
EP 13 - Cyber Fundamentals: Where Things Fall Apart

Oct 11, 2022 · 32 min · Ep. 13

Episode description

Even when looking at layered enterprise solutions designed to thwart attacks and contain them, we must always go back to cybersecurity basics at the individual level. And that’s what, on today's episode, guest Bryan Murphy, CyberArk’s Senior Director of Architecture Services and Incident Response stops by to talk with host David Puner about. Murphy also dives into the importance of cyber hygiene as an essential preventive measure for protecting identities, as part of a defense-in-depth strategy. It’s a perfect fit for October, which happens to be Cybersecurity Awareness Month (CSAM). Raise your awareness and give it a listen!   

Transcript

[00:00:00.120] - David Puner You're listening to the Trust Issues podcast. I'm David Puner, a senior editorial manager at CyberArk, the global leader in identity security.

[00:00:18.210] - David Puner Believe it or not, humans are trusting by nature. Google it. If you don't believe me, you can trust at least some of those results, which is at least in large part to blame for our reflex to, among other practices, click on that link or scan that QR code. To be socially engineered, to be phished. And that's why even when looking at layered enterprise security solutions designed to thwart attacks and contain them, we must always go back to cybersecurity basics at the individual level. Cyber hygiene as an inherent part of identity security as a part of a defense-in-depth strategy.

[00:01:00.500] - David Puner At their core, the basics are about practicing distrust. Practice scrutiny. Think before you put yourself or your organization on the brink of cyber peril. Despite attacker innovation and evolving threats, cyber attackers often play from an album of well-worn greatest hits. Sometimes they're incorporated into a new medley, and sometimes they inspire new material, but the refrain is the same. And if we're individually familiar with the first notes of those hits, we can collectively stop them before they play through, because these are hits nobody from the trusting realm should have to endure.

[00:01:38.480] - David Puner On today's episode, I talk with Bryan Murphy, who's the director of architecture services at CyberArk and the leader of our remediation services team, and he'll talk about what that means and what he does. Bryan's always fun to check in with and we do so regularly for the CyberArk blog, because he can talk about enterprise-level cybersecurity initiatives and solutions at a level that's simple to consume.
[00:02:02.750] - David Puner The complex cyber topics are inherently tied to basics, and in our conversation, the first of our October episodes (October happens to be Cybersecurity Awareness Month), he makes the connection. If Bryan was a musician performing live, he'd continuously find ways to keep his greatest hits fresh through evolution. Stay on to hear why.

[00:02:39.070] - David Puner You're the director of architecture services here at CyberArk and leader of our remediation services team. Remediation and response teams, like the one you lead at CyberArk, are one of the first few calls companies make after a breach. How does that work? What's that call look like? What happens in your world?

[00:03:00.310] - Bryan Murphy First off, let me say thanks for having me. The call can go two ways. Number one is they could call us before they've called a forensics firm. I want to be a little transparent here that we do not want to do the forensics on these as the IR lead. We want to be, like you introed it, with the first few calls. What happens is that we can help them start to contain, start to understand what credentials were used. But normally we like to work with the forensics teams, because what you find is the forensics teams are good at what they're good at. They're good at discovering where they were, what accounts are used, closing the doors the attackers were using to get in, but they're not fully versed in identity.

[00:03:48.050] - Bryan Murphy Those recommendations and solutions they have, they want to lean on the experts in the industry. What we do is we bring that experience, that blueprint, the framework we have, so that as they recover from these breaches and incidents they have, the remediation team we offer to our customers fast tracks anything the full IR team is doing. It allows them to shift their resources to other places because they already have a plan on how they're going to control their identities going forward.
[00:04:20.200] - David Puner So are you about helping to come up with the plan for the plan, or are you about being like the Harvey Keitel character in Pulp Fiction where you're cleaning up the mess, or is it a little bit of both or a little bit of neither?

[00:04:33.400] - Bryan Murphy I would say it's a little bit of both because it depends on the attack. Of course, not every attack is the same, but I like to say these attacks are very consistent, they have a lot of similarities to them. So as we start to draw from all of our experience, the framework becomes a little more consistent in what we can recommend. So now at a high level, if you're facing an incident and you call CyberArk for help, we already have a high-level template to say this is what we're going to do, and then we can provide that to the forensics company, we can provide that to the customer to get a baseline, and then we tweak the baseline based on the actual events that happen. So instead of going in and having to build from scratch, we're building from that template or framework and we're just making tweaks to it so that we can control identities quickly and it doesn't become a discussion point, it doesn't become this big conversation before any identities can be managed within your organization.

[00:05:31.220] - David Puner You say "we". How big is your team and how often are you actually the one receiving that call?

[00:05:37.580] - Bryan Murphy Our team right now is very small. It's under five, but we have others within my architectural team that have experience in this field and have been doing this for years as well, they're just not fully dedicated. From the rotation standpoint, the on-call, 24 by 7 support, you can call CyberArk just through our standard 24 by 7 number for support. They have a procedure for engaging us, nothing special that a customer has to do or a prospect on their side. We do run the globe, we do run 24 by 7. One point I wanted to make on the "we".
For us, the "we" is the forensics team, customer or client, and CyberArk. So when I say we make a decision, we're not trying to come into these incidents and replace anyone's opinion or anyone's decision-making powers on how to do things. We really want to be there to provide the best guidance possible.

[00:06:31.810] - David Puner What would the first question you would ask be when you pick up that call?

[00:06:36.730] - Bryan Murphy I would ask, where are we at now, and I would start specifically with asking, was this a domain-based attack? Did they take over Active Directory? Because right away there's a few very prescriptive things we would do if it's related to Active Directory. If it's not related to Active Directory, we may start at a different phase than we would have for our standard blueprint.

[00:07:01.490] - David Puner October, when this episode releases, is Cybersecurity Awareness Month. This year's Cybersecurity Awareness Month theme is about seeing yourself in cyber, which is all about the people part of cybersecurity. Inspired by that theme, how did you get into the cybersecurity field and when did you first see or envision yourself in cybersecurity? What led you here?

[00:07:24.220] - Bryan Murphy We're going to go in the Wayback Machine, Dave.

[00:07:27.020] - David Puner All right, I like that. Let's do it.

[00:07:29.100] - Bryan Murphy Almost 17, 18 years ago. It started out at my previous job before I came to work at CyberArk. I worked in, let's call it IT operations, maintaining a platform, doing these types of things. I was brought into a tabletop exercise for an incident and they were practicing how they would respond if they were compromised in any way. We went through this and I said, "Wow, this is amazing. This is great." It led me down the career path with them to move into security and start to lead some of these and be part of the actual incidents that happened within that organization.
Once I left there and came to work for CyberArk, I did the normal deployment, standard things that we would do, but because I already had some experience and interest in these types of engagements, as customers would call us and say, "We had an incident happen, how can you help?" my team knew that I was the one with experience.

[00:08:26.710] - Bryan Murphy I got brought into each one of those or I'd be providing guidance to the larger team on what we can do. Now you fast forward 7-10 years, let's say that process kept growing little by little. It wasn't a business we wanted to have here at CyberArk. But what we realized is it's not about what we want to do, it's about what do our customers need? We figured out that we were getting more and more calls from customers saying, "Help me recover from this. Help me figure out how to do this better." And because of that, we decided to form a team. That's why the team is small right now, we're not pushing to be that forensics company. We're pushing to really service our customers in their time of need. If the need becomes larger, we'll make the team larger.

[00:09:16.550] - Bryan Murphy In a real short way, that's how I got involved in this. It was purely out of inquiry, interest on my side, and then just the fact that I was fortunate enough to put myself in a position to work on these early on in my career, that I was able to turn that into a full-fledged team here at CyberArk.

[00:09:37.990] - David Puner What kind of attacks are you seeing a lot of or more of these days? We know attacks are happening everywhere and often, but what particular kinds are you seeing now that are potentially sophisticated or different than what we've seen in months or years past?

[00:09:55.260] - Bryan Murphy I would say one of the biggest differences we're seeing now is the MFA bypass. I've been saying this for four years. Other vendors have as well. MFA everything and you'll be secure. That was the mantra we were living on there for a while.
Now since the majority of organizations are MFAing, we'll say everything, the majority of their solutions, we're now seeing the threat actors being able to bypass MFA. They're finding ways to do this. So now, where we were looking at it from a strategy before, we were doing Zero Trust, Least Privilege, and those were the big buzzwords, we were saying MFA. Now the attackers are finding ways around this. That becomes interesting because that's that first line of defense into the organization.

[00:10:47.240] - Bryan Murphy I think the other trend I'm seeing is, back in the day, you would hear this person, John, obviously keeping the names anonymous here, John attacked this company or this group of people did this attack. Anymore, with the dark web and with crypto, you're starting to see organizations form and share more information. Maybe in the past they had the skill set to bypass MFA, they couldn't do anything else. They'll sell that access they have to a different group, and now that different group that doesn't know how to bypass MFA is already in and then they can do the next step. Our adversaries are aligning to attack and work against us, and this is making it difficult because they don't have to be experienced in everything. They're specializing in getting into our organizations. We as security practitioners and experts need to make sure we're doing what we can to have that defense.

[00:11:46.970] - David Puner What does MFA bypass look like, and is that similar to MFA bombing, MFA fatigue? All these things that we're hearing a lot about these days?

[00:11:59.090] - Bryan Murphy It's similar, but an MFA bypass could be, let's say, a vulnerability or a weakness in a configuration that they found where they can truly just bypass MFA. Maybe they find a way to take the cached credential and move it through without ever being prompted for MFA, but you also have those attacks as well.
We've seen recently where they're saying MFA bypass has happened in some of the organizations, but really, you do the MFA bombing, these types of things. It's more about getting the user to be socially engineered, to trick them into approving it. Humans are trusting by nature. This is shifting a little away from security for a moment, but we're human by nature and we're very trusting by nature. It's very difficult to get people to flip that mindset to say, "I shouldn't click on it. I shouldn't do this."

[00:12:49.480] - Bryan Murphy We genuinely want to help in whatever we do. This is where the fatigue comes in, this is where the bypass comes in, that they can just click on something and accidentally let somebody else in because they want to help make the message go away. This is where security training and everything we're doing is teaching them that, no, it's okay if you get a hundred of these messages. That means that you really need to rotate your credentials so you stop getting the messages, not click on it to make it go away. This is the educational point that we have to train people on, just because of the way the human mind is built.

[00:13:24.060] - David Puner MFA is still important, right?

[00:13:27.180] - Bryan Murphy Absolutely, without a doubt. It still needs to be one of the number one controls we deploy, but the mindset needs to shift from some of the messaging that's been out there. I think we've all seen it in the security industry where they'll say, "MFA blocks 99% of these types of attacks that happen." And that number, I think, is going down a little bit because MFA does block, but it also relies on the human user. If the human user accidentally clicks yes, we're seeing this more and more, they push someone through, we have to understand that we need to work on that next layer as well and have that defensive down.

[00:14:04.270] - David Puner Let's say I'm on the receiving end of an MFA bombing. What should I do in that case?
[00:14:11.310] - Bryan Murphy I can give you a personal real-world example here that may be fun for the audience. I was at Black Hat, of all places. Super scary. I say super scary from the standpoint that someone could be hacking your phone, hacking your account, we've all heard the horror stories. They have the wall of shame over there of people who are giving their credentials up inside the Black Hat networks. I'm out to dinner with my team and I receive an MFA push on my phone. I went, "Huh, that's odd. I didn't log into that site. What's going on?" I didn't know what it was, it only happened once. I didn't get a bomb, I didn't get multiple attempts. But right away there, I went ahead and I rotated my password.

[00:14:52.840] - Bryan Murphy The reason I rotated the password was if somebody had my password and tried to MFA in, they would have to then know the new password to try to MFA in again. I don't want to leave the story there and say this is just what I did. The root cause of this was, it was a site that I share with my wife, and my wife was trying to log in, but my device was the only MFA device. She didn't tell me she was logging in, but this is why the prompt came to my phone. Completely legitimate prompt that came through. Because we didn't communicate that that happened, I went ahead and immediately changed the password, just to be safe, to make sure that the account wasn't compromised.

[00:15:28.420] - David Puner What other kinds of attack trends are you seeing these days?

[00:15:32.060] - Bryan Murphy I think the biggest we're seeing is a shift from trying to deploy malicious code and having… They're executables, running on your systems, to living off the land. This is not a new trend as in it just started, but this is a trend we're seeing gain momentum. What the attackers are doing is they're trying to masquerade as the identities you already have in the organization. They're trying to masquerade as standard users.
So when you look at traffic, you threat hunt, you do these things, it becomes increasingly difficult to figure out who's the attacker and who's the trusted user on your network.

[00:16:16.430] - Bryan Murphy As they do this, what you find is they could use their own specific tools to do work. But instead, once they're living off the land, if you have a tool in place and they have access to it, they will go read the guide and figure out how to use your tool, and they'll start using your tools against you. This becomes imperative for the defense-in-depth, that we don't just look at, we're deploying security tools to secure our environment. We need to look at, we're deploying security tools that we need to secure as well, because if the bad guy gets it, they're going to use that tool against us.

[00:16:54.340] - David Puner You mentioned defense-in-depth earlier. How do Least Privilege and Zero Trust fit into this equation?

[00:17:01.580] - Bryan Murphy Glad you asked that question, Dave. Zero Trust fits in because in the conversation we were just having, we said we can't tell who is our attacker and who is our trusted user on the network, and they're masquerading as each other. But if we have Zero Trust, what that means is that users are not going to have access to anything additional once they're in the environment. If we never trust them, they constantly have to reauthenticate or conditionally authenticate to gain access to different assets. This is a balancing act, and I tell all of my customers, the goal is obviously Zero Trust, but Zero Trust may not be 100% attainable on all your applications that you have. What we should do is we should be doing Least Privilege as far as we can, and take Least Privilege as close as we can to Zero Trust, with Zero Trust being the North Star, but understanding we may not get 100% there with all of our applications in our environment.
[00:18:07.030] - Bryan Murphy But if we practice this and we think of it as tightening a screw, and we keep turning down the privileges, we remove them slowly but surely, we'll eventually get to a point where, when an account is compromised, they bypass their MFA, they do an MFA bombing attempt, they have some way to get on our network, they'll have very little access. It puts another control in that defense-in-depth where they can't get further within the organization to get to the actual data that they're looking for. This is where everything ties together, this is why you're seeing Just-In-Time access. I know you didn't ask about that one, but Just-In-Time, Zero Trust and Least Privilege, and why it's so important for everyone to really start looking at this holistically within their environment and where they can deploy these controls.

[00:18:52.600] - David Puner Yes, I think that's an important point you brought up about the balancing act, and I know we've talked a little bit about this in other places. Do you want to elaborate a little bit on that metaphor? Because I know you like to go deep on it and I think it's a really interesting area.

[00:19:08.940] - Bryan Murphy Absolutely, and I'll end it with a story of an actual incident I worked years ago on trying to do exactly this. But yes, the problem I see is that we get excited. We like these new controls and we say, "Yes, this is going to make our environment safer. It's going to keep our business safe. We should do this." But what we don't understand initially is either the technical debt that we have to work through, technical debt being legacy configurations, certain user accounts, the way the business functions, and not disrupting that, because security needs to make sure they enable the business still to get their job done.

[00:19:51.190] - Bryan Murphy This is where the balancing comes in. An example of this I can give you is I had a customer years ago that wanted to do shared accounts.
A shared account would be an administrative account that, instead of being personally tied to Bryan, or personally tied to you, David, would be a generic account, say, server admin, server admin 1, server admin 2. They wanted to go this route and they were in the middle of just recovering from an incident. They said, "Now's the time. We need to do this." I told them, "Don't do it, don't do it." I said keep everything the same and slowly start turning on these permissions and gradually move people over to these accounts.

[00:20:30.490] - Bryan Murphy They just wanted to capitalize on it because of internal corporate reasons. They hadn't had funding, they weren't able to move on. Just to help you with the justification as to why they chose to do this right away. As they did that, what they found a year later was they ran into a singular roadblock. They couldn't figure out how to get file share access, or if I remember correctly, something along these lines, to the shared accounts, and it ended up stopping the whole process. What my message here is to everyone who's listening is that if you just make that absolute change and you move over, the technical debt may come back to stall the North Star you're heading towards, because you don't know how to solve one problem or you don't have time to invest in this part that you weren't planning for, and then it never takes off.

[00:21:20.650] - Bryan Murphy Whereas if we would have done it originally where we said, "Okay, we're still using personal accounts, personal admin accounts, let's remove who doesn't need it, let's start removing permissions from those." We could have slowly ratcheted this back and then migrated to those shared accounts. Little technical example, but this is where it can be a trap, where we try to make this big shift and then we end up not benefiting from any of the security features we wanted to deploy.

[00:21:46.860] - David Puner I wanted to get back to attacks again, briefly.
Leveraging hard-coded credentials. What's been going on with hard-coded credentials and how are they being used to unlock high-risk access?

[00:21:59.890] - Bryan Murphy I'm going to start, David, by saying it's nothing new. This is where many people who know me will say… In the world of attacks that come, unless it's a nation-state targeted attack, these types of things, many organizations are hitting it where the attackers are just playing the hits. They're playing the greatest hits of the records they have. They're using the same types of attacks, so when you look at this, they know to scan the environment. They know to look for certain places where credentials will be embedded. For example, you may have software that needs a configuration file, and that configuration file may hold the credential to something. They're going to know this. They're going to look for it, or they're going to say you're using this piece of software, look at that software and see if it contains this in the online documentation.

[00:22:48.420] - Bryan Murphy This is part of that living off the land and finding what they have access to. It's really important that we make sure we remove those credentials from our scripts, from our applications, config files and places where they live. It's not just enough to encrypt them. Encrypting helps so they can't see the password in clear text, but it's just an extra step. The idea here is not to minimize the extra step, the idea here is to have so many steps in the process that our threat actor or attackers here, let's say, give up or can't get any further in the environment. Not give up that they don't get what they want; they give up because we detect. They give up because we found they were on our network.

[00:23:37.250] - Bryan Murphy This is really the goal. The goal is not to say don't encrypt. The goal is not to say don't have credentials in your scripts.
If you have it hard-coded in there, that's making the path easier for them to retrieve the credential. This is why CyberArk recommends using our solution and our capabilities to remove those embedded credentials, because it adds a step in the process, making you more secure.

[00:24:03.270] - David Puner They rotate the embedded credential, but do you see customers doing that?

[00:24:10.390] - Bryan Murphy We don't, and I'm glad you brought this up, David. You reminded me of a great point, which is customers should take their service accounts and, forget about all the automation we can put in place for a moment, and do this. They should at least rotate their credentials once. Please don't go in your organization and rotate them all at the same time. We should methodically do this one by one.

[00:24:34.970] - David Puner What happens if you do try to do it all at the same time?

[00:24:38.930] - Bryan Murphy You may inadvertently take down applications you weren't aware of. We've seen this firsthand from customers where they'll use CyberArk, they'll bring in service accounts and they just say password change. Next thing you know, there's five, 10 P1 tickets that applications are down. A lot of times it's because the developer had access to a credential. They went ahead and built application A, but now they took over application B, they needed the same access. They leveraged the same credential, but nobody else knew that they did this, the application just worked.

[00:25:15.510] - Bryan Murphy What I hear from all of our customers at CyberArk is, "How do I discover where my service accounts are used at?" We have detection tools, there's tools out there to detect a lot of places it's used, but we can only detect the places we know. It becomes very tricky when they embed it into an executable, they put it into a script somewhere that you're not scanning for and looking for the password field, or they call it in a very unfamiliar way, for how the credential is embedded.
If you just do that manual rotation once, what happens is, let's say you think it works for one application, you go to rotate the credential for that one application, you schedule the change and you take down 10. All of a sudden we've created this major P1 incident.

[00:26:02.090] - Bryan Murphy What you can do is go back in and reset the credential back to what it was before. This goes on the notion you know what the credential is ahead of time. Sometimes there's cases where you don't, but this helps minimize the damage because we can restore back quickly so we don't have to touch and find every application. Now we know that when we change this one credential, it doesn't impact one application, it impacts, in this example, 10. We can start to break those apart slowly through the process, and that identification and inventory of what you have is very helpful, but it also helps from the security side by at least rotating those service credentials once, to start to expire all the hashes and everything that's out there in the environment that the attackers would use to move laterally with those accounts.

[00:26:50.340] - David Puner Moving on back to Cybersecurity Awareness Month. Your appearance on the podcast happens to coincide with Cybersecurity Awareness Month, as we mentioned at the top of the podcast, and that seems apropos considering you live and breathe cyber awareness 365, 24/7, or at least it seems like you do to us. What's something simple you're seeing that both cybersecurity professionals and regular civilians might benefit from, as far as a little cyber hygiene brush-up?

[00:27:19.990] - Bryan Murphy I would say go look at your passwords. I think every one of us has a specific password that they like to use, or a combination of it, in most of the things we do, and we have to set that first password or passwords to generic sites that we go to. What I try to recommend people do is use a password manager solution.
CyberArk has workforce password management as an example. Anything that's out there that can help you randomize those. Because what you have to assume is that when you put that password into a website, that website, that back end, you're trusting will not be impacted, compromised in any way. Once you put the password into that tool, it's out of your control where it lives at; it's in the control of the company or the website you're working on. So as you see recent breaches where they compromise websites and different web applications that are out there, credentials are being exposed.

[00:28:19.600] - Bryan Murphy What I try to do is, I don't want to say it's impossible, it's something I do, but a unique password for every single site you go to, it's not for everyone. What I'll say is I try to keep what I do for enjoyment, such as looking at fantasy football, reading blog posts, those types of things, separate from what may financially impact me. This is the line I draw between the two. I don't use anything the same between the two of those because they're held to different security standards on the back end, but for me, it's more impactful if I lose money versus somebody is able to hack into my CNN account.

[00:29:04.770] - David Puner What's your advice for someone considering a role in cybersecurity?

[00:29:09.010] - Bryan Murphy My advice to those looking for the role is start following cybersecurity groups online. Start following the blog posts, start following the industry as to what's happening first. That's going to help tee up-

[00:29:25.100] - David Puner Like the CyberArk blog, right?

[00:29:27.740] - Bryan Murphy Yes, this blog, exactly. That'd be perfect. Start here and start to understand the trends, start to understand the mindset. I think that the hardest thing to do is to flip the mindset that we have as security practitioners. Once you start to do that, now you dip your toe into the certifications and understand the concepts.
I think one of the biggest challenges we have in cybersecurity is, you can't secure something if you don't know how it works. You can't say this is how you have to secure it without understanding how Windows or Linux or the web browser is working that you're working within. It requires a little bit of knowledge about the underlying system that you want to secure, or the password or credential you want to secure.

[00:30:13.670] - Bryan Murphy Then you can start to see ways to control that. You can read through the settings of the tool to see what controls they offer. A lot of times some of them will say, this is good, this is better, this is best. This will help you to get that mindset and to figure out how to secure things further. Then beyond that, you want to start dipping into an IT role or position.

[00:30:38.130] - Bryan Murphy As you start in the IT side, you want to align with the security team. Now you'll start seeing how internally the security team operates and functions and what controls they have, and that's how you can start to make that move into security. It's not to say you can't find a security role out the gate, you absolutely can, but I really feel the balance is making sure you understand the tech before you go into implementing security controls on top of the tech.

[00:31:04.120] - David Puner Bryan, thanks so much for coming on the podcast. Appreciate it.

[00:31:07.880] - Bryan Murphy David, thank you for having me.

[00:31:09.920] - David Puner Appreciate it. Thanks for listening to today's episode of Trust Issues. We'd love to hear from you. If you have a question, comment, constructive comment preferably, but you know, it's up to you, or an episode suggestion, please drop us an email at trustissues@cyberark.com. And make sure you're following us wherever you listen to podcasts.
Transcript source: Provided by creator in RSS feed.