So, our next speaker is probably known, many by you, as a former member of the Computer Chaos Club. Today, he is responsible for Red Team Assessments, Strategic Security Improvements and Incident Management. And I think it fits quite well to the presentation, which I said, because he's saying that he likes to be helpful without disturbing the internal organization.
So, I'm really looking forward to that. Please welcome Linus Neumann on stage.
Welcome, Linus.
Hello. You catch me a bit nervous, because I just got bad news that I was expelled from the Chaos Computer Club, of which I am the acting spokesperson and organizer of the 38th Chaos Communication Congress in about a month.
So, a bit surprised, but I'll manage. I got a second job and I'm speaking today in that capacity, which is the head of security strategy at Security Research Labs.
So, yeah, this is not a CCC talk. This is a business-oriented talk. I like to degrade crisis to mere problems. A problem is not a good thing, but if the alternative is a crisis, a problem is quite nice. You like problems, because for a problem, you have a solution. For a crisis, you don't. In IT security, what we try to avoid is falling into crisis. I want to share a bit of my impressions on how we're doing and how we could be doing better. I mentioned I have a day job.
That day job is doing consulting, red teaming, and crisis management in that order, although the ones whom I manage crisis for are rarely our clients already. And I try to share a few of my insights from these crises that I've managed in the past years. I split my talk into five little myths that I want to talk about in IT security. And I'm unhappy about these myths, because I think that they keep our defenses off focus. IT security could be much better today than it is, and it is because we're doing the same mistakes not only over and over again, but also from organization to organization.
And I dive into five of these areas to complain and hopefully learn something. The first myth about IT security is awareness. Small anecdote from my consulting life. An organization was first breached by ransomware, then had a fake president attack where you transfer money to the attackers, and didn't really worry about that, had another fake president attack, and then decided, okay, somebody needs to do something. We need to do something about these fake president attacks. So they called me and said, Linus, can you help us? We had another fake president attack. And I was like, what, another?
What do you mean, another? And they said, well, the first time we didn't dare to call you because we were so ashamed. Now we would like to ask you to do security awareness training. And I said, well, why don't you solve the problem at its root and change the processes? If anybody can send you an email and ask you to wire transfer a six or seven digit amount to offshore accounts, this will happen again. We should look at the process and optimize the process and secure it so this doesn't happen again.
Well, no, they wanted the awareness training, and we did the awareness training, and I think a year later or so, they wire transferred another million offshore. This is the common average CISO reaction, right? There's awareness training. It has an ephemeral effect. The coverage is incomplete, and it's in essence a toxic culture because awareness trainings tell you that it's the employee's mistake. Somebody whose job it is to read emails and wire transfer money does it 500 times a day, and in the millions of times on the job they make a mistake, it's of course their problem.
This is what awareness trainings teach them. A four-eyes principle on high transactions would establish security in the process, has a permanent sustainability effect, covers everything, and is solution-oriented because the organization accepts accountability. And this is, of course, why nobody likes it, right? As IT people, we prefer to blame the individuals that operate the IT. So my recommendation is to reduce the attack surface in everyday workflows.
If you tell people not to click links in emails whose job it is to read emails and click links in emails, they're going to read emails and click links in emails, right? Change their work. Change their work environment to a more secure workflow. Number one, the mad attacker skills, right? You always hear about how attackers are crazy. They have these specific skills and they're operating in a highly professional environment and they improve every day.
I think the reality is specifically when it comes to ransomware attacks, attackers haven't had any evolutionary pressure to improve in the past years, about six, seven years. We have not exercised any evolutionary pressure on the attackers. This has gotten so far out of control that you now have absolute amateur hackers running ransomware campaigns in the millions.
Somehow, we gained access to an attacker's command and control infrastructure. The attacker had made a small mistake, makes the attacker sympathetic to me. We obtained an SSH key and had access to their command and control server. The mistake the attacker had made was they were using SSH as a tunneling protocol and the key that they left on a victim network was actually also valid for their root account. It's like the mistakes you guys make, right? These guys make them as well. We were able to look over their shoulder for a while.
We had root on their command and control server and notified about 40 victims live as they were being hacked, getting different reactions from them. I'm not going to really name the organizations, but I imagine they looked somehow like this when we called them. This is what the root folder looked like of the attackers. This looks very much as untidy and clumsy as my own home folder.
Again, very sympathetic. No sign of professionalism there. The Bash history revealed a passion for standard tools. I've listed them here on the right. This is also absolutely well-known boilerplate. Any hacker with a sense of honor would not call themselves a hacker for using these tools. This is exactly what professionalism is, scaling a business process that works. This business process works really well and this is why they operate this way. It doesn't help us not to learn from such common knowledge. Learn from the mistakes of others.
Defend against these attack paths that are operated at scale. Third myth, detection. We all know these are the pillars of a mature IT security organization. We prevent attacks, we detect attacks and we recover from them. This is how it should be. This is how you think it is. This is how it really is. Usually our prevention sucks. After that, we don't detect anything. It's all downhill.
Remember, though, we know how attackers operate. It should be very normal to learn from common attacker behaviors, from their IOCs, and train your SOC to alert on specifically those. Nonetheless, my red team colleagues developed detection tools and in this case deception tools because they were getting bored. Every time we own client networks using ADCS, Active Directory Certificate Services, so it's a PKI by Microsoft. Once you have the certificate, you can use it to authenticate to other services. It's oftentimes used to obtain tier zero privileges.
It's just that nobody ever detects these. Nobody really monitors certificate issuance and whatnot. They built a honeypot for this and released it as open source. I encourage you to look into this for a while because this is what actual attackers do and this is what most organizations don't really monitor for. The fourth myth when it comes to the activities of common criminal gangs is the decryptor. There is an initiative, I think it's called No More Ransom.
We are also part of that initiative because we developed a decryptor and it's a website that collects decryption tools for ransomware gangs or ransomware families. It's surprising how many decryptors are available. To show you the kinds of mistakes the attackers make, I'm giving you a little bit of insight into what we found out about one particular gang. This is the Black Basta gang. They implemented the ChaCha20 encryption algorithm. The mistake they are making here is when they encrypt larger files, they don't encrypt the full file because it takes too many resources.
But they basically apply intermittent encryption. You have a large VMDK image, a couple of gigabytes large, and you don't encrypt the whole, I don't know, 50 gigabytes, but only chunks in the file each. That's enough to make the file useless and far more efficient because you just jump across the file. The mistake they made is while carrying their encryption intermittently into the file, they did not pass on the initialization vector between chunks. They basically started encrypting with the same key stream again and again, which is what you see here in line one.
This is particularly done to VMDK files. These are hard drive images of virtual machines. What do hard drives have in large quantity? Zero space. Available allocatable space, and that is only zeros. They basically XOR zeros with their key stream. Because you know there's going to be zeros in your file and you see them, you now have the key stream, you XOR everything with the key stream, and you decrypt the file without even knowing the key. This is an absolute rookie mistake in encryption. This is what you would use as a textbook example of somebody messing up their own encryption.
This is the example you would use. Nonetheless, this gang operated a quite successful business. Much more successful than most businesses that people in Ukraine or Russia operate. We basically found out about this a few months after they changed to this type of encryption. We investigated the files. My colleague, Tobias Müller, found the vulnerability, created tooling, and we first shared this tooling with victims that we saw on their website or on other command and control servers.
The BKA, BSI, FBI, or any reputable IT security and interior security organization we could think of. For a while, about four months, if you were in the US, Germany, Europe, and you were falling victim to Black Basta, at least a decryptor was available. In December 2023, they noticed it and upgraded their encryption to not have the vulnerability anymore, just as you would do. The problem is still, if you go to this website, it gives you the impression that when you're falling victim to Black Basta, you can just decrypt the file. That is not the case.
In that same year, Black Basta made 100 million plus. Even if the slight chance exists that there is a decryptor available at some point in time, it's not available to you in the time when you urgently need it. You should not rely on that being the case.
Of course, a very terrible myth that we all have in IT and in IT security is the myth of our backup. We have a backup. Somebody encrypts all of our files. We just restore from backup. That's going to be fine. The backup is right over there. It's tied to our Active Directory, which is what the attackers operate. But it's a good backup. I think nobody ever tested the backup. The biggest mistake organizations make is having the backup servers in the same identity and access management system that the attackers take over to obtain control of your files. That's the worst thing you can do.
You have to have it absolutely separate. The best practices in backup are well known. We want the backups to be immutable. We want them to be independent. We want them to be isolated, versioned, verified, and monitored. These are all the boxes your organization most likely doesn't check. The most important one is missing. Because even if you have all these terabytes of backups and your ESXi makes snapshots of the virtual machines and clutters up all the space, you are not going to be able to recover everything at once.
Even if these backups are available, recovering your business operations from these backups is going to take a time that is absolutely unacceptable when it comes to the business interruption these organizations are facing. The actually important part was missing in this list, and that is risk-based backups prioritizing business recovery. Business recovery does not mean that every single service is running again. Business recovery means that you can operate. You don't have to send thousands of people home.
You can run your organization with, of course, limited efficiency, but you can at least operate. This is not a joke. I've been in many situations in an absolute crisis, IT down, where the crisis committee is trying to find out how the business operations relate to IT. The longest I've seen is a process of about 14 days. This is 14 days. In a crisis, there's no weekend. You can talk to the workers' council about that. 14 days of finding out how the IT is linked to the business and how we now relaunch this IT to eventually have a business again. That in itself is a crisis.
I thought initially, when I witnessed this the first time, that this is something uncommon, something crazy. But it's not. It's absolutely normal in any organization that the IT operates an IT infrastructure not knowing exactly how it is important for the business or not. When there is an IT security that is securing this IT infrastructure, not really thinking about what threats the organization is facing.
Now, there are all these DORA acts and whatnot to help you force an organization into thinking about these things. But the very logical question of understanding, I'm protecting a business and not an IT, and the business is much more than its IT. All the attack surface are the humans out there that I happily somehow subtract from my IT security responsibility. And all the money that the organization makes is somewhere out there. And I don't understand it. I don't care about it. Because the IT that I'm trying to secure also doesn't care about it.
And this is why ransomware gangs are so successful for so many years now. It's the disconnect between business, IT, and IT security. And you can see it in the cafeteria of your organization, right? So if there's somebody nobody wants to sit with, likely IT person. The business people don't want to sit with the IT people because they're idiots.
Now, look for the people that not even the IT people want to sit with. That's the IT security people.
Now, imagine this tradition over so many years and how secure your organization is going to be. So my five takeaways: reduce your attack surface in everyday workflows, learn from the mistakes of others, exercise some evolutionary pressure on these attackers. The dwell time attackers spend in your environment is going down. We're making it easier and easier for them. Increase detection on well-trodden attack paths. Put your detections where the meaningful attackers are. You will not get a decryptor on time. Forget about it. Even if you pay for it, it's not going to be there on time.
And certainly you're not going to get a decryptor on time for free and public. And you need prioritized recovery. This is what you need to look into. The ransomware crisis is not necessarily a crisis of IT security.
It is, too, but it is a crisis of organizational culture. Thanks a lot.
Thank you, Linus, for this talk and sorry for decommissioning you from CCC.
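The key-stream reuse mistake from the talk's decryptor section, as an added illustration that is not the speaker's or SRLabs' code: each encrypted chunk of a VMDK-like file restarts the stream cipher with the same key, nonce and counter, so the zero-filled free space hands over the pad and every other chunk falls with it. It uses a SHA-256 counter-mode key stream as a labelled stand-in for ChaCha20 (the flaw depends only on pad reuse, not on the cipher), toy chunk sizes, and a constructed sample image; the `restart=False` path shows the corrected scheme the gang later adopted.

```python
import hashlib
from collections import Counter
from typing import Optional

CHUNK = 64     # bytes encrypted at the start of each stride (toy sizes)
STRIDE = 256   # distance between encrypted chunks: intermittent encryption

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for ChaCha20's key stream (SHA-256 in counter mode) so the example
    # runs on the standard library alone; the flaw shown is cipher-independent.
    blocks = (hashlib.sha256(key + nonce + c.to_bytes(8, "little")).digest()
              for c in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def intermittent_encrypt(data: bytes, key: bytes, nonce: bytes, restart: bool) -> bytes:
    # Only the first CHUNK bytes of every STRIDE are encrypted. restart=True is
    # the mistake from the talk: every chunk restarts the key stream at counter 0
    # and so shares one pad. restart=False carries the counter on across chunks.
    out = bytearray(data)
    for i, off in enumerate(range(0, len(data), STRIDE)):
        skip = 0 if restart else i * CHUNK
        pad = keystream(key, nonce, skip + CHUNK)[skip:]
        out[off:off + CHUNK] = xor(data[off:off + CHUNK], pad)
    return bytes(out)

def recover_without_key(ciphertext: bytes) -> Optional[bytes]:
    # Disk images are mostly unallocated zeros, and zeros XOR pad == pad, so the
    # chunk value that repeats most is the pad itself; no repeat means no reuse.
    chunks = [ciphertext[o:o + CHUNK] for o in range(0, len(ciphertext), STRIDE)]
    pad, hits = Counter(c for c in chunks if len(c) == CHUNK).most_common(1)[0]
    if hits < 2:
        return None
    out = bytearray(ciphertext)
    for off in range(0, len(ciphertext), STRIDE):
        out[off:off + CHUNK] = xor(ciphertext[off:off + CHUNK], pad)
    return bytes(out)

# Constructed stand-in for a VMDK: some guest data, then zero-filled free space.
SAMPLE_IMAGE = (b"VMDK-HEADER " * 40 + b"guest files and logs ... " * 60).ljust(16 * STRIDE, b"\0")
KEY, NONCE = b"K" * 32, b"N" * 12   # the attacker's secrets; recovery never sees them

def demo() -> tuple:
    flawed = intermittent_encrypt(SAMPLE_IMAGE, KEY, NONCE, restart=True)
    fixed = intermittent_encrypt(SAMPLE_IMAGE, KEY, NONCE, restart=False)
    return (recover_without_key(flawed) == SAMPLE_IMAGE,
            recover_without_key(fixed) is None)
```

`demo()` returns `(True, True)`: the flawed file is fully recovered without the key, while the corrected scheme leaves nothing repeating to exploit.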