Today, I want to talk about ransomware, and I want to pose a question: can we look at a ransomware attack as an attack chain, and can we identify a weak link in that chain?
Something, an opportunity, that we can abuse to make it harder for attackers to execute an attack. Maybe we can take control over the attack. That's the main premise. My name is Elliot.
I'm from Guardicore. This isn't in here, but Guardicore recently joined the Akamai family, and we're very excited to be joining Akamai and bringing Guardicore customers some of the Akamai security products, and Akamai customers the Guardicore security product. So we're very excited about that. So what are we going to talk about today? The reason I got to thinking about this topic was that I was doing another talk about the history of ransomware, and so I'm going to start at that point. I'm going to talk a little bit about the history of ransomware.
I'm going to explain the idea. I'm going to talk a little bit about this idea of disrupting attacks and disrupting the attackers, and then I'm going to tell some customer stories that I hope can substantiate this idea.
And hopefully, by the end of this, you'll be convinced. So, the history of ransomware. The first ransomware attack happened in 1989. That's a lot older than some people might think; it might be older than some people in the room, although looking at the room, I don't think so. But the first ransomware attack: a man named Joseph L. Popp had this brilliant idea. He was going to take these floppy disks, put them in envelopes, close them up, put a stamp on them and mail them all over the world to thousands of people, right?
10,000 people, more than 10,000 people; some people think 20,000 people. He was going to mail this floppy disk, and whoever was so inclined would put it in their computer, and there were reasons why they would do that. Eventually their computer would lock up. It would be encrypted, and at some point they would have to turn on their printer, and it would print out this page that said: please send me $189 to a PO box in Panama, by mail. That was the first ransomware attack, and it happened in 1989. Pretty bonkers.
It was called the AIDS Information Trojan, or the AIDS Trojan as researchers would call it. It's a terrible name, right? But it had a purpose, because if you think about it, in the eighties the AIDS virus was top of mind for a lot of people. It was a pandemic. People were interested in studying it, understanding how it works.
And he used that to basically social-engineer people into opening it. If that sounds familiar, that's because it's the same thing that's happening with COVID nowadays: COVID is being used all over for phishing attacks, to get people to open malicious emails. So that's a pretty similar story. Already we can find the first connection from this old attack to what we're dealing with today. So what else is there to talk about? So Joseph L.
Popp, by the way, after this attack was captured; he was arrested at the airport in Amsterdam, which is kind of funny, because I gave this talk last week in Amsterdam. It was the first time I gave the history of cybersecurity talk, so it was right there. But he was captured there, and he was actually captured because of the way he conducted this attack, right? The PO box in Panama led Interpol to him. And the encryption was very basic encryption, but it was able to cause damage.
If you think about it, some people aren't experts in security, especially not in the eighties, and when they tried to recover from this attack, they ended up deleting some of their information. What's worse, he used a mailing list with addresses of people who had attended WHO conferences on the topic of AIDS. So these were AIDS researchers who lost their data. Interpol came into the picture, they put him on trial, and they would have also locked him up, but the story gets a lot weirder. So Joseph L.
Popp turned up in court with curlers in his beard and cardboard boxes on his head. And the judge looked at him and thought, well, this man is crazy, because anyone writing ransomware in 1989, they think they're crazy. It's a crazy idea. Today, if we catch a ransomware writer, we'll throw him in jail, but not then. And so they thought he was crazy, and they let him go. It's an interesting story, and I really encourage people to learn a little bit more about it. I'm not going to get into the whole story, but the question is, what do we learn from this? Right?
What can we learn from this attack? I think the first thing is to look at the structure of that attack. It's almost identical to the structure of modern ransomware, right? You have to deliver the malware, you have to encrypt, and you have to monetize it somehow.
Not a complex theory, right? This isn't the moral of the story. But when you look at these three things, maybe we can ask ourselves: what is within our control? What can we still impact? From this first ransomware to today, we can see the evolution. While we had some impact on monetization, and we could still catch people throughout the history of ransomware, when we got to Bitcoin it became a lot harder to catch people, because it's almost completely anonymous. With encryption, from the very basic encryption that we could still impact and decrypt
in the old days, today we're looking at very strong asymmetric encryption, which is really hard to decrypt. But delivery is a point of control. This is a point where we can still impact, because you could look at the delivery, you could look at the history of it,
and there still hasn't been a point where we've lost control. This is still the point where we can exert the most control. That was part of what we could learn from this. Maybe not a huge conclusion, but when we look at an attack, we can look at how we could control what is within our control. I think it's important, when we look at ransomware, not to think of the ransomware as the beginning and the end, right? A ransomware attack is a complex thing. We need to unfold it like an accordion. The ransomware is just the tip of the spear.
The ransomware is just at the end, the tip of the spear. Before that, a lot of things need to happen. It needs to land somewhere, right? It needs to install itself, find a foothold. It needs to do recon, find out where it is and where it's going, and it needs to move laterally. And then, at the end, it will detonate. This is a good thing, because it gives us a lot of surface area to work with. It gives us a lot of opportunities to come in and disrupt the attacks.
So the question I want to ask is, what's the weakest point? You could come in pre-infection: you can try to stop spam emails, you can try to stop phishing emails. I think that's really good and really useful, but we know that these things get breached. You can create a very strong perimeter, and you probably should, but people get through that. So I wouldn't call that the weakest point in the attack that we could leverage.
It's still important. During the infection, you could come in with products like EDR; you want to try and see whether or not something is trying to install. The problem with that, and I guess I'm going to nitpick here, is that with EDR, if you cannot detect it, or if you haven't been able to detect it, and we know attackers are going to try and evade detection, then you're not going to catch it, and that's going to be a problem for you later on. Even if you're able to detect it, you need a lot of people there to monitor and observe,
and it might take too much time, especially when you're looking at an attack like a ransomware attack that happens very quickly. So in this situation I wouldn't call that the weak link, although it is valuable, and it is important that we continue to detect, respond and so on. Then there's the end of the attack. Some companies are trying to stop the ransomware as it encrypts. I think that's interesting. It doesn't work 100% of the time; I don't know if it works 50% of the time, but it works sometimes. It's not a perfect solution.
I don't think we're there yet, where this is the golden ticket. But what I think is the weak spot, the point where we could leverage the most, is the spread, the lateral movement. And the reason I think that is because I've never seen ransomware land on 10,000 computers at the same time. It just doesn't happen. They need to land; if they're lucky, they'll land on 10 machines, 20 machines, and then they'll spread. They have to spread.
It's non-negotiable, because ransomware needs to monetize, and what it can monetize increases with the number of machines it can impact. So my theory is: if we can control this. In a perfect world, we'll have very, very fine control over the network, the level of visibility we need and the level of control to stop lateral movement, and in this way really control the flow of an attack, especially with ransomware. And what we're talking about in this perfect world is basically zero trust.
This is something that people have figured out as a theory: network zero trust, workload-to-workload zero trust, server-to-server zero trust, machine-to-machine. The idea is, if you could have that type of visibility between machines, into the traffic between each and every machine, then you could see these attacks. You could see when lateral movement is happening. And if you have the ability to exert control over it, then you can stop it. And you need to do that with automation and orchestration,
because if you've ever tried a segmentation project, for example, if you do it manually, it's really hard. You need a software-based solution. So this is the idea of zero trust. And I want to try to tell you two stories, and I hope these stories can show you how powerful this zero trust idea can be. The first story is interesting because it's a post-breach story. The customer we're talking about wasn't our customer at the time. We had a partner who was working with this customer.
The partner found something suspicious in the network and called us almost immediately. We were there a few hours later, because they knew that our product is really good.
We could create that zero trust between machines, we could get that granular visibility, we could get that control, and they knew they needed something like that. So we installed on 200 endpoints, and this is what we saw. This is from the product, from the UI. What you're looking at is a lot of connections. This isn't what a network should look like. Ironically, I think it looks like a virus, which I find really interesting, but this isn't what a network should look like.
What you're looking at is around 20 machines that are infected and are trying to communicate with every other machine in the network through the SMB port. This is 445, and all of these connections are just these machines trying to communicate. We saw this and we knew we had lateral movement. We knew there was an attack going on at that exact moment. Now, lateral movement is noisy. Recon and lateral movement are noisy, because they need to happen quickly.
This isn't a low-and-slow attack where they're trying to mask what they're doing. No, they're trying to get around. So this is what happens, and it's pretty visible, pretty clear what's going on, right? So the first thing we're trying to do is find the source of the infection.
Now, if you have this visibility into the traffic, and if you have the software around it to provide the filters that you need, it's pretty easy to go back to the source. And so we were able to source the 20 machines that were infected. We were able to do that pretty quickly, and now begins everybody's favorite step, which is cleanup, or the isolation of these machines, if you can do it. There's a problem though, right? And this is why you need to exert very, very precise control for this to be worth your effort.
You need to have very granular control. The reason is that if you have a laptop or something like that, you could re-image it pretty quickly. But if you're looking at a server, and we were looking at a database server that was communicating with production servers in the environment, that's important. You can't just take that off the environment. You can't just isolate it. You can't just disconnect it without business impact. Luckily, we didn't have to. What you need is this level of granular control.
What we did is we put all of the infected machines that we isolated, within minutes, in a group, in a tag, and then we isolated only the SMB port, surgically, and we cut off the attack. At that point, if you have that type of control over your network, that type of visibility, you have control over the attack. The attack at that point, a couple of hours in, was stopped. Basically, what they did is they took all the infected machines, they blocked them, and they blocked the port where the attack was happening.
There was no need to do anything physical. We didn't need to deploy anything physical. It was all software based. We just put our agents on these infected machines and we stopped the attack from happening. So in the end, we were able to remediate, we didn't have to impact the business, and we stopped the attack within hours of it happening, all because we had that control over the network, the ability to look at the information traveling between machines and see exactly what's going on and stop it.
It took them 24 hours to fully recover, but it was over before it even started. And this is a post-breach story. I have another story to make another point, because post-breach is interesting, but it doesn't happen that often that we come in after. What happens normally is you buy our product, you're already installed, and you've configured your environment so that it works the way you want it to work. And so in this case, what's interesting is we identified the IOCs.
We analyzed the IOCs, and it was DarkSide, the same ransomware as the Colonial Pipeline attack. So it's a serious threat. And in this story, and this is a real story as well, the customer had the product installed. This is a much shorter story, as you might imagine. In this story, they started seeing the same thing: lateral movement. There's a machine on the network.
Why is there lateral movement going on? They got the alerts. And later on, when they investigated, they found that an employee took their laptop home. They got infected through the RDP port, through the internet, with the DarkSide ransomware. Was it targeted, or was it just a random thing? We don't know, but they got infected. They brought it back into the office,
and bam, it was just trying to spread. This could have ended very, very differently. In an alternate reality, this would have been millions, thousands and thousands of dollars of ransom. But in this case, they already had the rules in place.
They said, like divine commandments: no laptop shall communicate with any other laptop through the RDP and SMB ports, because why would they need to? They knew their environment. They knew what kind of zero trust they wanted to implement, and it was implemented. And so they did get the alert that something was trying to happen, but nothing happened.
The entire attack was basically isolated to this machine, because it's as if they had a personal firewall around each and every one of the machines in their environment, where they could define exactly what's coming in and going out, also outgoing traffic to the internet through the HTTPS port, I believe. And so they knew exactly what information can come and leave, and that gave them the protection. The same ransomware attack that took down Colonial Pipeline didn't even get a chance to start.
So that's why, when you have that amount of power over network traffic, and you can do these things with this sort of software-based solution, you can exert that level of control, that level of power. They also wrote a rule: no laptop that's connected to the internet should get any kind of traffic on the RDP and SMB ports, solving the problem going forward into the future. And so I hope, just with these small examples and the basic idea, I've shown why I think this is a weak link in the attack.
If you can have that type of control, if you have that power, it's a lot of power that you could have over an attacker, especially with ransomware. That's it. I hope you enjoyed it.
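Worked example, added here and not part of the talk or of Guardicore's or Akamai's product: a small Python model of the two mechanisms the speaker describes. First, lateral movement is detected as SMB fan-out, a handful of hosts opening port 445 to dozens of peers. Second, tag-based segmentation rules are applied: the standing "no laptop to laptop over RDP and SMB" and "nothing from the internet to a laptop on RDP and SMB" denies from the second story, and the post-breach response from the first story, which tags the fan-out sources as infected and blocks only SMB from them while the database server's production traffic keeps flowing. The host names, flow records, tags, the fan-out threshold of 10 peers and the default-allow fallback are all constructed assumptions.

```python
"""Added example (not Guardicore's or Akamai's code): SMB fan-out detection plus
tag-based segmentation rules, run over constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass

SMB, RDP, POSTGRES = 445, 3389, 5432   # destination ports used below

# Constructed flow records (src, dst, dst_port); every host name is hypothetical.
FLOWS = (
    [("db-01", f"host-{i:02d}", SMB) for i in range(1, 41)]          # db-01 hitting 40 peers on 445
    + [("ws-07", f"host-{i:02d}", SMB) for i in range(1, 31)]        # ws-07 hitting 30 peers on 445
    + [("db-01", "app-01", POSTGRES), ("db-01", "app-02", POSTGRES)]  # db-01's legitimate production traffic
    + [("ws-03", "files-01", SMB), ("ws-03", "host-02", SMB)]         # normal: a workstation with two SMB peers
    + [("laptop-01", "laptop-02", RDP), ("laptop-01", "laptop-02", SMB),
       ("laptop-01", "files-01", SMB), ("inet-peer", "laptop-02", RDP)]
)

# Constructed host tags. Rules match on tags, not on addresses.
LABELS = {
    "laptop-01": {"laptop"}, "laptop-02": {"laptop"}, "inet-peer": {"internet"},
    "db-01": {"server", "database"}, "app-01": {"server"}, "app-02": {"server"},
    "files-01": {"server"}, "ws-03": {"workstation"}, "ws-07": {"workstation"},
}


def smb_fanout(flows, port=SMB, min_peers=10):
    """Return {src: distinct_peer_count} for sources reaching >= min_peers hosts on `port`.
    Recon and lateral movement are noisy: one host opening SMB to dozens of peers is the signal.
    The threshold of 10 is an assumption; tune it to the environment's normal SMB behaviour."""
    peers = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            peers[src].add(dst)
    return {src: len(d) for src, d in peers.items() if len(d) >= min_peers}


@dataclass(frozen=True)
class Rule:
    src_tag: str        # tag the source must carry, or "*" for any host
    dst_tag: str        # tag the destination must carry, or "*"
    ports: frozenset    # destination ports the rule covers; empty = any port
    action: str         # "block" or "allow"


def _has(labels, host, tag):
    return tag == "*" or tag in labels.get(host, set())


def evaluate(flow, labels, rules, default="allow"):
    """First matching rule wins. The default-allow fallback is an assumption of this
    example; the customer in the talk expressed its policy as explicit deny rules."""
    src, dst, dport = flow
    for r in rules:
        if _has(labels, src, r.src_tag) and _has(labels, dst, r.dst_tag) \
                and (not r.ports or dport in r.ports):
            return r.action
    return default


# Standing rules from the second story: laptops never talk RDP/SMB to laptops,
# and nothing coming from the internet reaches a laptop on RDP/SMB.
STANDING_RULES = [
    Rule("laptop", "laptop", frozenset({RDP, SMB}), "block"),
    Rule("internet", "laptop", frozenset({RDP, SMB}), "block"),
]

# Post-breach response from the first story: block only SMB from the infected tag.
QUARANTINE_RULE = Rule("infected", "*", frozenset({SMB}), "block")


def tag_infected(labels, hosts):
    """Return a copy of `labels` with the "infected" tag added to each host in `hosts`."""
    out = {h: set(tags) for h, tags in labels.items()}
    for h in hosts:
        out.setdefault(h, set()).add("infected")
    return out


def respond(flows, labels, rules):
    """Detect fan-out sources, tag them, prepend the surgical SMB block, decide every flow.
    Returns (suspects, {flow: "allow" | "block"})."""
    suspects = smb_fanout(flows)
    labels = tag_infected(labels, suspects)
    decisions = {f: evaluate(f, labels, [QUARANTINE_RULE] + rules) for f in flows}
    return suspects, decisions


if __name__ == "__main__":
    suspects, decisions = respond(FLOWS, LABELS, STANDING_RULES)
    print("fan-out sources:", suspects)
    for f in [("db-01", "host-05", SMB), ("db-01", "app-01", POSTGRES),
              ("laptop-01", "laptop-02", RDP), ("laptop-01", "files-01", SMB)]:
        print(f, "->", decisions[f])
```

The point the talk makes is visible in the decisions: the database server's SMB scan is cut off, its PostgreSQL connections to the application servers are not, and the two laptops' RDP and SMB attempts are blocked by the standing rule before any quarantine is needed. In a real deployment the flow records come from the segmentation agent's telemetry and the rules are enforced on each host, not evaluated offline like this.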