ISMG Editors: Lessons Learned From the Lapsus$ Crime Group
Also: Highlights from Black Hat 2023; Latest Cybersecurity M&A Activity
Anna Delaney (annamadeline) • August 18, 2023
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including highlights of interviews at Black Hat 2023, lessons learned from the success of the Lapsus$ cybercrime group's attacks, and why Check Point is buying startup Perimeter 81 for $490 million.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor of DataBreachToday and Europe; Michael Novinson, managing editor, ISMG business; and Tom Field, senior vice president, editorial - discuss:
- Key takeaways from conversations and interviews at the summer's most popular cybersecurity conference, Black Hat 2023;
- Highlights from the public-private U.S. Cyber Safety Review Board, which recently issued its second-ever after-action report, this time focused on lessons to be learned from the success of the Lapsus$ group's attacks;
- The proposed purchase of Perimeter 81 by Check Point for $490 million and why the company had to slash its valuation by more than half to seal the deal.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Aug. 4 financial services special edition and the Aug. 11 edition on the White House's drive to secure code with AI.
Transcript
Anna Delaney: Hello, and thanks for joining us for the ISMG Editors' Panel. I'm Anna Delaney. And this is a weekly spot where we discuss and analyze the highlights of what's happening in cybersecurity right now. I'm joined by a stellar team today: Tom Field - with his aviators - senior vice president of editorial; Mathew Schwartz, executive editor of DataBreachToday and Europe; and Michael Novinson, managing editor for ISMG Business. Hello, wonderful to see you all. Tom, start us off, fresh from Las Vegas.
Tom Field: Viva Las Vegas as they say. And yes, that is the sky that you see behind you. It's the sunset of Las Vegas last Wednesday. We had a chance after our grueling day in the video studio to grab a bite to eat and after dinner, looked up at the sky and quite liked it.
Delaney: Michael, were there also dinosaurs in Vegas? I know you were there.
Michael Novinson: There were not dinosaurs in Vegas. I hear they're extinct now, but there actually are a couple of hours away from Vegas. This is Cabazon, California, quintessentially American, just a roadside attraction. It's a bunch of dinosaur statues, including some that are 30 feet tall, right off the interstate, and featured in Pee-wee Herman's video from the mid-1980s. We get there - my parents spend the winters in Palm Springs - we get there in the winter, and my daughter loves seeing the dinosaurs. They're so quintessentially tacky that they're actually kind of cool.
Field: As I understand, they actually dress one of those as Pee-wee.
Novinson: I think they do. We normally get there on Christmas, so the main dinosaur's always dressed as Santa Claus. And then we can climb inside it and take a look out at the parking lot. It's one of a kind.
Delaney: That's a sweet tribute, if that's true. And Mathew, arty as ever?
Mathew Schwartz: I wasn't in Vegas, I was in Glasgow. This is a view out of the Glasgow University Union. It's the Gilmore Hall; it used to be a church, and then the university bought it, and now it's some kind of an audiovisual facility. But this was the view out the window. I was at a music festival a few weeks back in Glasgow.
Field: Very good on your own wall.
Delaney: I stumbled upon this rather magical garden recently near where I live in London. And it's part of the Vestry House Museum. It was originally constructed in the 1730s as a parish workhouse, but became a museum of local history in the 1930s. And I just think it's lovely to discover these pockets of calm in a busy city like London.
Field: So for you that's new construction. For us, it's history.
Delaney: Yes, exactly. Very modern. Speaking of busyness and business, Michael and Tom, as we've mentioned, you were both in Vegas for Black Hat, the most popular summer cybersecurity event. From what I gather, many of the conversations revolved around the emergence of AI and how cybersecurity products can evolve with this new technology. How was the event for you, Tom? What are some of the highlights you can share?
Field: That was terrific! Between the two of us, Michael and I conducted 46 interviews over the course of two days. So you could say that was a typical morning at RSA, and yet it was so distinct from RSA. When we look back at the discussions that the four of us had with attendees there and with our speakers, there was a lot of strategy. There were a lot of trends; it was a lot of "this is the way that the cybersecurity industry is headed." I think at Black Hat, it was a lot more heads down: "This is what we're working on. This is the latest research. This is what we're finding." A lot more hands-on discussion as opposed to trends. Topics I really enjoyed and heard a lot about were AI. Michael said earlier that it came up in X percentage of his conversations that were specifically focused on that. I would say that generative AI at least was mentioned in 20 out of the 24 discussions that I had, and it was getting beyond the discussions we had at RSA that were, "Is this a good thing? Is this a bad thing? Should you have a policy?" It was more, "What are some of the use cases, particularly automated incident response and remediation? How is this being used? What are the skills you need to have internally now?" So a lot more hands-on as organizations get a grasp on this. A lot of talk about ransomware, and I think getting into more of the specifics about some of the big ransomware groups that Matt was writing about even two years ago: how they've split up and decentralized, and in some ways they're stronger in the smaller units that they're in now. And then a recurring theme of the summer has been that DDoS is back and bigger than ever. We keep seeing record-setting DDoS attacks every month or so. And what we have is an attack surface larger than it's ever been in DDoS attacks. They're more "as a service" than they've ever been before, and are often being used not just for disruption of organizations, but often as precursors to ransomware attacks, or DDoS for the sake of DDoS.
But I had a great discussion with Michael Smith, who used to be with Akamai and is now with Vercara. And, you know, just 10 years ago, he and I were exchanging points on the DDoS trends when we still had U.S. financial institutions being shut down. And it was fun to sit down after 10 years and see how things have changed, but how they haven't, as well. So some terrific discussion. Some highlights for me were talking with Michael Smith, certainly, and talking with Erik Decker, the VP and CISO of Intermountain Health; he was at Black Hat to make a presentation on renewing cyber insurance and what you need to do to qualify today, and made some excellent points about, for instance, what the five critical controls are that you have to have, including multifactor authentication; what you do to make your case to your insurance broker to show the strength of your program; and how you leverage the strength of your program, not to get a discount, because insurance discounts don't necessarily happen, but to get more value from your investment. And then some terrific discussions as well on quantum computing, on what our speaker was calling the quantum divide: the haves and the have-nots. And, Michael, you take it away as well. Between the two of us, I think we had every conversation that could be had. That's excellent insight that we look forward to sharing with our audience.
Novinson: I can take it from here. And I'm going to double-click on a couple of the items you brought up, Tom. So in terms of generative AI, one particularly interesting conversation I had was with Jeff Pollard of Forrester; he was really talking about this idea of shadow AI. So if you think about shadow IT, it's those BYOD devices that an employee brings in that the central IT department doesn't have visibility into. What's going on here is that a lot of technology companies are embedding generative AI into existing tools, in hopes of eventually getting customers to pay for them. So they embed it now at maybe a more basic level, and as the technology improves, and as they make more investment, 18 months from now they can start charging these customers for a premium version once they've gotten used to using generative AI in the product and they like it. The challenge for the security department is that since these are tools that the company already has, they have no idea where the generative AI is being embedded. And since it's not a new piece of technology, they have very little visibility into where this is happening, and how to wrap their arms around it and put their organization's policies around generative AI in place for these technologies. So that's a big challenge that he sees emerging. Some other interesting conversations were about bringing generative AI earlier in the life cycle, taking it from the security operations center and remediation and incident response and applying it to preventing and detecting threats, as well as a conversation about constructing large language models and the benefits of a private language model and how to train it with the sensitive data that organizations have, that PII, that IP, while at the same time keeping it secure.
Outside of the generative AI space, a lot of conversations on my end were about ransomware - an interesting divide, almost like that cyber poverty line. In the large enterprise space, the most sophisticated ransomware actors are moving away from traditional encrypting ransomware; many are moving toward encryption-less hacks to evade detection by law enforcement, to stay off the radar, and to help victims also avoid publicity if that's something they want. And they've found that they're able to get the payoffs that they want without the time and complexity of having to lock down all the systems across the organization. Below that poverty line, small and midsize businesses are getting increasingly targeted, as the barriers to entry for small ransomware actors are pretty low. A lot of this stuff is just out there. And given that the cost is low, even hitting up dentist offices or law firms for a couple hundred dollars a pop is worth it, since there's not much upfront expense for these groups. In the DDoS world, I had a really interesting conversation with Kevin Schroeder, who oversees cyber enforcement in the U.S. Attorney's Office, who's going into DDoS for hire, which is really the services that some financially motivated actors are using, but it's a lot of teenagers who are just tapping into them, trying them for gaming purposes, trying to stifle their opponents. And she was talking about the challenges of just trying to arrest your way out of this, and ways that they can partner with law enforcement, with the private sector, with academia to try to deter this behavior, because the fear is that if you have teenagers who are doing DDoS, what types of cybercrime are they involved in in their 20s or 30s? I'm going to call it a case study: they had a security strategist over at GitHub who talked about rolling out multifactor authentication to their entire developer community.
He talked about some of the challenges that they encountered upfront in terms of user interface, in terms of user lockout, and talked about some of the different types of MFA and how they're trying to steer people away from those text-based notifications toward more secure second factors like YubiKeys, or physical keys, or prompts from the mobile phone itself. And he also talked about the need to verify that second factor: when people are just trying to initiate 2FA, if they're being forced to, they'll just choose whatever is easiest as a second factor, and they'll forget about it very soon thereafter. So what they found is that by circling back 20 days later and saying, "Hey, this is the second factor you chose. Is this still what you want? Do you still remember what it is?" actually 25% of users switched their second factor at that time. So he found that to be a very effective way of avoiding having users locked out down the road. So those are some of my favorite conversations from Black Hat. I can't wait to share the videos with all of you.
Field: Exactly. I've got to point out something. Before we arrived there, Mike and I were talking about what we thought the big themes were going to be. Of course, we talked about generative AI and ransomware, and Michael said SEC compliance is going to be big, because everyone's talking about it. So the first guest we had, I asked about SEC compliance, and he thought I was talking about U.S. college athletics. It was a very different discussion.
Delaney: There could be you teaching him something, then. That's interesting: rich conversations, rich takeaways. I really appreciate that. And we can't wait to see the videos. Back to AI for a moment: did you get a sense from the experts you spoke with that organizations are actually prepared to integrate these new innovations in AI? And what do they need to do to get their house in order before implementation?
Field: I would say that the word of the day is proof of concept. I think a lot of organizations are there right now, and trying to figure out exactly what they can be doing with this, what they shouldn't be doing with it. And a lot of this is in the basement still. But Michael, I'll defer to you.
Novinson: I would tend to agree. I think that the conversations have leveled a bit. And some folks are still talking about how hackers can use it to write emails that are more convincing if they're not English speakers. People are recognizing the shortcomings of it in terms of producing new and novel malware. But in terms of how to apply it, it seems like there are still maybe some larger enterprises exploring those either open-source or proprietary large language models. But I think it's still really early days, both on the IT side in terms of uses and then on the security side for how to safeguard it.
Field: But that said, this horse is out of the barn, I have never seen a technology take off and get from zero to 60 as quickly as generative AI has over the course of this calendar year. It is not going away. And it's something that we all are going to be dealing with in one way or another and something as an organization, ISMG, that we're going to address.
Delaney: Sure. Well, as I said, we look forward to those videos, can't wait. Thank you. Matt, moving on to out of control hacker teenagers. It seems that the U.S. government is studying the methods of amateur hackers, many of them teenagers with little technical training. But the reason they're doing that is to learn from them because they've been so adept at reaching large targets. Tell us more.
Schwartz: Yes, so the goal here is, as you say, to learn. I don't know if we'd say from them so much as to warn others of their impending doom - sounds a bit grandiose, but just to pull back the lens here for a sec. We have in the United States now a Cyber Safety Review Board that was launched by executive order, signed into existence by President Joe Biden in 2021. It took a little while to get going, but last year it issued its first report, into the Log4j vulnerability Log4Shell, and looked at how that was an endemic vulnerability and made a number of recommendations around getting those sorts of vulnerabilities identified and patched, and things that need to happen with the software supply chain to improve basic cybersecurity resilience. And that is the theme for these hacker teenagers, as you note, for what is now the second report from the Cyber Safety Review Board, which is modeled, not identically, but modeled on the NTSB, the National Transportation Safety Board, which looks into airplane crashes, aeronautical disasters, that sort of stuff. More on that in a moment. So what did we learn from these hackers, many of whom were teenagers, loosely affiliated, a group of about eight to 10 of them who came together under the banner of Lapsus$ - U.S. dollar sign just to look extra scary. And they operated from late, I don't know, September 2021 until late 2022. Some of them have been arrested - alleged members of the group have been arrested - but they haven't all been, but it looks like the group has probably wrapped up its activities. So what can we learn from how this loosely affiliated hacker group, some of them teenagers, were able to compromise dozens of well-defended companies using low-cost, low-complexity attacks? That is the mission statement as encapsulated by the Cyber Safety Review Board's deputy head, which is Google's security chief, Heather Adkins.
And the board's led by an under secretary of the Department of Homeland Security; they've got the oversight of all this. And they said something similar, but I thought they really nailed it here: you have a group of attackers who have taken down lots of organizations using very low-level attacks. For example, just to pick up on a couple of the themes that have been sounded in the course of this episode, multifactor authentication. That's one of the big takeaways from this report. Not everybody that this group went after fell victim, and the ones that didn't fall victim, the ones we don't even know about, are the ones, by and large, that had multifactor authentication - not just multifactor authentication, but ones who were using, like Michael said, YubiKeys. So a dedicated piece of hardware, or what they recommend is smartphone apps, so that you're generating, like with Google Authenticator - other apps are available - a one-time code on the device itself. They criticized - that's a strong word - but criticized anyone who's still relying on SMS-based authentication. You might remember that NIST called SMS-based authentication, where you get a text message with a one-time code, deprecated, I think back in 2016. And yet, I don't know how many services you use, but certainly I am using a number of services, including from my banks, which rely on a one-time code that they send me. Lapsus$ was good at SIM swapping, so they were able to clone people's mobile phone numbers, cell phone numbers, and intercept their one-time codes. And they used that to good effect to break into companies. They also made wide use of initial access brokers, as do other kinds of cybercrime groups. And this report isn't just really looking at Lapsus$; it's looking at Lapsus$ and similar kinds of groups. With initial access brokers, for 50 bucks, 500 bucks, maybe $5,000, depending on who you're going after, you can buy access to an organization.
And if you want to take them down, extort them, deploy crypto-locking malware if you're a ransomware group, this is a good return on investment, and groups are using it because it works. So those are just a couple of the takeaways from the Cyber Safety Review Board, urging organizations, saying, "Look, these are teenage hackers, this is low-cost, low-complexity, please stop them." Because it's not just teen hackers who use these tactics. Anyone who wants to break into your network - a more audacious cybercrime group, organized crime, Mafia-type people, nation-states like North Korea or Russia - they will use as little as possible to get into your network. There are teenagers who can do it. Much worse is on your agenda. So please get your house in order. So that's the big takeaway here from their latest report.
Delaney: Very clear. Just tell us a bit more about the Cyber Safety Review Board. You mentioned it was set up in 2021, tasked with reviewing major cybersecurity incidents impacting the U.S. But how much teeth do they actually have, and what happens to their investigations and recommendations?
Schwartz: They are in the business, I'd say, of gentle nudging. I'd say they have no teeth at all, which is the unfortunate part here. We have a legislative and regulatory environment in the United States where, for certain regulated industries like healthcare, or if you're a publicly traded company, there are enforcement measures that can be brought against you. But in general, there's nothing forcing people to do any of this stuff. It's not like you're an airplane manufacturer and you've done something that's causing them to crash, and legally you're required to fix that. We're not seeing the same thing here. There have been moves by the Biden administration with its cybersecurity strategy to try to create, as part of this overarching strategy, some liability. That has not been warmly received. And the Biden administration acknowledges it could be two decades before they even get this in place. So we are seeing good moves in good directions. With the first report, that looked at software supply chain problems. That report came out a year ago; certainly the problem hasn't been fixed. Hopefully, it'll give some impetus for CISOs. Hopefully, they can drop this report on somebody's desk and say, "My authenticator-based multifactor authentication program, please." Hopefully, that'll help. And then we have a third report that's going to be coming out, which is on the heels of the massive hack of Microsoft Exchange Online, and the board's going to be looking at that. And I should emphasize, again, it's a public and private board. It has excellent people on it. Excellent insights, really great reports. They're going to be looking at the massive hack of Microsoft Exchange Online, as well as other cloud environments. But as you say, some of the initial reaction from the cybersecurity community has been, "Boy, wish they had subpoena power, or wish they could hold people to their findings."
Delaney: Matt, thorough insight, as always, thank you so much. Michael, back to you. Security vendor Check Point has snapped up Perimeter 81 for $490 million. Tell us about this deal.
Novinson: Absolutely. It's a fascinating acquisition from both a technology as well as a financial standpoint. Let's start by talking a little bit about the technology here. So Perimeter 81 is a relatively recent company, founded in the past half-decade, and they were really focused initially on the zero trust network access piece of the equation, and they were focused on making it accessible to the masses. This was seen as a critical component of SASE, and you had something that, in terms of time required to implement, in terms of cost and manpower required to implement, was only available to large enterprises. They really streamlined the process of bringing ZTNA to the mid-market, to the SMBs, with deployment in an hour rather than in weeks, with a deployment that's largely automated, with a deployment that doesn't require almost any hardware. So it made ZTNA much more accessible, and this was really their claim to fame. More recently, they tried to broaden out their portfolio. They did add some secure web gateway capabilities over the past year. But where they're well-regarded is in that ZTNA space; they were actually named by Forrester in 2021 as a leader in ZTNA alongside vendors who are much larger than them. So Check Point here is trying to figure out how they want to play in this SASE, secure access service edge, market. So they announced that they're going to be building out an SD-WAN capability of their own in February, which is behind Fortinet or Palo Alto Networks, Cisco, all of which have been doing SD-WAN for a number of years. And they do have some capabilities on that security service edge side. But they were not recognized as a leader in SSE by Gartner earlier this year, unlike Palo Alto Networks and Cisco, which were toward the top of that quadrant. So Check Point here got themselves some strong ZTNA capabilities.
But the thing is that while Perimeter 81 was very good, they are narrow, and while people are talking about single-vendor SASE, Perimeter 81 couldn't even do single-vendor security service edge. And they were partnering for the CASB piece of it and relying on partnerships for some of the other ancillary capabilities like remote browser isolation. So it gives Check Point some really good expertise in certain pieces of security service edge. And then what they're going to need to do is integrate that with some of their native capabilities to build up that security service edge suite on their own. Neither Perimeter 81 nor Check Point even made the security service edge Magic Quadrant that Gartner put out earlier this year. There are 10 vendors in there; neither of them were there. The question is going to be: if you bring the two of them together, do they make an appearance on that leaderboard? And if so, how high up?
Delaney: You obviously have been covering many of these M&As for a long time now. So what's particularly unique about this case from a financial perspective?
Novinson: Absolutely. And that's what caught a lot of people's attention. People have been wondering, with the market downturn we've seen, what does it mean for startups? And there's been a lot of attempts to kick the can down the road; people have done debt financing, people have extended the runway through layoffs. But at some point, people are going to need an exit event, whether that's another funding round, whether that's going public or whether that's being sold, and at what value is that going to happen? So what's fascinating about this Perimeter 81 case is that they're actually a unicorn, meaning a $1 billion U.S. dollar valuation. Just 14 months ago, in June of 2022, they revealed their unicorn status at the RSA Conference that year. So 14 months later, they're worth 51% less. This transaction was $490 million, so they're worth not even half of what they were worth 14 months ago. That's not because their business was shrinking or anything like that. It's just how the market values go, and we're going to see a major trickle-down here. We saw Cybereason raise a new round of funding; their valuation was down 90% in order to get that money. And the reckoning is here: people have extended the runway as much as they can, and they're going to have to figure ... investors and companies are going to have to accept serious downgrades. People were valued in a certain way, which was focused purely on growth and not necessarily on profitability or on exit strategies, and companies are worth a lot less now than they were a year ago. And we're not just talking like 15-20%, which we've seen with companies like OneTrust or companies like Snyk that took a small valuation cut to raise more money, but we're going to see serious, meaningful valuation cuts.
And then the trickle-down effect is: what does that mean in terms of VCs and private equity firms? The folks who led that billion-dollar funding round made 49 cents on their dollar; that's not great. So what does this mean in terms of willingness to invest in mid-stage, late-stage startups? Probably early stages are still secure, since the exits are far enough away. But for those mid-stage and late-stage funding rounds, how willing are people to go in and do these right now, given the depressed valuations of the market? And how willing are companies to say, "I guess we are worth only a fraction of what we thought we were worth 12-18-24 months ago"? So we are getting some data points here. And I think we're going to see a lot more exit events, whether it's a sale, whether it's another funding round, in the months to come.
Delaney: Excellent overview.
Field: What I heard last week, Michael, was that tourists have left the investment market. And that leaves the residents there to pick up the slack. It's going to be a different market.
Novinson: And I can guess exactly who said that. I would agree on some of these companies. And some of these folks who gave these really high valuations. Yeah, we do not have a document insecurity and have not really made too many investments since so. Absolutely correct.
Delaney: Thank you. Well, finally, and just for fun, imagine AI as a pet. So what tricks or skills would you teach it to help protect your digital realm?
Field: Well, I would say if you're talking about large language models, AI already knows how to fetch. So that trick is off the charts. But I would also say that AI as a pet is most likely a cat; in that case, it doesn't have masters, it has attendants.
Delaney: Like it!
Schwartz: I would have it alert me to strangers or strange behavior or strange activity: stranger danger.
Delaney: Love that. Michael?
Novinson: This one stumped me. I was thinking about playing dead, and I know that works for natural predators in the wild. I wonder, like honeypotting or deception technology, if there are ways that AI could play dead in the wild against cyber adversaries and cause them to move on to more appealing targets.
Delaney: He says that with the dinosaur behind him. T. rex. I've got "patch pounce." So upon my command, my AI would pounce on software vulnerabilities by finding and applying the latest patches to keep my systems secure. So one can only dream. Maybe not for too long, though. Well, Tom, Michael, Matt, I really enjoyed this. Thank you so much, and thanks so much for watching. Until next time.