Ryan Weeks, CISO at Datto, the global provider of security and cloud-based software solutions purpose-built for MSPs, sits with IT Europa Editor Carl Friedmann to discuss his priorities and the heightened sense of vigilance we must all adopt to remain safe as new threats, and versions of old ones, gather pace.
Can you describe the current threat landscape and what is of particular concern?
Since November, I've been paying close attention to the rate of information dumps from info-stealing malware. There’s an info-stealing malware called Redline that’s currently dominant, and in January there were over 10 million credentials dumped within a three-week period. That is just one example. You have increasing credential theft and emerging abilities to bypass weak multi-factor authentication (MFA) configuration, which ultimately lead to ransomware. Where I'm focusing is on how to kill ransomware attacks earlier in the chain. Another priority is the need to revisit the strength of our second factors so they can’t be easily bypassed, which means hardware tokens that, when securely configured, make it impossible for threat actors to bypass MFA. The tactics threat actors use are very basic, but they’re evolving. If we don't get ahead of the next evolution, our risk of adverse cyber events will only increase. We also need to remember that info-stealing malware isn’t just stealing passwords; it’s stealing session cookies for websites you're logged into, which for some SMEs and MSPs are critical management tools. To respond to what we're seeing, my call to action for MSPs is to increase the strength of their second factors. Most MSPs will react when the first big attack happens and weak MFA methods are evaded. By then, however, the technique will be so widely used that you’re already behind. The time to act is now; that’s what we are doing at Datto.
So then it's too late. It's a reactive more than preventative move.
Having a threat-informed cyber defence means knowing your enemy, what they do, and how they do it. Knowing your enemy is crucially important to establish an effective, threat-informed and risk-based security programme to ensure cyber resilience. It can help you be proactive in your defence.
But how well can you truly know your enemy considering how they shapeshift and how the battlefield is constantly evolving?
There's fear, uncertainty and doubt when it comes to threat actors. It feels as though everyone is advanced, but we rarely see innovative techniques being used. When a tactic works for one, others follow and it becomes a common technique. While we don’t have a crystal ball, it’s a certainty that threat actors will try new techniques. But the rate of innovation is far less than the rate of success they’ve had using established techniques. So it's easy to understand the tactics that enemies are currently using. To ignore existing techniques is like saying, "I'm not going to implement 90% protection because I'm not sure what the other 10% is." No reasonable person would reject that insurance policy. Instead, they’d say, "I'm going to get 90% protection and then study gaps in my defence to mitigate against the remaining 10%." For these techniques, you're going to have comprehensively defined infrastructure against both existing and new techniques. In 2019 we did a webinar with other channel vendors about MSP security and ransomware attacks, and we put together a document of everything that MSPs needed to do to protect themselves against the threats. I periodically revisit that document, and there’s nothing new we need to add that isn’t already in it.
Is the rate of success with ransomware based purely on the sheer quantity of it, rather than the innovation? Is that the pattern you see evolving with threat actors?
There are many factors. There's a bit of pencil sharpening when it comes to threat actors, like those 10 million credentials from one info-stealing malware. Even if 1% of those credentials are valid, that's hundreds of businesses compromised, if not thousands. So the rate of success is also tied to the complexity of building effective programmes that understand all of these techniques and have layers of defences in place. Threat actors are creating mass exploitation utilities, and when you add attack automation with phishing botnets and credential stealers, it contributes to their success. Once they get a foothold, they can lie dormant for months, creating large queues of potential victims, and they then try to figure out which ones to hit and in what order. So just like that, they have a scaling problem. Then there's the war for ransomware affiliates, and that's difficult because of building trust in the affiliate network, but it’s not a doomsday scenario. We need to get serious about implementing a baseline security programme that complies with some standards; however, the insurance industry is going to push MSPs and SMEs in that direction anyway.
You mentioned crystal balls earlier. It's difficult to anticipate or prepare for new threats, but is there an element of predictability?
The best time to handle a breach is before the ransomware ever hits, during the initial access stage of the attack. There's tons of intelligence out there about different malware that can be used to maintain persistence and backdoors that are precursors to ransomware attacks. MSPs can use that intelligence to search their environments for signs of those footholds and evict threat actors before they act on their objectives and deliver ransomware. It’s just a question of whether they have the right expertise, access to knowledge and the right processes to do that type of hunting. It’s not impossible, but they just haven't focused on it.
Is it also a question of education then? Do MSPs need to get smarter about what’s out there?
It’s a multifaceted issue for MSPs. Some need a lot of education, others just need some guidance because they understand the threat, while others think they don’t have the right technologies or can’t put the right tech stack together. But to have a chance, you have to know how your enemy will behave when you go into battle with them, which should inform your technology choices beyond a rave review on Reddit. It’s difficult to put all the pieces together, but the revenue upside for MSPs that do is outpacing their peers because they’re turning that intelligence into billable protection for their customers, which also makes their customers safer. It can be difficult for MSPs to gather intelligence about the threat actors they’re facing; that’s why my internal threat management team is continuing to provide MSPs with free monthly threat briefs that contain information on detection opportunities. Effective threat intelligence and threat management can be very daunting, so one thing we try to do is distil information into an easily digestible form, which makes it highly actionable. We tie observed attacker techniques back to the CIS controls that defend against those techniques.
So it comes down to cost in many ways and having the resources available. But how do you discourage people from pursuing cyber criminality considering the lucrative appeal and relative lack of punishment, if any at all?
This is what makes cybercrime a wicked problem, like homelessness or addiction. There's probably never going to be a complete cure. We have a moral imperative to try to manage a wicked problem to its lowest possible level. It's a simple question with a complicated answer. We need to figure out how to incentivise people who would go into cybercrime to become good actors. When someone finds a weakness in your company, we should make it more attractive for them to disclose it. We talk about deterrence, but there are always safe-harbour nations where it’s difficult to hold threat actors accountable. We just need to keep chipping away until we make it so unattractive that people don't want to do it. We haven’t achieved that yet, but we need to keep trying.
Sounds like it's more a pursuit of risk mitigation rather than risk elimination.
We're always going to deal with this problem. Like Covid, this is endemic now. We need to stop thinking about it as something that's going to go away and start thinking about how we live safely with it. The way we implement practices in our daily life to minimise the Covid threat is the same with cybercrime. It's here and we have to manage it. It doesn’t mean we're not going to keep researching a cure, but I think for the foreseeable future, that’s not in sight. We just need to implement the best hygiene to reduce our exposure to cyber events and boost immunity.