The following is an interview with Derek Manky, Chief Security Strategist & VP Global Threat Intelligence at FortiGuard Labs, in conjunction with their latest semiannual Global Threat Landscape Report released in February 2022.
Derek Manky leads FortiGuard Labs’ Global Threat Intelligence Team at Fortinet, bringing over 20 years of cybersecurity experience. He has established frameworks in the security industry including responsible vulnerability disclosure, which has exercised the responsible reporting of over 1000 zero-day vulnerabilities. Manky has been with the Cyber Threat Alliance since it was founded in May 2014. For more than 15 years he has been highly engaged with collaborative industry efforts including the CTA, FIRST.org, NATO NICP, MITRE CTID, INTERPOL Expert Group, and the World Economic Forum Partnership Against Cybercrime (PAC). His vision is applied to help shape the future of proactive cybersecurity, with the ultimate goal to make a positive impact towards the global war on cybercrime.
In the following interview, Derek discusses the Log4J vulnerabilities, continued rises in ransomware and malware, threat sophistication, and much more. To download a copy of the report, please follow the link at the bottom of this interview.
One of the things mentioned in the report was the Log4J vulnerabilities, which hit in December 2021. Why do you think it's important for companies to be more aware of the vulnerability, and how can companies best protect themselves?
I think this is not just about Log4J. Log4J is a good reminder, and actually unprecedented in the way that it unfolded. However, it's important that when we sort of tee this up for, “Do you know how to respond to this?” we understand that there's going to be more of these in the future. If we look at what happened with Log4J, it was a combination of a couple of things.
We typically see that when there's a larger-scale, what we call a tier one breaking vulnerability, it has a couple of attributes to it. One, a very wide deployment base or attack surface, and that obviously applies to Apache Log4J and the Java Naming and Directory Interface (JNDI). The second is that it was relatively easy to exploit. There's an exploitability measure on this and that's why it was assigned a Common Vulnerability Scoring System (CVSS) score of 10. Anything over nine means that you should definitely pay attention to this.
If you have both of those combined, it's going to be capitalized on and rolled out much more quickly by attackers, which is exactly what we saw. History has taught us that a lot of these other big breaking vulnerabilities in the past (e.g., SolarWinds) were not made up of just one vulnerability. Yes, there was the big one that broke at first, but there were three other ones that followed in the span of two to three weeks. This was the same thing that occurred with ProxyLogon, from the Microsoft Exchange vulnerabilities a year ago.
So, when you have these groups of vulnerabilities, there's so many eyes that start looking at this and picking away at the code, and inevitably more issues are unearthed. That's what we saw a lot for Log4J. That's what we saw with the other ones. There's a pattern here.
There's also a pattern that when these come out, they're becoming more and more commoditized. So, they're being put into attack toolkits. There are copycat attacks; it's not just one ransomware campaign. There are multiple campaigns, and in fact we saw over 10 logged for a day: everything from crypto miners to remote access trojans (RATs). So, that's another problem from a defender's perspective: there's more than one adversary with skin in the game.
The last one that we called out in the Threat Landscape Report is speed. This is one of the biggest concerns to me. This is something that's really important when we talk about what we can do about this. In terms of the measure of speed, we put a rate of exploit measure onto Log4J and how quickly it was rising. It was 50 times faster (as a 10-day benchmark) than that of ProxyLogon, which was part of the Exchange group of vulnerabilities a year ago. That's concerning.
Switching gears to what companies can do to protect themselves, that means needing actionable intelligence and being able to react to what we call Tier One events, or outbreaks. It used to be common practice, if we look back to 10 to 12 years ago with Stuxnet or some of the other big issues of the past, that those attacks were premeditated but they took a long time to unfold. That is not the case with the newer ones.
Now, the ripple effect is spreading really quickly, so the time to react is shrinking. That's a really important point. In the past, we were taught and used to talk in days or weeks in terms of patch management, updates, following security advisories, and just keeping track of all the new vulnerabilities.
Now, if we look at Log4J, we cannot talk in weeks. We're really talking about a 24- to 48-hour window. For companies, that might all sound very scary, but it doesn't have to be daunting or complicated. Again, a lot of the things that we talked about, such as patch management strategies and having integrated threat intelligence services, are really important.
The use of Intrusion Prevention System (IPS) technology is especially important because it can act as a virtual patch and provide protection against a vulnerability before a vendor even rolls out a patch, as well as mitigation advice. There are a lot of things in security advisories that we post that are simple measures, such as segmenting and blocking access. There's a big checklist we put together when it comes to these attacks: zero trust network access, intrusion prevention and control, etc. In a nutshell, these checklists are really about the ability to respond to these attacks in a fast and timely manner.
In relation to the malware and ransomware situations brought up in the report, why do you think the Linux malware detections have doubled during the course of last year, and why are ransomware levels continuing to be elevated?
We'll start with Linux first. This is, to me, a path of lesser resistance to cybercriminals, because there are a lot more targets. If you're thinking as an attacker, there's a cost associated on their side with what they do with their time, resources, etc. They want to have a higher chance of success when targeting platforms and depending on their purpose, what they want to do.
When we talk about Linux, we're talking about a wider adoption of Internet of Things (IoT) devices and operational technology (OT) devices, sensors, etc. These sorts of things are deployed in various systems that are high-risk environments. Today, we're talking about manufacturing plants, critical infrastructure, general OT environments, and IoT devices that are sitting on the information technology (IT) network that can be compromised to leapfrog into these converged and connected OT networks, as an example.
So, they're perfect targets. That's what we're seeing now; ransom with cyber criminals has shifted. It's gone from targeting end-users and PCs and asking for a relatively small amount of crypto, to ransom demanded from high-profile targets such as large enterprise critical infrastructure, targeting ransom for seven-figure payments.
Linux is really a key to a lot of that, because a lot of these platforms are running on Linux. What we're seeing is a capability aspect on the attacker side that they're developing. We've observed that there was a doubling overall of Linux malware and, if we look quarter over quarter, it's quadrupled, from Q4 to Q1. So, it's ramping up.
What we're seeing is more code development focusing on Linux since it's obviously different than compiling code on Windows. These are being used for botnets. Mirai botnet is a very famous example of that. We still see a lot of that, but we're also seeing much more variety and flavor with Linux. I expect that to continue. There's also wider adoption, which we call out in the report, on Windows Subsystem for Linux (WSL) and Windows, too. Even on the Windows Open Hub Service (OHS) there is a subsystem for Linux. You can run Linux binaries such as executable and linkable format (ELF) binaries on Windows, which becomes a wider attack surface for cyber criminals.
With ransomware, what we've observed is what we call a relentless surge. We saw in the first half of 2021, a very sharp rise in ransomware; it was up almost 1,100%, 10.7x over the previous year. While we didn't see that kind of spike again, what we did see was that it hasn't subsided. Throughout the whole second half of 2021, it was a relentless surge. That high watermark that was set in the first half of 2021 has continued every day throughout the second half of 2021, which we're still seeing. What that indicates to us is that ransomware is not going away.
From my point of view, it's actually worse, contextually. What I mean by that is, there are different ways to measure risk. Volume is one of them. The other is the targets that are being gone after. What we're seeing is a convergence of what I call advanced persistent cybercrime. Ransomware operators, again, are targeting high-risk environments. We're seeing that scale up now. We're seeing higher risk, combined with that same relentless surge. In effect, if you multiply those two together, the net risk is actually higher. That's very concerning.
On that note, one of the points brought up in the report is the overall increased sophistication of attack methods. How do you think that cybercriminals continue to evolve their methods? Is it just an issue of companies' cybersecurity strategies not being up to par with where they should be? Or are there other issues that you've been seeing?
It's a combination of both. We are still seeing the “low-hanging fruit” problems, I would say, but that's getting better. A lot of that is cyber hygiene, employee education, and patch management strategies. That's all fundamental, and I would say that has been getting better, but as that gets better, that low-hanging fruit gradually starts dissipating and cybercriminals need to do something to shift their tactics. We are seeing a bit of a shift on the sophistication front.
This is going back to that advanced persistent cybercrime concept. There are generally two categories of threat actors. There are the more high-level nation-state threat actors, such as the advanced persistent threat (APT) groups that really focus on reconnaissance and weaponization-targeted attacks. That is a lot more of the well-funded capability developments and being able to create zero-day exploits to compromise and hack into systems. However, most cybercrime typically doesn't focus on that, because criminals enjoy that low-hanging fruit going after the wider swath of non-governmental and large enterprise organizations.
Now, that base-level cyber hygiene bar gets raised higher as cybercriminals continue to adapt and shift more to the left of the attack chain, meaning that they're focusing more on zero days to uplevel their sophistication. This allows them to be able to find new vulnerabilities to break into systems, do reconnaissance, blueprint systems, and understand who their targets are so they are able to craft cleverly made social engineering emails and lures, for example.
A lot of the stuff that is typically done by the nation states and APT groups is now being done by those ransomware cybercrime gangs. That's what's driving that rise in sophistication: understanding their targets and trying to make their weapons more effective.
It seems like trends are forming of attacks related to remote or “hybrid” working environments. With the pandemic and other factors causing more of these work settings, what sorts of things can both employees and employers keep in mind to maintain a healthy cybersecurity mindset?
Yeah, so I think first, it's important to really address the “anywhere” concept. There's going to be a lot of these hybrid workstations, roaming effectively into different environments. Every environment you go into, whether it's a hotel, a coffee shop, an airport, or your home, is going to be different. So having a broader strategy is important.
Everything we just talked about, like cyber hygiene and employee education, is still critically important because at the end of the day, it doesn't matter where you are. If you're getting hit with a cleverly crafted email, or social engineering, it doesn't matter what environment you're in. At the end of the day, it still is important to continue to do education campaigns. There are even phishing tests that can be regularly done with employees to uplevel their awareness. We always talk about the “people” part of people, process, procedure, and technology. There's a lot here that can be done.
There are a lot of great, simple security measures to be put in place. Multi-factor authentication is one of those, for sure, to avoid compromised credentials. Implementation of the zero trust network access (ZTNA) concept is also really important; only allowing what should be allowed in terms of traffic applications. The other thing is security services. The things I talked about before regarding application control, intrusion prevention, antivirus, web filtering, adequate security on (corporate) mail, and being able to do the appropriate content inspection on all that is important, too.
In the report, it's mentioned that using methods such as the ATT&CK framework can help stop cyber criminals faster. Would you be able to go into more detail about why this framework is a good method to implement as part of an overall cybersecurity strategy?
Stepping back a little bit, if we look at any given attack, there's no silver bullet. Every attack has multiple layers and components to it. In fact, it's very much the same in the physical world with crime. If you need to penetrate a network or a home or a building, you have to find a weakness or vulnerability; you have to move into different segments or areas within that building or that network, and you have to find the asset that you're after to exfiltrate it. Then, you have to apply an action on it, which is usually monetizing it in the world of cybercrime.
So, the cyber kill chain describes this at a high-level. That's the reconnaissance, weaponization, code delivery, lateral movement, exfiltration, and so forth. The ATT&CK framework is really just looking at that same concept, but in much more detail. I call this high-resolution intelligence, which is much more strategic and is unfortunately not widely adopted right now.
First, you need visibility. So, at any given time, for the threats that are hitting your network, if you have visibility into what those attacks are, you can translate that into the ATT&CK framework and you're able to see and better understand that, okay, these are relevant threats to my network. Then we can look at tactics, techniques, and procedures (TTPs) (similar to what the MITRE ATT&CK framework does).
Let's talk about code delivery and execution as an example. So that's the tactic, but there are multiple ways to actually do that. If we map that to threats, then we're able to see how many different ways they're trying to do a certain tactic like code execution or defense evasion, because they're always trying to get around security controls, too.
So the really important part, I think, is being able to first have visibility, which is a threat intelligence angle. Do I have a proper defensive posture against it? There are relevant solutions; some will help with the reconnaissance blueprinting part from a defense standpoint, and some will help with the code delivery, like Endpoint Detection and Response (EDR), because that's being able to inspect malicious code on a system.
The other important part about this, too, is that what we're doing and what we show in the report is that we're highlighting different verticals and the most active techniques and tactics that we're seeing against those verticals. If you look at the MITRE ATT&CK framework, there's over 370 of these attack techniques. That's going to continue to grow because attackers are just getting more clever. There are new techniques they're discovering to get into systems, and that's going to continue to grow. That's overwhelming.
So, what we're doing to make this more intelligent and beneficial, which we highlight in the report, is that we're only showing 15 attack techniques as opposed to 400. Then, it becomes a much easier conversation for organizations in terms of how to defend.
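The workflow described in the last two answers (tag observed detections with ATT&CK technique IDs, group them by tactic to see how many distinct ways a tactic is being attempted, and shrink the list to the handful of most active techniques per vertical so defenders can check coverage) is shown below as an added example. It is not code from FortiGuard Labs or from the report. The technique IDs and names are real MITRE ATT&CK entries, but the selection of techniques, the detection events, and the mapping of controls to techniques are all constructed assumptions for illustration.

```python
from collections import Counter, defaultdict

# Small technique catalog: technique_id -> (name, tactic).
# The IDs and names are real ATT&CK entries; picking these nine is an
# assumption for the example, not the report's own technique list.
TECHNIQUES = {
    "T1190": ("Exploit Public-Facing Application", "Initial Access"),
    "T1566": ("Phishing", "Initial Access"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1204": ("User Execution", "Execution"),
    "T1027": ("Obfuscated Files or Information", "Defense Evasion"),
    "T1021": ("Remote Services", "Lateral Movement"),
    "T1105": ("Ingress Tool Transfer", "Command and Control"),
    "T1041": ("Exfiltration Over C2 Channel", "Exfiltration"),
    "T1486": ("Data Encrypted for Impact", "Impact"),
}

# Constructed detection telemetry: each event is (vertical, technique_id).
# In a real pipeline these would come from IPS/EDR/sandbox alerts that
# already carry an ATT&CK tag. The counts here are made up.
RAW = {
    "manufacturing": "T1190 T1190 T1190 T1190 T1059 T1059 T1059 "
                     "T1027 T1027 T1021 T1486 T1105",
    "healthcare": "T1566 T1566 T1566 T1204 T1204 T1059 T1041 T1486",
}
EVENTS = [(vertical, tid) for vertical, ids in RAW.items() for tid in ids.split()]

# Hypothetical control-to-technique map: which deployed control is expected
# to address which observed technique. Assumed, not a vendor statement.
CONTROLS = {
    "IPS (virtual patching)": {"T1190"},
    "EDR": {"T1059", "T1204", "T1027", "T1486"},
    "mail security": {"T1566"},
    "ZTNA / segmentation": {"T1021"},
}


def events_by_vertical(events, vertical):
    """Technique IDs of all events observed against one vertical."""
    return [tid for v, tid in events if v == vertical]


def top_techniques(events, vertical, n=15):
    """Most active techniques against a vertical, most frequent first.

    Returns a list of (technique_id, name, count), truncated to n entries so
    the conversation is about a short list rather than the whole framework.
    Ties are broken by technique ID for a stable ordering.
    """
    counts = Counter(events_by_vertical(events, vertical))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(tid, TECHNIQUES[tid][0], c) for tid, c in ranked[:n]]


def techniques_per_tactic(events, vertical):
    """Distinct techniques observed under each tactic for a vertical.

    Answers "how many different ways are they trying to do Execution
    against us?" Returns {tactic: sorted list of technique IDs}.
    """
    by_tactic = defaultdict(set)
    for tid in events_by_vertical(events, vertical):
        by_tactic[TECHNIQUES[tid][1]].add(tid)
    return {tactic: sorted(ids) for tactic, ids in by_tactic.items()}


def coverage_gaps(events, vertical, controls):
    """Observed techniques that no deployed control is mapped to."""
    observed = set(events_by_vertical(events, vertical))
    covered = set().union(*controls.values()) if controls else set()
    return sorted(observed - covered)


if __name__ == "__main__":
    for vertical in RAW:
        print(f"== {vertical} ==")
        for tid, name, count in top_techniques(EVENTS, vertical, n=3):
            print(f"  {tid} {name}: {count}")
        for tactic, ids in techniques_per_tactic(EVENTS, vertical).items():
            print(f"  {tactic}: {', '.join(ids)}")
        print(f"  uncovered: {coverage_gaps(EVENTS, vertical, CONTROLS)}")
```

The two outputs that matter to a defender are the short ranked list from `top_techniques` (the "15 instead of 400" view) and `coverage_gaps`, which turns that list into a concrete question: for each technique actually being used against my vertical, which control do I rely on, and is there one at all?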