[00:00:19.550] – Jason Pufahl
So, it is the end of 2021. I think we’re going to do the obligatory 2021 year-in-review episode. We spent some time talking about this, obviously ahead of time, and I think selected four or five things that we would consider to be reasonably substantive but try not to touch on everything that happened over the year.
[00:00:42.760] – Jason Pufahl
We debated the first one a little bit I think early on because 2020 probably marked the year of the transition from the traditional office environment to homework. But I think 2021 has seen the solidification of that.
[00:00:59.160] – Jason Pufahl
We flirted with the idea of going back to the offices for a variety of reasons, or maybe haven’t. But, work from home is now pretty well embedded in the culture. I think people expect that to be the norm going forward. I think people expect that as they’re talking to employers. From a security standpoint, I think that’s been a big change. I don’t see any [inaudible 00:01:19] that it’s going backward.
[00:01:21.530] – Matt Fusaro
Yeah. We thought we were going to be going back into the office, and that did not happen. With that being the new standard, we had a lot of people reach out to us over the year wondering how they could better deal with it. A lot of places had no remote management of their systems. They just expected that the systems would be in the organization or, if they were going to be out, they’d be out for a short period of time. That definitely didn’t happen.
[00:01:51.380] – Steve Maresca
And that sea change certainly today has echoes, as you’re suggesting. Organizations are trying to claw back the systems that they procured and let out the door in a hurry. Data is not necessarily under the best control. I think it’s still a problem that many organizations are struggling with.
[00:02:11.310] – Steve Maresca
Certainly, quite a few have returned to the office as a subset, but the truth is that a decent enough proportion still have people out or are contemplating returns to home at the moment. It’s not going away.
[00:02:24.500] – Steve Maresca
The same problems that we experienced in 2020 still persist. We’ve had multitudes of conversations about remote access struggles, facilitating policy across the perimeter that no longer exists. It’s a struggle, and I don’t think anyone has really tackled it completely.
[00:02:47.750] – Matt Fusaro
Yeah. I think it’s going to actually be very interesting when we see companies trying to maybe consolidate all these new services they bought to support all this. So, you’ve got a lot of places that signed up for different remote meeting types of software. You’ve got VPN implementations that happened. They’ve opened up services they wouldn’t have normally opened up.
[00:03:10.730] – Matt Fusaro
That’s definitely hit people pretty hard, and that’s why ransomware has been such a big deal this past year, right? We saw a lot of purchases that maybe are going to get reevaluated or changed.
[00:03:24.110] – Steve Maresca
Some will stick around, certainly. The hurried move to home wasn’t necessarily coupled with multi-factor, two-factor deployments. This year has seen a large number of them continue supporting that type of work as well as more generally protect the environments, of course. That’s a net improvement. But it’s the coupled component to what you just mentioned, Matt.
[00:03:49.910] – Jason Pufahl
It’s not just security, though, that has changed as a result of this. We’re seeing just connectivity in general be much more important in the home. Potentially, you’ve got your kids or a spouse that are home. You’re competing for bandwidth. A lot of the collaboration that you referred to in terms of the Zoom, the Teams, the GoToMeetings, those are all bandwidth-hungry apps.
[00:04:13.080] – Jason Pufahl
If you’re going to be home, some companies now are talking about dedicated connections for their employees and actually making modifications to that home office, where in 2020 it was probably much more like “go home and use your cable modem.” It doesn’t always work.
[00:04:27.820] – Matt Fusaro
Yeah. The providers were as nice as they can be. I know a lot of them took their bandwidth limits off for a while. I think a lot of that has come back or is coming back at this point. I know my provider is definitely back with it. So, some people are going to be getting bills that they don’t exactly want.
[00:04:46.070] – Jason Pufahl
Yeah. There are opportunities to make some more money if you’re in the data-moving business. Obviously, 2021, just a tremendous amount of ransomware. We refer to it often as the “security plague.” It’s been a huge cause of mostly every incident response job that we’ve done, maybe a couple of specifically targeted ones, but largely it’s opportunistic ransomware opportunities.
[00:05:16.710] – Jason Pufahl
And hugely effective, generally common ways of getting that foothold, phishing and exploiting patches, and missing vulnerabilities, but tons of them. I don’t see any reason to expect that they’re going to slow or stop in the year ahead.
[00:05:32.640] – Steve Maresca
And certainly, ransomware is not new in 2021. The biggest thing that we want to convey at the moment is that the sophistication, rigor, and general complexity of attacks has largely shifted.
[00:05:44.810] – Steve Maresca
All along the way, it’s been caused by vulnerabilities at the perimeter. It’s caused by identity theft or credential theft and similar types of weaknesses. But in 2021, the biggest change was a shift from merely encryption to behavior where exfiltration of data is almost a guarantee, especially at the tail end of 2021.
[00:06:07.970] – Steve Maresca
It’s referred to by some organizations as “double extortion.” You’re paying to recover your data and preserve some of your reputation because your organizational data is out in the open. That’s not going away. If anything, it’s becoming the de facto expectation of a ransomware attack.
[00:06:25.630] – Jason Pufahl
Honestly, it’s awfully clever. The first time that we ran across the double extortion I thought, well, that makes sense. If you’re looking to get money, that’s the way.
[00:06:35.410] – Steve Maresca
It sure is.
[00:06:38.930] – Jason Pufahl
You’re absolutely right, Steve. Ransomware has been around a long time. I think for us, what we felt was most substantive was the shift a little bit towards infrastructure-style attacks. We saw some really newsworthy events, Colonial Pipeline being one certainly where I think the risk of critical infrastructure being targeted or services that you’re used to being impacted from these is just greater, and you’ve no reason to expect that to go back.
[00:07:08.490] – Steve Maresca
Right, and other topical things that were in the news, the meatpacking plants being attacked. Most recently in the last week or so, Kronos, the time-keeping company being attacked, many employers affected as a result. Ultimately attacks against organizations that have greater involvement in everyone’s day-to-day life, regardless of their employer, regardless of their industry. That’s the next…
[00:07:33.890] – Jason Pufahl
Yeah, this is really front and center now. You don’t just hear it on the news because your local school got ransomware. Now it’s I’m not getting packages, or oil prices are being affected, things like that. It’s much more front and center now.
[00:07:49.690] – Steve Maresca
Right. They bleed into the real world. These attacks cause purchasing changes as you’re alluding to. Certain parts of the Eastern Seaboard had no gas for three weeks because people decided to buy it in a panic. Doesn’t mean there’s a supply issue necessarily, but these are the downstream effects of attacks of this variety.
[00:08:10.740] – Matt Fusaro
Another thing that changed a lot, too, was the things we learned about a lot of the groups that are doing this. It’s almost frightening to think about a lot of infrastructure that we care about—things like power plants and things that drive daily life—are really hanging on some spoken agreement that a lot of these groups just won’t go after.
[00:08:36.110] – Matt Fusaro
That can be broken at any time for any reason. There’ll be groups that are just not going to participate in that and do it anyway. But the intelligence that we got out of government intelligence, in the US, at least, they have struck deals with these people to say, “Hey, don’t touch this.” And we don’t know what that’s going to look like in a year from now.
[00:09:00.620] – Jason Pufahl
Interestingly, the group responsible for Colonial Pipeline, in a certain way, I don’t think fully expected the outcome of their actions. They stepped back and actually apologized for the attack on the infrastructure because I think they felt the whole weight of the government coming down.
[00:09:16.030] – Jason Pufahl
These tend to be ROI-driven events and not necessarily, “Hey, I want to cause this huge disruption.” I think, in that case, it was more than the attacker bargained for.
[00:09:27.740] – Matt Fusaro
Yeah. This was the first year I believe that there was actually some type of interaction with them and reaction if you will. They tried to shut down an entire group, which has not been done yet.
[00:09:40.110] – Jason Pufahl
But there’s also that push of “Let’s not negotiate with terrorists to some degree,” right?
[00:09:47.580] – Steve Maresca
Right, and actually, that’s where I was about to go.
[00:09:49.730] – Jason Pufahl
[00:09:51.150] – Steve Maresca
Matt mentioned the government, so naturally, I’m thinking about the Department of Treasury. The guidance that’s been issued by federal law enforcement is effectively that thou shalt not pay a ransom. It’s obviously a good idea for the organizational bottom line, but at the end of the day as well, there are treaties, there are embargoes, there are a variety of reasons that you don’t want to support organizations that are themselves performing ransomware attacks.
[00:10:23.370] – Steve Maresca
Ultimately, if there are regulated areas of the government, if there are regulated businesses, it may actually reflect very poorly on those organizations if they are to pay a ransom. So, the directive ultimately is to avoid it.
[00:10:40.100] – Steve Maresca
I think that that’s a unique change. It’s come out of CISA. It’s come out of the Department of Treasury. Typically, prior to that, there were really no comments about whether an organization should or should not pay. It’s a notable change that at least in 2021 people should be aware of if they weren’t.
[00:11:00.210] – Jason Pufahl
I think that it’s easy to say a lot of organizations have gotten better about their data backups. So, the risk of legitimately losing data and having that huge business-impacting event is a little bit lower. I think people understand how to protect themselves against ransomware, and frankly, that’s partly what makes that double extortion concept so brilliant.
[00:11:21.920] – Jason Pufahl
Ultimately, they’re saying, “Hey, you probably have access to your data and can restore, but by the way, we also have access to your data and we’re going to release it.” It’s an interesting evolution, and I think it’s one of those where an action causes another reaction and then other things you have to think about that probably, frankly, weren’t anticipated when this was going down.
[00:11:44.170] – Jason Pufahl
In a way, I hate to say, but kudos to being clever. These things evolve and I think it’s really important to watch how these change so regularly.
[00:11:53.510] – Jason Pufahl
The other big thing I think that we’re seeing is a variety of entities. I’d say insurance carriers being one. There’s legislation in some cases that are suggesting that people develop more mature security programs. I think we’re finally seeing now not just vague references in specific industries to adhere to a security standard, but a much broader outcry to say, “If you follow a security standard, you’re going to have a better security program with less risk.”
[00:12:24.360] – Jason Pufahl
We’re seeing that push and we’re seeing that trend over and over now, and I think we’re finally getting to a point where people have to adopt or really have to reasonably consider a security standard to align their security program to.
[00:12:36.030] – Steve Maresca
Historically, the norm was, it’s probably a good idea to follow security best practices. Now, the shift is, all right, we ask you to think about it before. Now, please demonstrate. That’s the bigger change, ultimately, if I were to boil it down.
[00:12:52.310] – Steve Maresca
It’s now necessary, even from a business-to-business standpoint to prove that data exchange and similar is protected in a rigorous way as well as the processes and controls in organizations to support that type of thing.
[00:13:07.500] – Matt Fusaro
Yeah. There’s just too much sensitive data and data that affects people’s daily lives at this point where these things are needed. It’s just a public protection type of thing. How effective that’s going to be remains to be seen. I think a lot of this is dragging its feet behind the progression of technology and threats and things like that, but it’s a start.
[00:13:29.600] – Steve Maresca
I’m somewhat encouraged to finally see it. Let’s be honest, in 2021, almost every person who has credit cards, credit agencies, you name it, some degree of insurance against identity theft, they’ve had their identity stolen. They’ve received a notification.
[00:13:50.490] – Steve Maresca
The fact that it’s a norm, and it’s taken organizations until 2021 to have more rigor about actually pursuing security maturity is unfortunate, but I’m encouraged to finally see it.
[00:14:03.100] – Matt Fusaro
[00:14:04.020] – Jason Pufahl
I think we’re finally at a point where it feels like a well-organized discipline. We’ve all been in this field now for, give or take, 15 or 20 years. It started out with the network security person saying install a firewall to finally get into this point where you say there are things that you have to do to be more secure. I think people are listening to that and start moving in the right direction, which is great.
[00:14:27.750] – Jason Pufahl
I think, finally, we wanted to chat a little bit about the fact that 2021 was probably the year of some really high-profile vulnerabilities. Really impactful things to systems as commonplace as Exchange, for example, and probably more severe than previous years. Certainly, we feel that the vulnerabilities that we’ve seen have been more impactful to a broader base than probably before.
[00:14:54.750] – Steve Maresca
I think that’s accurate. The SANS Internet Storm Center raised its… They call it “InfoCON,” Defcon and similar, their level to orange. That hasn’t happened in a very long time. But more generally, I think the breadth of affected organizations of the vulnerabilities that occurred in 2021 is far more substantial than in previous years, and that’s the notable change.
[00:15:21.270] – Matt Fusaro
A lot of them were simple to actually exploit, too. I think that was the difference, too. Maybe what contributed to it being so high profile, especially Exchange and the most recent Log4j, is that these things did not take a lot of effort or sophisticated attackers to do anything with, and it’s stuff that runs a lot of organizations; that’s why we’re seeing it so much in the spotlight.
[00:15:49.080] – Jason Pufahl
And aren’t easy necessarily to update. So I think what we’re finding here as a challenge is Exchange had multiple patches over multiple months. Exchange is hard to upgrade for a lot of people, and Log4j, difficult to really get clarity on how pervasive is it in your environment and what you actually need to fix. And you’re heavily reliant in some cases on hardware vendors to fix that and some other things. So high profile and not easy to address.
[00:16:13.910] – Matt Fusaro
Yeah. Log4j did two things. It really brought to the forefront the very basic thing that we tell everyone, that you need an inventory of things. Nobody had any idea where this thing is running. I think it took most organizations probably the better part of two days to actually find out all the software that they were using that might have that installed and to actually have that remediated.
[00:16:41.260] – Matt Fusaro
And then the other thing was realizing that you’re relying on software sometimes that… I think it was just a couple of people that actually manage Log4j from a code development standpoint. These things are propping up large enterprise-level type software and-
[00:17:01.470] – Jason Pufahl
And the support base is low?
[00:17:03.000] – Matt Fusaro
[00:17:03.790] – Steve Maresca
Well, that’s embedded everywhere. Exchange, everyone… Well, not everyone, but most organizations use Exchange. Most organizations with web apps or complex business intelligence, business management, HCM-type capabilities, they use Java stacks. It’s embedded everywhere.
[00:17:22.410] – Steve Maresca
The ubiquity of some of these underlying pieces of infrastructure means that even organizations that weren’t quite aware that they might be impacted were, in fact, when they looked a little closer.
[00:17:35.400] – Steve Maresca
One unique aspect of that is that the issues we’ve just gone over, ProxyShell for Exchange, Log4Shell, or whatever you want to call it, the Log4j issue, PrintNightmare. Those were all things that use deeply embedded components of the operating systems or application stacks.
[00:17:57.870] – Steve Maresca
Exchange and Log4j were largely vulnerabilities exposed over the network perimeter to the internet. Obviously, there are lots of internal apps that are vulnerable with those issues, but the point is that the accessibility of some of the vulnerable services was unusually high with some of the vulnerabilities in the last year. That’s a defining factor because the whole world was left scrambling as a result.
[00:18:23.720] – Matt Fusaro
I think what this past year showed us is that if there are weaknesses in software that gets used quite a bit, people are going to find them now. There’s just enough people looking. There’s better tools out there now that used to be very difficult to use. They’re actually very accessible, or in some cases, open-source completely. It’s not very difficult to get into this anymore.
[00:18:47.550] – Steve Maresca
Other infrastructure that meets a similar level of ubiquity, virtualization, VMware. Hypervisors are now being attacked. Certainly, we’ve seen that in some of our incidents in the last year, and it makes sense. I would want to attack VMware infrastructure if I were a malicious entity. It’s just easier to undermine systems that are otherwise better protected.
[00:19:11.590] – Steve Maresca
And I think that that’s the biggest takeaway. Vulnerabilities are being prioritized for those that have the largest possible impact with lowest effort and certainly, that’s of course the goal from any security researcher or malicious entity’s perspective.
[00:19:30.700] – Steve Maresca
But the fact that we’ve had so many so quickly over a multitude of months is cause for a lot of pain in 2021, compounded by the fact that it seems as though each of them has had multiple patches that didn’t quite resolve them.
[00:19:47.490] – Jason Pufahl
Actually, there are two things that have jumped out to me over the year. I feel like there’s been a variety of times where we’ve all sat in the room and said, “Well, I’ve never seen that before.” I don’t feel like in the last couple of years I’ve had those discussions. The double extortion stuff, the first time we saw it, we’re like, well, that’s something, and the attack on VMware specifically, in some cases we didn’t see.
[00:20:13.400] – Jason Pufahl
I think the other part is discussion around, hey, we need to craft communication to our clients, and yet we can’t give explicit guidance on how to address something. That’s been really challenging. We really like to say, here’s a known vulnerability or a new vulnerability, and here’s how you fix it.
[00:20:32.560] – Jason Pufahl
In a lot of cases, it’s been, here’s something really new, and by the way, we need to let this develop a little bit before we give you clarity on how to move forward. That’s been different for sure.
[00:20:44.830] – Jason Pufahl
We talked about four of them. Does any one in particular jump out to you as, hey, this is something I want to watch maybe going forward, or something that really makes you concerned about where we’re going as an industry, out of curiosity?
[00:20:59.840] – Steve Maresca
Vulnerabilities are sort of a constant background noise. There will be years where it’s similar to 2021 in terms of urgency and tempo. Others will be quieter. That requires constant attention. I think ransomware has been regularly in the mind of defenders for long enough that it’s still relatively well understood.
[00:21:24.910] – Steve Maresca
I would say that the things to keep in mind are more along the lines of the maturity requirements that are cropping out of the woodwork. Because they’re a bit of a surprise for some organizations, and we’ll be talking about that in a more detailed way for cyber liability for sure.
[00:21:43.040] – Steve Maresca
These are requirements that demand self-reflection and introspective attention from organizations, and a lot of the time that’s not prioritized. It’s now the time to think about that.
[00:21:59.370] – Jason Pufahl
That’s the one that jumped out to me. Honestly, I feel a certain amount of optimism that insurance carriers are pushing this a little bit more aggressively. That there are some regulatory requirements for certain industries that we’re seeing, but there’s a general… It feels like there’s more of a buzz around, adhere to a standard, and improve your program.
[00:22:21.430] – Jason Pufahl
It’s so necessary because I find so often we’re in that reactive space a lot in incident response. I’m really optimistic that we’ll move a little bit more into a proactive space and companies will start to really pay attention to these fundamental components, a lot of these frameworks, and make some improvements.
[00:22:43.370] – Jason Pufahl
So with that, as always, we welcome people to reach out to us on LinkedIn at Vancord or on Twitter @Vancord Security. Continue this discussion. I suspect there are people who would say, hey, there’s a bunch of really notable things that you missed in your 2021 year-in-review, and we’re all ears.
[00:23:02.940] – Jason Pufahl
If there’s something that you think jumps out to you that we just didn’t cover, we’re happy to either follow up that with a subsequent episode, or hear why maybe you think one of the things that we put in this list probably doesn’t belong there. We’re interested in all of that.
[00:23:15.370] – Jason Pufahl
As always, we hope you got some value out of this and found it interesting, and continue listening to future episodes. Thanks, everybody, for listening.
[00:23:23.930] – Speaker 1
Stay vigilant, stay resilient. This has been CyberSound.