantly working with law enforcement to say, Hey, what are these new techniques that we're seeing, these new affiliate campaigns that are out there potentially related to what trick bot's doing?

Mitch: So ITG18, and by the way, that sense for IBM threat group is that? That's correct. Right?

Nick: That's

Mitch: Right. All right. So with ITG 18, I understand that we actually were able to find training videos that they were using to train the gang right to go after these folks?

Nick: That's exactly right. So we were able to go back and see a particular server, and they essentially left the door open. With the doors open, you're essentially saying, " Hey, just come and take a look at our data." So in that door, when we went through, we saw that they had videos, hours long of how they conduct their spear fishing operation. So they'd use a commercial tool to be able to track all of the various personas or individuals that they've already hacked to be able to go through their emails and send emails. You don't want to have to go through 30 different tabs from Gmail to be able to access other email addresses that you're trying to manage or have stolen from. So they've used a commercial piece of software to be able to do that. And in these videos we saw them going through to get as much data about these individuals as they possibly could. So in one case, the victim used Google. So Google has a service called Google Takeout which says, " Hey, let me just extract all of the information about myself from Google." This could be login information, photos, everything down the line. Great service to help preserve your privacy and understand what Google has about you. But also really helpful for attackers if they are able to get into your email so they can understand, " Hey, what are the credentials that I'm potentially using? Or where am I shopping? Where am I getting my DoorDash from? How often does that get delivered? What phone numbers do I use? Who are my friends? How do I potentially set up a persona about an individual that looks like them on a social media site to be able to attract other attention from friends that might be beneficial for them down the line?" So all of this just takes a long time for the attackers we think, to understand and be able to set up. So they created these training videos, basically just those screenshots running time for them again and again setting all this up. And it's not just Gmail, they were using Yahoo and Hotmail as well for these various services they were running.

Mitch: So wow, that's sort of darkly impressive that it's that organized and that smartly put together all for malicious purposes. Kind of spooky stuff. I wanted to talk a little bit, since we have obviously active recruitment going on in the cybercrime industry, and we also at the same time have a legitimate cybersecurity industry that is just clamoring for talent. I mean, there's tons of stats out there on how short we are of talent, and all of them are some form of dismal. Is there something that you think business can do differently to help make the legitimate cyber career more interesting than a darker web cyber career?

Nick: Yeah, Mitch, I think there are a couple of things. One of those is that recognizing just in your HR organization that your security talent is likely to be poached quickly. And how do you adopt new performance measures, create unique ways to incentivize those team members to stay with you once you have them? The other thing I think if you're a smaller company is to try to figure out, " Hey, we may not be able to incentivize someone to stay with us for a long time in our security operations team or our security group generally. They may be able to get compensated much faster at a larger technology company, at one of the big cybersecurity vendors." So as a part of your cybersecurity strategy, recognizing the human capital side of that and saying, " Hey, that's got to factor in how we're going to obtain services from other third parties." And that's where it can be beneficial to say, " Hey, what's the calculus of going to a managed security services provider to be able to get some of your security services, whether it's incident response or running your SOC operations?" Because that MSSP, that instant response company, that threat intelligence firm is going to be better able to scale to attract talent over the long term than you as a small business or a medium size organization are going to be able to keep that talent. And also as a manager of entertainment too, and understanding what keeps a lot of folks excited in the cybersecurity industry. If you're hitting the same problems again and again and solving them, you're going to likely see those people go. And that's great for a company that has a really strong maturity level, but attackers are going to continue to evolve just like your own people are going to want to evolve their career and work on more high profile problems. But all of that adds up into saying, " Hey, how does human capital and that strategy relate to my cybersecurity strategy? Do I have the ability to attract and retain that talent, or is it more valuable for us to shift that to a managed security provider or another operations group to be able to keep that talent long term?"

Mitch: Well, speaking of keeping talent or actually even getting talent, one of the things that we were able to talk about in the prior episode was this notion that these kids, they had this sense of, quote, unquote, I don't fit in. And that was true in an academic setting, and they couldn't envision themselves sitting in an office nine to five, Monday through Friday. There was a level of creativity and individuality, I think, that's kind of missing in today's corporate world. Tell me a little bit about your thoughts on that. Is there a way for the business world to adopt a more creative approach of how you work, where you work, what you do when you're there that might help cultivate and keep talent?

Nick: I think when it comes down to cybersecurity talent, you've got to be willing to let them work where they want to work. And it's a whole change even for a company like IBM running a security operation center to say, " Hey, we're going to let some of this talent work remotely all of the time because we're not going to be able to attract and retain them." If you're in a smaller city, it might be incredibly hard for you to find cybersecurity talent who's willing to work there and come to the office. So you've got to have that flexibility of having remote work for those particular individuals, those particular teams, because it's going to undermine your recruitment. So that's one side of it. I think, too, is just recognizing as a part of it, what is going to make the cybersecurity career exciting? Those folks that are in it are going to want to try to tackle new problems all the time. So it's okay to expect that churn, but if you can, bring them those new problems as quickly as possible to keep them involved in what the security process looks like.

Mitch: So now that we're on that point, if one of our listeners were interested in becoming sort of the superhero cyber sleuth like you have on your team, what advice would you give them?

Nick: Well, Mitch, that's a great question. When I get asked this by different folks who are going to college right now, I always say there's a lot of paths to get to the major leagues. It's kind of unlike the NFL and the NFL, you've basically got one path in to become a top tier talent. You've got to go to a big college and then get drafted. Cybersecurity is almost like the NBA and so much that there's a lot of pathways to get to the NBA. It could be a US college, could be major European basketball or the NBA Developmental League. So there's a lot of ways to come up. I think it depends on really what you're interested. It's not a monolithic field. So starting to understand, " Hey, how do I research that particular area that I want to be in or the type of people or person that I want to be?" If you want to be on the defensive side, oftentimes those certs can be of most value to use. So starting with security plus and trying to work your way up to a CISSP. With more companies working on hybrid cloud or cloud based platforms, having an understanding in some of the certifications from companies like IBM, AWS, Google Cloud, and Azure, from Microsoft can really be helpful, understanding how the network architecture's done on the cloud side, how security protocols are written. And also if you're mid- career, taking a look at those same security certification programs that are out there from Google or Microsoft, to be able to switch careers midway and having an understanding of cloud deployed applications is key to be able to do that shift. I think too, some of the cybersecurity degrees that are out there at the graduate level programs can be great for people who've got degrees in other fields that are looking to shift over after a couple years in the workforce. You just have to be careful to make sure that you're getting enough technical analysis out of that. Are you learning Python? Are you learning how... some of the basics on malware analysis and how that's done, some basics around incident response, or are you really just talking about security policy and some of the legal frameworks that are out there? So that's a matter of how you judge those degrees. I think, again, there's multiple pathways to it. It also can be... We've seen other folks within our X- Force Red team certainly that just got started hacking, hacking in the best way, Mitch, I say. But some of the basics of the different virtual environments that are out there that you're able to work on and contests as well. So there's a lot of pathways to get into security. When we talk about Iran and the ITG18 group, how I've learned to communicate about that at the executive level, I think got honed at working in some of those other public sector agencies that you talked about and some of the training there. And it's not just about briefing and bringing it up to an executive with a slide deck, it's also how you write about it. Everything from how you write an email to writing a 15- page report on the content that you're trying to get out there and people to understand are all some of the unique things I learned on that side on the government sector. And I think that's also where there can be a lot of incredible value if you are interested in going into cybersecurity, but want to go on the government side as well. Those programs at the Bureau and the CIA and NSA as well, they can help teach a lot of the core things you need to know about cybersecurity, about security issues writ large. But a lot of what they're going to do is also teach you how to communicate to senior leaders about what you're seeing in the field so that you're able to better communicate about what the bad guys are doing and why the hell it's important to the executive or the CISO that you're talking to at that moment.

Mitch: I hear a subtle cry for communication expertise woven throughout there, which the technology industry probably could use as a whole. But this one in particular given both the complexity and the importance.

Nick: Yeah, absolutely. And we're trying to communicate these complex findings all the time, whether it's in text and in email or in a report to someone or a pretty looking PDF or a slide deck. You got to be able to boil it down simply so that in my case, a security seller is able to understand it and apply it. Or in the other case, what a CISO needs to do and tell their board on what investment that they need to make. So understanding how to communicate it's just important as the analysis itself. But I'm pretty biased in that regard because I've got a background in liberal arts and public administration, international relations, so I wasn't steeped in the ones and zeros and the bits and bytes, but ultimately the flowery language that we use to convey what the security problems are out there.

Mitch: Tell me what keeps you awake at night? What's the monster under Nick's bed?

Nick: When it comes to the current threat landscape, there's two big things for me. What is the evolving ransomware landscape going to look like? I think we're going to continue to see an evolution towards triple extortion. So earlier you briefly mentioned things like double extortion. So I take data from you and then I conduct a ransomware attack. In a triple extortion, what I might do is if say MitchCo is a primary supplier of the Nick Rossmann organization, I will steal data from MitchCo, conduct a ransomware attack, demand money from MitchCo, but also go to the Nick Rossmann Corporation and say, " Hey, you want MitchCo back online? You too owe me$ 35 million in Bitcoin to be able to get them operational." I think we're going to start to see that expansion of the ransomware market writ large, trying to hit key suppliers. Now that could be on the physical side where you say, " Hey, you're not going to get this shipment of a key chemical unless you pay us and allow us to be able to get your supplier back online to be able to get access to this particular additive you might need," if you're a biopharmaceutical company for instance or a big manufacturer. Or a core technology that you've got implemented within your tech stack that you're using to instrument how your network works. So that's one thing that really keeps me up. The other is just the persistent information that we have out there about espionage attacks against critical infrastructure, everything ranging from power to dams, things like that. That keeps me up at night and how an adversary might be able to potentially use those insecure networks to be able to conduct a cyber operation against the United States or against Western governments in an attempt at leverage or in combination potentially with some kind of kinetic operation that they're conducting around the world. And the difficulty there, Mitch, is that a lot of the ways that we make our dams run, they are old software and they're not going to be retrofit for the future for cybersecurity proofing. So it's going to be very hard to detect attacks against them to understand what the adversary's doing. And also, particularly in the US, we've got lots and lots of different companies of various sizes that are involved in protecting and running that infrastructure as well. So it's just an incredibly difficult attack surface from the political side as you think about, " Well, how do we understand what the hell's going on when we've got so many operators out there of various sizes?" So those are the two things that keep me up, the evolving ransomware landscape and potential disruptive or destructive attacks against critical infrastructure.

Mitch: I can see why they would keep you awake and now they will be keeping me awake.

Nick: I mean, just think about some of the other things with how it could converge with things like climate change. Imagine if you're in New York City in the middle of the summer and the power goes out, or there's not enough power to be able to run air conditioners. It's going to get pretty unbearable there pretty fast. So you're going to be clearing out all kinds of operations, whether you're a bank or a small business, potentially just grinding life to a halt in a particular city, let alone all the terrible things that could be happening if you're a hospital and you can't run a ventilator.

Mitch: Wow, Nick, thank you. That's great food for thought. Like I said, little preview to upcoming episodes, so stay tuned. Any final words that we should know about?

Nick: This field is so big and enjoyable. Look for the mentors out there, the types of people that you want to be or work for, and take a look at how they got there. There's a lot of paths to get into cybersecurity. What I found also in this field that people are willing to talk if you reach out to them.

Mitch: Thank you very much, Nick.

Nick: Thanks, Mitch. Thanks for having me.

Mitch: A special thanks to our guest, Nick Rossmann for his time and insight for today's episode. If you want to hear more stories like this, make sure to subscribe to Into the Breach on Apple Podcasts, Google Podcasts, and Spotify. You've been listening to Into the Breach, an IBM production. This episode was produced by Zach Ortega and Clara Shannon. Our music was composed by Jordain Wallace with audio production by Kieron Banerji. Thanks for venturing Into the Breach.