State of Cybercrime

Don't Breach Where You Eat

Episode Summary

Join Matt Radolec and David Gibson as they walk you through the multi-stage LastPass attack, revisiting the discussion of the initial intrusion and outlining how that stolen data was weaponized months later to breach the company’s vault. Matt and David will also spotlight recent vulnerabilities that you should keep an eye on and discuss the meteoric rise of wiperware.

Episode Notes

Still reeling from last year’s data breach, password manager LastPass recently shared that the same attacker who targeted the organization in August has struck again, this time using stolen data to hack an employee’s home computer.

Join Matt Radolec and David Gibson as they walk you through the multi-stage attack, revisiting the discussion of the initial intrusion and outlining how that stolen data was weaponized months later to breach the company’s vault.

Matt and David will also spotlight recent vulnerabilities that you should keep an eye on and discuss the meteoric rise of wiperware.

We cover:


Links mentioned in the show:

HardBit 2.0 Ransomware

LockBit ransomware, what you need to know

VMware ESXi in the Line of Ransomware Fire


Visit our website and sign up for emails to be notified of new live episodes.

Watch the podcast on our Youtube channel.

Episode Transcription

Matt Radolec: Hello everybody. Really excited to connect with you guys today. 

My name's Matt Radolec, your host of State of Cybercrime, joined by co-host David Gibson. We are gonna go through our usual segments today. We're gonna cover some good news cuz there is actually a lot of good news in cyber, some of which dropped this morning.

We're gonna jump on the highway to the danger zone. Talk a little bit about some of the things that should be top of mind for all security practitioners as it relates specifically to a breach that might have bled over from [00:01:00] home. Work from home might have turned into breach from home. 

We'll talk about a couple of vulnerable vulnerabilities, things that should be important for everyone and that they're tracking.

And then as always, we want to engage with you, our audience. So we'll be picking out some questions and comments in the chat along the way, and even taking an opportunity to pause. But definitely at the end save some time to interact with David and myself. 

Now, for those of you that are joining us for the very first time, in cybersecurity, everybody often has a doom and gloom outlook. 

And we really like to make sure that we cover the fact that the good guys are doing good stuff and have an opportunity to do more every time that we air the show.

And who doesn't love a good strategy? I don't know if anyone, and this is hot off the press this morning, the administration, the United States, presidential administration, when I say, the administration talking about here in the States, the office of the president put out, this fact sheet regarding the new strategy from the Biden Harris administration around National Cybersecurity.

Now, there was some highlights in there, David, I have a couple that I wanted to share, but [00:02:00] I'll toss it at you first. Was there anything in there that really stuck out with you as far as positive notes from the strategy? 

David Gibson: I think, it's interesting calling out trying to make sure that the burden of cybersecurity doesn't fall just to individuals, right? Or the small companies trying to allocate the right resources to address this really big problem. So it calls out some stuff that probably high time to deal with it, about disrupting and dismantling the threat actors. We've got some stories about that.

But there have been a few stories that we will cover that really do affect end users, with Apple and LastPass and things like that. 

Matt Radolec: I want to call out something that you just said. You said that the administration wants to make it not so focused on the victims, but try to move the security upstream from there.

So things like manufacturers having secure development in the applications that they release. Things like, as you stated, us going after attackers, which maybe we're gonna cover in just a second. 

It talks about, data security [00:03:00] and privacy as needing to be more paramount as needing to be a higher priority. Making that companies that store individuals information, more strict requirements around keeping it safe and keeping it private. 

Another thing that really stood out to me was calling out ransomware, like explicitly saying that we are going to invest more in taking down and stopping the proliferation of ransomware, which is a little bit of counter to what we're gonna tell our audience today, don't you think. 

We're gonna say ransomware this year is a little more prevalent than it has been in years past, and the actors are more successful. So this strategy couldn't come at a better time. 

David Gibson: One thing just to add it starts out with critical infrastructure, and obviously that's really with all the disruption going on, and we'll talk about the thing with the FAA in a little bit, but defending the critical infrastructure, I'm glad it starts there because, we all need that, to keep going about our day. But going beyond that to things like privacy and ransomware, I think that, I think that is good [00:04:00] news. 

Matt Radolec: I think so often as security practitioners, we can get laser focused on today, right? These are the incoming attacks to my network. These are phishing messages people are trying to get me with. These are the exploits they're trying to toss across my networks. These are the gateways they're trying to brute force. 

And the difference between that and zooming out and then going, okay, I gotta shift some resources though towards how do I build a more secure tomorrow, while still dealing with day-to-day operations. And one of the things that the strategy calls out is the need for a shift for that. That we do need to shift some resources towards building a more secure future and not only thwarting the threats that we have today.

David Gibson: Beyond quantum encryption too. 

Matt Radolec: Yeah. I think the exact words were post quantum encryption. That was a new term for me. 

David Gibson: Yeah, it's a post quantum encryption world. 

Matt Radolec: I guess that would be 2023 PQE instead of AD. It would be post quantum encryption. Is that how we would write dates now?

David Gibson: I think we oughta look into that. Maybe there'll be a new strategy around that. 

Matt Radolec: Sure. Now let's give the [00:05:00] Fed some credit. Justice Department put a lot towards disrupting the Hive ransomware network and they were successful.

So much so as having prevented over a hundred million dollars in ransomware payments having to have been made because they really got in. They got integrated into the ring, and they were able to seize control of the ransomware as a service software operation to be able to not have victims have to make payments.

This is huge. This is an offensive, right? We mounted an offensive against a cyber attack group and were successful in preventing the impact or the payments that people had to make.

I think another interesting angle on this though is really the global reach that this has while this was US, FBI, US Justice Department, the places that these ransomware actors carry out, these attacks have a global impact. So it wasn't even just US citizens, it benefited from, the Department of Justice's efforts. 

David Gibson: Yeah. And it's a little bit of whack-a-mole, because these groups do pop up again. But I'm glad [00:06:00]that the government is actually whacking the mole instead of, just leaving them. 

Matt Radolec: Cause if they just let 'em go, it wouldn't be whack-a-mole anymore. At least we're disappearing some, even though others popped back up. 

Now, David, in our last State of Cybercrime, that morning it was breaking that the contractors had deleted files, that the FAA was having an outage. And there was question of whether or not it was a cyber attack.

David Gibson: Yeah, I just wanted to follow up on this. So speaking of critical infrastructure, I think when we were talking about it, no planes were taking off. Luckily they could land, but the notice to airmen or notice to air mission, that was offline so no planes could take off. 

I guess the good news is that investigators so far found no evidence of malicious intent or a cyber attack. The IT staff had apparently noticed a synchronization issue between two databases and was trying to fix it, and that's what caused the outage. And it does remind me of the old adage in IT: the most dangerous thing you can do is try to fix something.

Matt Radolec: So I'd like to ask our audience too, cause I'm curious about this one. If an [00:07:00] outage happens, like an incident of unavailability, an outage happens, what do you call this? Was this an insider risk or an insider threat? Was this a mistake? What would your company call systems going down and there being impact because an IT admin hit the wrong button? I'd be curious to see what you guys say in the chat while we talk about our next topic.

David Gibson: Yeah. And if we get some good answers, maybe we'll put 'em in a poll for the next one.

Matt Radolec: Let's talk about some of the things that should be top of mind for everyone in our segment of danger zone. And we like to talk about attacks, attackers, threat vectors, things that might be novel in the way that they were executed, that everybody seems to be buzzing about. 

Everybody is talking about this LastPass breach. We had the first incident, and we mentioned that on a show last fall, where attackers were able to get in, and LastPass had shared though that the key files were safe. The attackers didn't get to the key file backups, the cloud [00:08:00] backups of the key files. But as it turns out, it seems that there has actually been a second incident. The attackers showed their level of persistence in attempting to get privilege escalation and may have now been successful in actually getting those key files, still protected but unencrypted, out of the cloud backups from LastPass.

And I think this shows like a couple of things here, David. We've got a fact that a threat actor got in once, but you were always talking about time and motivation. How did that play here? 

David Gibson: It seems like it's been a, it's a lot of time that this breach was going on. Remember back last summer, I think it was, don't worry, the files are all encrypted and in order to get those files unencrypted, you would need to get not only these, encryption keys that are stored at someplace that's really hard to get to, but you'd also need somebody's password right, as well. And oops, again, it seemed like mission impossible, but it was only mission difficult. 

Matt Radolec: It's like a vault-ception as [00:09:00] well, right? If this happened to a company that didn't do password vaults, it would be not so many layers, but there's a lot of layers here, right?

An end user has a password vault that there is like a key file that they have a password for that then gets stored in the cloud, that's encrypted that LastPass has a password for. And then the person's account that would go into the password vault to retrieve the key, to decrypt the encrypted key files in the vault has, it's like a vault. We were gonna try and make a diagram. 

David Gibson: Yeah. 

Matt Radolec: We couldn't figure out how to show you the layers to the onion here. But the idea is. Sorry. Go ahead David. 

David Gibson: I know, I think one of the big things here is just so many people use LastPass and a lot of home users use LastPass to store a lot of secrets and credentials and things like that. 

And it turns out that one of the four DevOps engineers, there was a vulnerability in some media software, and the attackers installed a key logger to get their password to this [00:10:00] corporate LastPass vault that holds the decryption keys for all of the other LastPass stuff that was stolen in the previous breach. Did I get that right? 

Matt Radolec: Yeah. And I think the thing we want to call out is, and for our longtime audience members who have been watching the show, even before we called it State of Cybercrime in 2020, 2021, we talked about how when everyone shifted to work from home, we were seeing lateral movement from home networks like apartment wifis and condos to corporate networks.

This is an example of a very targeted attempt to use that home network to gain additional information and take advantage of the fact that people are working from home. 

And I really wanna challenge our audience here. What is your organization, if anything, do for people like your employees and their home computers that they might use to access corporate resources?

Do you have any security controls at all that you either recommend, encourage, or enforce [00:11:00] on these kind of home networks and home computers? Be really curious to see what, if anyone is doing anything in this regard, because I don't think you can point a finger at someone about a home computer leading to a corporate breach.

I saw someone in the audience say, wasn't there MFA? The important thing to note here is that the attacker has command line access to your computer and they have a key logger on it. They're intercepting the second thing that you put in post MFA. So you have authenticated, they're now grabbing this key to this vault that's after that. 

Now they're also on a computer that has MFA, so they've gotten this successful token, this, whether it's a kerberos ticket or a cookie. 

They are an authorized user from that box, which means they don't have to MFA again if the legitimate employee MFA the first time where they intercepted this key.

Anything good come in so far about what they're asking from home users? 

David Gibson: A lot of really great stuff. Combinations of, multifactor of [00:12:00] course. And then VDI, VPN, personal devices aren't allowed into the home network. 

One comment though, I gotta bring up from Ian. I wonder how many of the tabletop exercises included the scenario that actually occurred. 

It does seem like the bar is getting a little higher and I think that collectively is a good thing, that we're introducing enough speed bumps here and there, that the job is harder. 

Matt Radolec: And just to go back to what we opened with, that's actually the goal of this new strategy from the administration. We, the operators of technology, our systems become more resilient to attack and attacks are less likely. 

And in a way, this is evidence of that, that the attackers truly had to become very dedicated to find out number one, who these DevOps engineers were and pinpoint and actually get malware onto a home computer and then actually operate successfully that malware has a pathway back into the corporate environment. So there was a pretty high level of persistence observed here. 

David Gibson: Yeah. And the time and motivation was definitely apparent, [00:13:00] and it's to get to the data, right? That's when I feel like that's the thing you can't unbreak right now. All of those password vaults and key files right, are now, I really have to consider them compromised, right? The combination of all this stuff is just out. Am I getting anything wrong there?

Matt Radolec: Some people might argue that because the end user's password is that last step, they do still need the individual's password. But the challenge back to that is how many times have we sat here and talked about how successful brute-force attacks are?

There is no multifactor on that key file. So the attackers got 'em, they have an unlimited amount of time to try to brute force those. The question, and this is what LastPass says, how strong was that password? 

If it's not that strong, you should probably change everything that it protected. If it was super strong, their opinion is maybe not. And you can read about that on their blog. 

Now, they had a bunch of hardening steps and you had called this out. It's just like general good security practice. And you, did you wanna share some of these? Go ahead, David. 

David Gibson: I think anytime you [00:14:00] have a breach, you have to treat it as a learning incident, right? Okay, how can we get better? And I thought it was good on the, LastPass site. It's hey, here's some hardening steps that we are taking in S3. And these are things that everybody that's using S3 or AWS can look for, and potentially say, okay, should we do any of this stuff too, right? So we can all get better with the tribal knowledge. 

Matt Radolec: I think just one thing I wanna personally call out, and for those of you, again, maybe it's your first time, my role in Varonis, I run our Incident Response Team. So we help our clients when they have data breaches or suspected data breach events, investigate detect, respond, contain, and recover and remediate those types of threats.

I want to call out this: we rotated production keys point. 

As one of the things I'm often advising clients on is don't let an incident be the first time you figure out how hard it is to do that. Know how to rotate your keys so that if something like this does happen, you can very quickly regain control without having to have there be great disruption.

The worst time to find out how hard it is to [00:15:00] rotate keys is when the sense of urgency is paramount. 

David Gibson: Yeah, that's also when you're most under stress and you're most likely to make a mistake and break stuff.

LastPass touches a lot of end users' iPhones, probably more. And when you're asking yourself questions about, you don't want it to be the first time, like when a breach has happened. This was sort of a scary technique where somebody shoulder surfs your iPhone pin code, right? Whether it's four or six digits or whatever it is to get in, steals your phone. I guess just ask yourself: alright, what could they get to then? Is your bank account there? Cuz that's one of the first places they were going, but think about, okay, email, just lock out your phone, lock out your iCloud account. That was scary.

Matt Radolec: I think the other thing to think about here is this passcode that kind of unlocks this treasure box of data, you could also protect with your face.

But that might also open you up to more risks, right? Like, how easy would it be then if someone really wanted to get in to just hold your stolen [00:16:00] phone right up against your face and open up your phone?

It goes to this like whole security and usability triad. Something that's ultimately secure isn't usable or very effective, and we have to find that sweet spot in the middle of where we get good enough security without sacrificing too much, usability.

I think we've talked enough about kind of the big picture, these breaches that happened, or even the stuff that's going on with phones. There are a couple of, what do we call them? Up and coming, or even very prolific ransomware operators, malware operators, this MyloBot with the BHP proxy.

What exactly is that, David? 

David Gibson: Yeah, so apparently there's a linkage between these, but first, what are they? 

Matt Radolec: Yeah, I want to talk about that. Go ahead. 

David Gibson: MyloBot is a botnet, I think it's been around since 2014 or 15 or so. It uses a dropper called WillExec. It also has a lot of noisy DNS traffic. Looks like they use a DGA. But this is standard issue botnet, but really big. 

And then BH proxy is a service actually. So I think it stands for Black Hat. [00:17:00] And you can see it from like the, black hat world, right? Which I think I'm surprised is, not named evil villain supply site or something, but that leases residential IP addresses that you can then use to proxy your traffic, right? So you can disguise your traffic as one of these residential IP addresses and looks like there might be double dipping. 

Matt Radolec: Yeah, there's a huge movement across the planet right now to like recycle, to reuse, to not waste. And here we have that in the criminal sense. MyloBot, very successful botnet, malware operator, it takes the victims, the actual members of the botnet and leases like a proxy. Proxy your traffic through my botnet victim as a separate service. 

You gotta give them some credit. There's some ingenuity here. There's some savviness here. 

Granted, a lot of these bots do actually get flagged as being a part of the botnet and the traffic ultimately ends up getting sinkholed, so the service might not [00:18:00] be reliable, but launching a separate service from the effectiveness of your first one, rather interesting.

The thing I also wanna point out when we think about MyloBot, like why is it working? Why are botnets still a thing in 2023? MyloBot does all the stuff: they look for and disable local based security settings. They know how to run in memory and not on disk, for antiviruses that are more intensive on files that get written to disk and only perform limited inspection of execution at runtime in memory.

So here you've got a botnet actor that is a little savvy on security technologies that's got millions of victims and is realizing they can operate a secondary network inside of that. 

What a great target for some more takedowns or to bring down another ring.

Varonis published pretty recently some blog posts around both HardBit as well as another ransomware group we're gonna talk about in a second. One thing we wanted to call out about HardBit is just how [00:19:00] blatantly they are willing to work with your insurance negotiator. And that even if you've got a 10 million cyber insurance policy, please anonymously message us and tell us it's 10 million so we can ask for 10 million instead of 10 million and one dollars. But I think it goes without saying, also instead of 9 million.

At a loss for words here, David, but just coming out and saying it, tell us what your policy is so we can ask for exactly that amount. It's pretty brazen from an attacker standpoint.

David Gibson: Yeah, it's, cutting to the chase, throw your insurance company under the bus. And so it's an interesting technique there.

Matt Radolec: If you guys haven't watched any of the content that comes out of like the Marsh Insurance Agency, they make a lot of great web content around the ever-changing, cyber insurance market. MMA is the name of the organization, and they talk about how some providers are actually dropping coverage for certain types of events like nation state events or ransomware events. And that's gonna reshape how these negotiations take place as well if the insurance provider isn't [00:20:00] even gonna pay up.

Now, quite possibly the biggest and most successful ransomware operation at current is LockBit.

David Gibson: Yeah, this is a ransomware as a service, most active ransomware group. By the way shout out to Tripwire for a really nice blog post on this. But, really interesting stuff that they've been doing. They actually, I think they're the first ever bug bounty program initiated by a ransomware group. 

Matt Radolec: They're looking for people to find vulnerabilities in their ransomware so they can make it more secure and less tamperable. 

David Gibson: That's right. So responsible security researchers can help make their ransomware better.

Matt Radolec: So like supply chain security on the criminal enterprise side to shout out one of our audience members. I like your use of that term, Chris. On the criminal enterprise side, following some of the same practices that a good enterprise would do, which is like secure development and bug bounty programs.

The other thing I thought was really interesting, and this is not so much like what a legitimate [00:21:00] corporation might do, is they're looking for information and you could collect this, a million dollars, not a penny more, not a penny, using their words. If you can dox the identity of LockBitSupp. 

LockBitSupp is like an attacker pseudonym. And if you guys remember when we talked a lot about like the BlackMatter ransomware gang, during our web show, we actually showed screenshots of their console. We also showed leaked chats between members of that community and talked about how there was a little bit of disagreement within the ransomware group about who they should target based on political alignment. 

There is conflict happening in a lot of the regions where this type of event is occurring, in Eastern Europe and in Russia. And that's driving conflict even between members of these cybercrime organizations. So today, LockBit is offering a million dollars for anyone who can dox or identify the legitimate and real identity of [00:22:00] LockBitSupp.

So I'll ask you guys who is LockBitSupp, and where are they? As one thing that was pointed out, this was an analysis done, this user on Twitter, just sharing their thoughts on it. The language used by LockBitSupp, clearly very fluent in English as well as Russian.

That's the only clue that's been shared on trying to dox the identity of LockBitSupp. 

David Gibson: And we're not saying you should go try to find 

Matt Radolec: Yeah, definitely don't encourage you, trying to collect the payment from them on that or getting involved in that ring. Definitely more of a criminal enterprise. Probably don't want to do that. Strongly recommend not doing that, but interesting to see that, that it's that important to them, that in addition to offering a bug bounty on finding vulnerabilities in their code, they're offering a bounty on figuring out who a person is. 

David Gibson: Yeah. And apparently there's a ransomware attack going on in a television network that, more details I guess we're waiting for and we can talk about it at some point.

Matt Radolec: Yeah. I wonder if anyone, any of our audience members haven't been able to tune in, recently due to [00:23:00] outages as it's associated with ransomware.

Now, we wanna jump into our next segment: Vulnerable Vulnerabilities, as we want to talk about a vulnerability in VMware ESXi. I think it's almost a year old at this point, David? I think it was maybe January of last year. February of last year.

David Gibson: Yeah. It's been around for a little while. We recently wrote about this vulnerability too in the ESXi servers.

Matt Radolec: We have a blog post around this. What it gets into is how our analysis of this ESXi vulnerability led us to finding the Nevada Ransomware group, who is leveraging this vulnerability and I think has over 5,000 victims so far. Now, one of the real interesting nuances of this is traditionally when we think about a ransomware attack, it's always the file servers, the NAS arrays that are the target, right?

I want to go and encrypt large volumes of data, largely unstructured data to be transparent. The difference here is they're going after the VM hosts. So I want to go and encrypt all of your servers, virtual [00:24:00] machines, which can be really impactful, I think. 

Even if the data that machine was using on a disk array didn't get encrypted, the actual host itself did, and not many organizations are prepared for both types of ransomware attacks.

I'm not gonna launch a poll, but just curious from our audience, when you guys do like your attack simulations or your breach simulations, do you account for both? Do you test for ransomware at all? And if you do, do you cover ransomware of VMs as opposed to just ransomware of data? 

David Gibson: And Matt, you and I talked about, the ESX hosts in and maybe segmentation there, jump boxes, right? Like treating them like you would treat a domain controller.

Matt Radolec: Especially if you have to operate it with a vulnerability, right? Like everyone always assumes you have to patch everything. Some organizations just can't, there's dependencies in an application, they can't push a patch out.

So if you are in that scenario, you can't patch this ESXi host, what compensating controls can you put in place to mitigate an attacker taking advantage of it? Because again, it always comes back to time and motivation. If they get on your network, [00:25:00] they're gonna eventually find that you're running it. If you're running that vulnerable code and they're motivated enough to use that exploit against you, that's the pathway. That's the vector for that attacker to cause and wreak havoc.

Now there's another zero day that dropped and I think there's already a patch for it. And that's related to, is it iPhones, some WebKit? David, can you tell us more about that?

David Gibson: Yeah, if I'm not confused, it's a type confusion vulnerability in WebKit that affects iOS, iPadOS, macOS and Safari, and so this has been patched. It looked like, when it was rolled out, that there was some evidence that it had been exploited, but there wasn't a lot of detail about exactly how it was used. This came out around Valentine's Day, but important to patch against this one.

Matt Radolec: Update your Apple devices. 

I think, now is about the time that we're gonna launch our poll. We always like to look and seek, for feedback from the audience. We try to host these shows as often as possible. We want to make sure that they hit the target for you guys. 

While you guys take a chance and go through and take a look at that poll, we're gonna go through, come through the [00:26:00] chat, see if any interesting questions have come in that so far throughout the show, if you haven't had a chance to ask your question yet, now would be a great time.

David Gibson: Great activity in the chat when we talked, especially about how people were securing against home user vulnerabilities and things like that. Really appreciate everybody. 

Matt Radolec: I did also see one question come in during then David, and I'll have you, I'll have you try this one first. What could you do about that? So you got a home user? It's a personal computer. It's not corporate owned, so you're not gonna put corporate licensed software on it. 

What can you do or tell your employees to try to avoid a breach from home? 

David Gibson: It resonated with me when somebody says, we don't allow home users to connect our home machines or unauthorized machines to connect, onto sensitive resources.

I know that's not always practical. But I do think that there is a high chance of having an unpatched system, having another person that you don't expect. I don't know how often people rotate their wifi keys right at home. It does seem like it's a high burden [00:27:00] to ask a consumer to really protect their home network. 

Matt Radolec: It's expensive. It takes time, it takes skills. I don't know that it's even reasonable to do that, right? 

David Gibson: Yeah. 

Matt Radolec: Think of all the energy that goes into a corporate security department to try to replicate that at a small scale is definitely somewhere, and again, I give the administration credit.

This is a part of their strategy. They want to transfer the burden of security upstream to providers and people and infrastructure as opposed to individuals. 

I do think there is some practical advice though. It's security awareness. Tell your employees that the things that you're teaching them at work matter to their home computers. Help them understand that the decisions and the links that they click on, the software that they download, it could spill over. 

The second thing though, is a DevOps engineer, highly privileged, high power person, maybe should only access from a corporate computer with all the security controls. I think this is more of a risk-based approach cuz it [00:28:00] is all employees reasonable for that, it could be very expensive, but maybe these highly privileged actions do need to happen from corporate owned, managed, and secured devices. 

David Gibson: If you get a little looser funneling into some kind of a jump box. Did you just log into your jump box? It's like multifactor authentication there with good detective controls. There's always gonna be a way in, even in the tightest networks, on these loose networks where many problems exist between the chair and the keyboard. You just have to expect it and add in layers of mitigation. 

Matt Radolec: And I wanna call out two things from the chat on this too. One from Eric. Eric talks about how one risk is that the home network's got other people on it, even potentially teenagers who are exploring their cybersecurity prowess, right? That could pose a risk to your corporate network.

Another one that I like that came in from Andy in the UK, the Cybersecurity Essentials Plus certification prohibits home user kit from connecting to corporate networks. Only corporate controlled and issued [00:29:00] devices may have that in order to have that certification.

I'm gonna have to look up that governing body who created that, but it sounds like they, they actually thought about this attack vector and put some reasonable controls in place.

David Gibson: Yeah. That makes a lot of sense. 

Matt Radolec: What should we be looking for from our cloud password management providers to prevent a LastPass type incident from happening again?

David Gibson: It's definitely high value targets, right? I guess the first thing I would say is it shouldn't be a single point of failure, right? That password vault. And I'm afraid it is for a lot of folks. That's something that I worry about is, if somebody gets into your vault, right? How much damage are they able to do? So there are some strategies to not have it be so simplistic, like adding a pass phrase to the stored, obscure password, things like that as well. I don't know what your thoughts are there, Matt. 

Matt Radolec: I'll even try to maybe make this a little bit more practical too.

A lot of organizations that I work with around detection and response have a one size [00:30:00] fits all approach to detection and response and Varonis's methodology is different from that and I'm always trying to consult them away from that. There are accounts that need more monitoring than other accounts, service accounts, admin accounts. They contain very high levels of access. The impact or the blast radius of that account being breached is significantly greater. 

And for an admin, there's only so much you can do to limit what they can do without taking away their ability to be an admin. The same thing for a developer.

You can't take away all the powers a developer has, or they can't be a developer anymore, and these are the types of accounts you have to apply more scrutiny. You have to monitor them more closely. 

And I think that's what it boils down to is though, yes, as security practitioners, we have to monitor everything, all things, and we have to provide monitoring. It's where you spend those discretionary resources. 

I always encourage organizations to do targeted monitoring of higher privileged accounts, service accounts, admin accounts, executives, developers. These are the people that, the impact of them being breached, that blast radius is significantly higher just by the [00:31:00] nature of their role, let alone what they can actually do or what they can actually access.

David Gibson: And especially putting that lens with the stuff that you really need to protect, right? Secrets, passwords, you know, things like that. And just sensitive data, that kind of prioritization. 

If we have to monitor every end user's home device and every user's account, the attack surface is just, it's almost immeasurable right now.

Matt Radolec: Yeah. And as I think about this, and we got asked this on our last call, just should we stop using cloud-based password managers? 

I don't know if that's the answer personally because there's a lot of security and convenience provided by it. And heck, if you had a strong password on your personal key file, none of this actually mattered to you.

LastPass had a good design. Your passwords are not at risk unless you have the easily guessed password to your key file and you use the cloud backup. 

That means that LastPass was designed well. So that if an attacker did get a decrypted copy of your LastPass key file backup, [00:32:00] they still couldn't get to your passwords.

Do we really want to tell people not to do that anymore because of the amount of convenience that it offers? The average person, I don't know. I couldn't sit here and say that. I'd say take a risk-based approach if you have your, let's use an example. If your passwords to your cloud environment that runs your customer facing production environment are sitting in a LastPass key file on your personal computer with a weak password.

Are you using the right amount of risk to protect that? Are you applying the right amount of controls to that highly valuable token? Now, the password to my Gmail being in a Google passwords or in a LastPass, I'm not telling my relatives to change. I can't say what I would tell all you guys to do. This always comes up in our family group chat. 

Have a strong password and it doesn't matter. If you have a strong password, it makes it a lot harder if an attacker somewhere else is trying to get to it. It does come back to that until we find a better approach than passwords.

David Gibson: We got a question in from Corey: what are your thoughts on disabling network IDs for employees that have left the company, and not [00:33:00] stripping their access of their AD account? 

We see a lot of offboarding troubles, especially there are more cloud environments out there and everyone has a user repository and it's what do we have to disable when this user leaves? And sometimes people have multiple accounts. 

But, I guess do you disable or delete, get the orphan SID there, right? What are some thoughts you might have there?

Matt Radolec: I'm gonna say try to avoid off-boarding gaps. I know that obviously you have the risk of the person coming back, but a permission is a permission even though the account might be disabled, if the permission entry still exists, the only thing stopping an attacker from leveraging it is turning the account back on. 

And so the best thing that you can do is to get rid of the entitlements. Get rid of the account, get rid of the entitlements. You have eliminated the risk of that being used against you. And where we see this a lot, where people fail is with cloud and collaboration.

Perfect example: let's say you have a Google Drive or a 365, you have a OneDrive. I make a team site. I call it the State of Cybercrime team site, right? I invite you to it, [00:34:00] David. You invite me to it. I share it to my personal Gmail. Even though if you or I left, we would lose our access from our Varonis account to that State of Cybercrime team site, my Gmail's still there.

You gotta make sure that you are purging the collaboration holes that your employees opened up with their legitimate access. That's an offboarding gap that people miss. 

I think probably more effective practically than potentially trying to get into some nuanced configurations of an account. Just in terms of what to do first.

David Gibson: It's just easy for people to get confused and forget what account they're authenticated with and open up, right? 

Matt Radolec: Yeah. Just open up a browser and start using the other one. 

David Gibson: Yeah. 

Matt Radolec: Now, I think we've gotten a ton of awesome questions.

So we always like to conclude with this, thank you guys. It's you, our audience that makes a show possible. We love it. We love getting to connect with you, talk to you about some of the latest things in cyber, give you some tips and tricks and, some things that should be top of mind for you. We had a lot of good news today, so I hope we have more good news to [00:35:00] share in our next episode. Thank you guys.