The Changing Cyber Threat Landscape and its impact on IAM (II)

So as usual, thank you very much. Very informative also for me. So before I start, do you have any questions, anything you'd like to ask, especially. So on that experience from the field as Kumar is
We're here around. If you'd like to have questions answered, which are more, let's say of a private nature, we are around approach us. We're happy to talk. We're happy to provide you with more insights with more information. Now, what, what, what is the impact? So what is the, what is the takeaway for, for the IM projects of the world? So at first I did my very brief introduction. So the one or other may or may not know me, I've been in the identity business for the past 15 years, working for vendors, working for customers, working for service providers. So there was some decent experience to that particular piece. And with that kind of context, I'm actually happy to talk about the importance of the threat landscape visibility towards identity and identity access management. So what we're looking at, and, and, and some of that might be very obvious to you is a identity data theft data leakage of any kind.
So that might be that as Kumar set, it's about exfiltration of files folders, but it's only, that's much more than that. So just to give an example, a large largest food and beverage organization or hack bar anonymous weeks ago, for some reasons, with the result that anonymous has published a complete set of their customers in a specific regions with full details. So with PII and CII data, so actually organizations, competitive organizations of that customers could understand who in particular in person is making business with whom under which condition and with what prerequisites. So I let's put it the simple way. I'm, I'm, I'm, I'm, I'm an owner of supermarket. And I go out there and look at that list. And I see that my competitor two blocks down the street, also being a customer of that organization, and I can see their, their sales and, and, and, and, and, and procurement conditions.
So I'm asking myself then, okay, so why don't I get these kind of conditions? Why is that particular competitive mind getting more discount than I do? So this is the risk out of identity data, but especially also data leakage. So what does that mean for an organization itself? We should look at these early warnings. So one of the very important keywords around cyber security is prediction. If you think about the execution of a, of an attack of an hack, it is most likely that with the very traditional approaches, you try to somehow counter that attack. At the point in time, when that event is happening, you rely on the expertise on the professionalism of your staff, of your tools, of your procedures to identify this attack. And with the panel discussion before 1, 1, 1 particular sentence was, was also, I think mentioned from, from Adida. So we don't know the unknown.
So how do you know that you identify each and every attack you can't? So the thing is you need to step back a bit and think about, okay, what's the prediction of it. So giving you some insights. So this is our observation, our, our analysis with customers, from their customers with data. So one of the interesting aspects about data theft, first of all, it's PII information and CII information. Now think about the following. Let's have a look at this. You might see username, email address, password password is something which could be found in clear text. I mean, you all know this service have been pawed, right? So where can check your email? Is it out there? Is it particular password out there, these kind of things. So, but this is a very single of you. If you look at this kind of information where you have a complete list out of your organizational context, we identify my users are using a corporate asset, an email address for private purposes.
So look at the source. Now give you another example, a most current example, where we are talking with an organization, it's a governmental organization in the wider financial area. We found multiple records where those employees were using that governmental effort, the email address for private purposes to sign up and register for fitness first at sixth at Tinder and the likes. So this is something where we look at that and we were laughing at first, but then if you think about the implication and the impact of it, it's not only the technological aspect of this, that this kind of information might be used in some other way. It's also the brand infringement out of this. Now making public that your users are using their corporate email address to, to up a Tinder. We all know the purpose of Tinder. It's a reputational issue, right? And this is something which organizations should be made aware of to take action on that
Passwords. Now give you another example on that. So I'm not sure that comes well. No. So passwords, if you think about the following scenario, credential sets, identity information is out there. No doubt, nothing to talk about because it's business as usual. The interesting thing about this discovery is what you make out of it. Now, if you think about creating, let's say an Excel file out of that, another example from one of our customers, we found about 2,900 credential records, whereas they have only in quotes only 2,300 employees. So the thing is, if you look at these email addresses this all in the organization context, so it's all related to that one particular organization to that one particular customer, there's a mismatch in numbers. What does that mean? Multiple times? The same email address has been used for different kind of sources for different kind of purposes. Now let's take the password into consideration. If you look at the records where you can see in clear text the password, so you might have then similar username in terms of an email address, the same password for let's say six different sources. So what is your assumption? How likely is that particular password with that particular email address? AKA username used by that particular user for lazy purposes in a corporate context,
Me as, as someone who's interested in that I would just go and try, okay, let's check the outlook web access. For instance, try the credential set. There's a slight chance that there is a hit, and this is where the whole journey begins. Now think about what Kumar set was
The actual event, the exfiltration, the encryption is something at the very end of this whole chain of individual, individual steps and procedures. What you need to understand is, and ask yourself is how could that happen? That exfiltration actually could be executed. If you think about the attack methods as of now, which is ransomware, malware, fishing, spare fishing, the vast majority of those attacks are executed in the context of identity or identity related data. Is it either the credential set which works to intrude an organization or the infrastructure of an, or is it just to understand how can I fake an identity in the context of an organization? If I look at the email address, I instantly understand what is the generation methodology for an email address of that corporation. And it could be so highly sophisticated using special characters. What there is once this information is out there, me as an interested reader, I'm able to understand if I look at the webpage of that organization, look at the management board, look at the CFO name.
I know what the email address of that CFO is. And from there on the whole journey starts, I create my spare fishing email, for instance, sending out. So I provide information in this identity context, which the recipient is not instantly able to determine. So what is true and where does the fake begin? So I can fake the senders address because I know you won't see these emails, you might receive those. We have something like a scrambled value@gmail.com. That's not the case. Yeah. So a fairing attack specifically targeting individuals in the name of other individuals, which could be uniquely referenced. And this is something which we are able to understand, and we can provide this information. And that is for the purpose of, so what is it, what you need to do?
Yeah. So what to do. So that's the takeaway, first of all, of course, security awareness training. I mean, at, at, at very first reiterate to your users that may be using a corporate asset, like an email address for private purposes is inappropriate. So simple. That second is if you look at the situation where passwords are floating around, and even though giving the example, which is a real live example, where for laziness reasons, the similar password has been used multiple times for different kind of services out there. Think about improving your authentication procedures. I've been in the position requesting budget from management to say, Hey, let's put something in like MFA and they turn around say, yeah, great idea. What does it cost? Yeah. Here's the proposal. Here's the offer. Yeah. It's total like this. Well, yeah. So what's the level of security we'll reach with that investment.
Well, yeah. I mean, we can make ourselves better and more secure. Yeah. But what are the measurements now giving that information with that context is something which allows to go to management, request a funding, a budget upon evidence upon valid information, because you can clearly show the shortcomings about credential usage by your users. And that allows you to, to just say, Hey, we're out there. I mean, we're listed, our users are not working as they should. They're not using our assets as they should. Let's do something about it. I mean, it's a combination of activities like security awareness, trainings, MFA, for instance, all these kind of things, data leakage, you've mentioned it before intellectual property, that's the highest value target despite any financial aspirations, which hackers are after that. That's just a simple, I mean, the whole situation of IP leakage is not very new just because we're in a cyber age and let's say patent plannings and, and records and things like are digitalized nowadays.
They've been there a hundred years ago and that kind of industry spin was there a hundred years ago, but in different manners and matters, it has been executed differently. The only thing right now is that we are able to track specifically upon our observations, for instance, like any others could do, or some others could do as well to say, Hey, there is sensitive data out there. It, the reference example yeah. With that food and beverage organization is one aspect of this. The other aspect of this is if you are working on a, on a new invention yeah. E mobility talking about a certain aspect about charging, for instance, it's an example given you don't want to lose it. And even though just before you actually brought it to market, you would make to sure you want to make sure that it remains in an intellectual property within your organization. So you need to understand what is there, what is your particular exposure talking about? The attack factors, the attack surface, the vulnerabilities said the very end of the particular chain, that's the actual sense of the meaning to this? It's, it's, it's just the door through which hackers walk into your organization. Interesting is the whole part before. So how do they identify the door? How do they identify the weakness, how they are able to execute on that weakness. And as said, the vast majority of the execution of the context of identity data,
What of interest could also be, if you are aware of data exfiltration, to understand how that could happen and which path so follow the breadcrumbs back, this whole leakage, this whole set of data has taken, because with that, you're able to understand what doors do you need to look at in particular to put some extra security on, maybe to do something different, just to make sure that that doesn't happen again. Yeah. Back tracing and also the identification of the TTPs tactics, the techniques and procedures, to understand how the threat actors were able to exfiltrate that particular set of data, this information, it helps a lot just understand on a regular basis in terms of an night, till approach in a re way to always improve your security situation.
Well, early warning now, we've, we've been used the term observation a lot. So the thing is our company does cyber intelligence intelligence services a a as you, yeah. I six was, was dropped as a topic. Now think of James Bond. Yeah. Running around ears, eyes everywhere, collecting data, collecting information for whatever purpose, for whatever unknown purpose at that point in time of collection. Now, with that, think about the following. You, you walk around and you have the ability to somehow memorize every single word in your surrounding, which has been spoken not only to you, but to others. You're able to memorize everything you see, even outside your view perspective, maybe everything, you smell, everything you taste. You dunno what for at that point in time. But when I get to you and say, Hey, in four months time, so what was the reception is talking about while you passed their way?
Now, this is something which is of huge value because, and this is what I said. That is the type of data and information gathering unintentionally at first, but with an intention afterwards, to analyze that data. And this is something which allows us in that particular case, because of that observations to tell organizations that they've been particularly mentioned in terms of a campaign in terms of a campaign enrollment that assets have been mentioned, like you've mentioned IP addresses. So these IP addresses have been spoken about because they've been identified in the combination with a software asset where vulnerabilities are well known, where an operating system is not patched, all these kind of information and things. And that is a huge benefit for you as an organization to understand not only there is something you need to do in terms of patch management, for instance, but it's also the possibility for you to understand and further, why are you becoming a target?
Why are you on that particular silver plate? And again, getting back to that initial reference with a food and beverage organization, they've been put on the silver plate by themselves because of a business decision that there were technological shortcomings was just the Metro effect to execute that particular hack, but the trigger and the reason why was their business decision to not take down any business in and towards Russia that put them on that mentioned server plate. And this is also something of importance that business decisions have immediate impact on the hackability and the potential of being hacked by any threat actors, for whatever purpose, whatever kind.
So again, prediction, it's a key word. So this prediction is way ahead of time, because if you think about the whole procedure of an attack, there's what we call the kill chain. The kill chain is of seven, sometimes eight stages, depending on what kind of execution actually happening. And it's kind of a blueprint how to get to the next stage, to the next level, towards your objective of encryption data, exfiltration, identity theft, and the most used approach to counter that is between what we call the stage three and four, where actually the software, the malicious software is enrolled into organizations. However, that will be now being able to start at the very early beginning at stage one and two, which means we are behaving like those actors, like those hackers, we are observing organizations. So you've brought up the, the reference to the house. Now think about the following.
You built a house, you take care of, you know, the, the stone walls. You take care of the windows, the frames, the locks, the front door, the back door, the fence around your garden, the garage door, the lock on your garage door. And this is something where the capabilities are given to just walk around your house, to have a look from the outside, because that what intruders would do as well, just to figure out what other weak spots. Yeah. So for instance, we see there is a garage door of a particular vendor particular model out of a particular series. So this is something where we understand, oh, there was a lock in there with a weakness. Yeah. You just hit it with a hammer and it's open. I get in, I can use the internal back door into the kitchen for instance, and the intruders in your house.
We tell you early warning. Yeah. So there's a potential risk. The other way around is like, like spies do regularly. Oh yeah. Ears and eyes everywhere. We observe communication. So for instance, someone's mentioning Alexander, Platz 11. We know it's your property. So we know these guys are talking in the context of, of a criminal act because we know these guys as for actors, so we can tell you, and that's the, the, that's the beauty of a particular early warning. And that allows you then yeah. To remove yourself from that silver plate out of the focus. Yeah. Would you like to continue finalize? Yep.
Well, thanks there. Now, going back to the thesis again of why this is all important and what are we missing very, very clearly. You heard me saying that, well, you know, you always have to understand you are attack surface. You always have to understand weaknesses into those attack surfaces. You need to understand is your brand matter of interest for cybercriminals. You need to have a visibility by which you understand is your distal footprint, very policy in nature, which cybercriminals can use to get in. You have a situation where you go about understanding situational awareness. I think that is one area which has been actually completely left altogether by all cybersecurity professionals. You need to understand what is going on in your industry from cybercrime perspective in technological stack, which you're using as well as geolocation from where you're operating from, by the way, in, in the world of geo geopolitics, as you know, your geopolitical presence plays a role in cybercrime, which is gonna get orchestrated against you.
So we go back to the basics and we, we say that, well, you, as our organization, you need to understand your external attack surfaces. As, as Derek was explaining, you need to have a ability to understand, well, these are your assets. These are your systems. These are your applications, which is internet accessible. And if I'm a cyber criminal, that will my first place, how I will get into your organization, then you go about understanding. Are there any weaknesses into those attacks using vulnerability, intelligence, you then go and apply your brand intelligence. Again, going back to the point, are you a matter of interest is your product and solution is something important for cyber criminal groups.
You then understand your distal footprint. Again, going back to the point around identity theft, data theft, you know, all that comes together as part of your distal footprint and how are you actually controlling those? How are you making sure that your distal footprint is not very powerous in nature again, situational awareness. And finally you combine that with cyber intelligence. So I'll go back to the basics. We are not just a cyber intelligence company, not another one. We do way more than cyber intelligence. And we go about combining multiple sort of verticals to give you a complete comprehensive view of your external threats and risk. Now, these are very relatable in nature. As you can imagine, we are, we are telling you how good or bad look like from outside end perspective. We are telling you very, very clearly. These are your asset, which are internet accessible.
There are vulnerabilities. There, there are weaknesses out there. Your digital footprint is weak. Your brand is a matter of interest for cybercriminals. And then we are mapping that back to specific groups of cybercriminals who are looking at attacking you. Why are they looking at attacking you? Their motivation? Very, very important for us to understand. I know it may sound a little theoretical here, but it's so very important in your cyber posture management, to understand why somebody has interest towards me. If I go back to my intelligence days, that's the first thing I will do. Why am I a target? As Derek was saying, what do they want from you? Like, are they behind your intellectual property? PII? What are they after? When can they attack? How ready are they? Not every cyber criminal drugs are just behind your life. That's not reality. We will tell you.
Yeah, for sure. As a cybersecurity company, we want to sell more. We are gonna tell you for, for God's sake, like the whole world is behind you, but that's not reality. Cyber crime is a very organized business. Let me be super honest to you. This is not just that flick back in those days, I'll be out of uni and I'm gonna just launch your attack against somebody to make some money. No, the world has completely changed. You then go about understanding, how are they gonna attack? What sort of tools, arm, simulation they will potentially use to come and attack you and replay this back. So we are gonna be telling you your doors and windows. We are gonna be telling you weaknesses into those doors and windows. We will tell you very clearly, your brand is a very lucrative brand. We will map that out with your distal footprint.
We'll tell you in your industry, there are cyber crimes which are evolving. There are, there are new trends, which we are seeing out there. And we will very specifically tell you who are those adversaries who are looking at potentially attacking you. So going back to, you know, the basics and in any warfare for that matter, you know, there was this saying that you need understand strength and weaknesses of your enemies and yourself to win a warfare. Any warfare, talking about, take traditional intelligence to cyber intelligence, to anything you apply. You need to understand strength and weaknesses of your enemies and your self. Now our recommendation is we will have to go back to basic. We do not understand what we are up against. We have no idea. Yes, we have got all the tools, no problem at all, but we have got actually no idea what we are up against, and you need to have that visibility.
So you need to know your enemies. You need to know yourself by understanding your distal footprint, by understanding your attacks, by understanding your shadow it, by understanding you've forgotten it and apply that together. Right? Well, I can talk about number of cases. Studies here, just to give you a little bit of color very, very quickly. We have gone about actually identifying a potential threat towards a very large manufacturing company who were banging the middle of a M and a where a group of well competitors went about actually hiring cyber crime group to really understand why they have so much of interest towards this. And that was something which was very predictive in nature, which we, we were able to advise to them. We have gone about busting number of ransomware campaigns against financial institution, to retail, to critical infrastructure. We have gone about identifying hundreds of power attack surfaces towards a very large media company to you name it, retail company out there, which was being used by cybercriminals to potentially actually come back and attack them or cause a reputational damage.
I can keep going. We've got heaps of example. We have gone about actually creating two products very quickly. We have, we have a product called decipher, which is a SAS based platform. Non-invasive doesn't require any implementation whatsoever in an hour. I can deliver outcomes to you and all we need is your name, your domain name. We assume that we are, you are hiring is by. We are gonna go and find information the way cybercriminals are finding information about you. They're not calling you to ask you a question that, do you have any vulnerability? Can we actually please come back and attack you? No, they have a way to find that. And if they can find, we can find you and that's the whole thesis around this, we will, first of all, create a profile for yourself automatically on the platform. And then we start to deliver those six pillars, which you saw starting from your doors and windows to telling you who are those adversary who are looking at breaking into your doors and windows? Well, that is it. I will stop here. Thank you so much for listening to us. It has been almost one and a half hours. Thank you.
Thank you, Kumar. Thank you Burke for this. Very interesting, but yet terrifying and boring picture of the future landscape. Before we wrap this session, I would like to give the audience the chance to raise any questions.
I believe we have five minutes. So questions.
If there are not any questions from the audience in this room here, I would like you to ask a question by myself. You illustrated a very lucrative and creative way for cyber criminals to obtain and maintain attacks against companies and governments. So therefore I would like you, if you can give us a statement since the rising cyber criminals and the, the numbers which they can obtain and monetary value or other values are very growing fast and they develop very fast and get very creative. Do you think that the defense can keep up with the SP pace of the attackers?
Great question. So I'm gonna present two points here. Point number one. I'm not very sure if you are aware that cybercrime is the mosted business right now, let me, let me give you example. I could show you enough evidences out there. You've heard about NFTs. You have heard about virtual CA you know, assets out there. There were number of campaigns which were launched by cybercriminal groups, where they went about inviting all of us, normal people to go and invest behind for digital asset. If you would have invested $1 11 months back today, that is $21,000 in 11 months, 21000% of outcome is being delivered by cyber crime. You think about the way they're going. They're inviting normal people sedations to come in and fund them. That's point. Number one, like going back to your question, I think my take will be, you need to like going back to the basics of understanding, like, do you have a visibility?
Do you really understand, first of all, what you are up against? Do you understand what are some of your vulnerable assets out there? Do you understand? Like, okay, well, how invasive your distal footprint is and how do you then go about applying that into your cyber posture? I think one area where we have not gone about investing historically a lot, our, our assumption was like, you know what? We are gonna like buy every possible tool on the perimeter to network, to endpoint, to around our data. And, and the walls are gonna be tall enough. Nobody will be able to cross the wall. Reality is we are seeing right now, every, every second you see a cyber crime happening. The clear problem is we do not understand what is going on outside of, outside of our organization. And you need to apply that as part of your cyber policy management. Super important.
If I, if I may add two points to that. So the one is you could easily compare that with, you know, the fairytale where the, of the race between the rabbit and the Hawk, right? I think it's obvious who's who, so we're not the rabbit. Definitely not, but, and this is something I think should be taken into consideration is be being, unabled becoming able to execute more strategic and more tactical like the hedgehog, you know, you can't win the race ultimately, but you can control your own position within that race. And this is I think the most important part, if you think about a cyber security strategy, but also your, in that particular context or the conference, the IM strategy as well. So that's one, one aspect of this, the other aspect of this, and this is related to the current physical situation of the war as usual, during war times, inventions and improvements on weapons and ammunition.
And there is in tactics is accelerating because either party is eager to win a conflict on that particular physical manner, but nowadays also on that cyber level. So my expectation is actually that techniques, tactics, technology, infrastructure is rapidly improving and more accelerated improving than during usual times. And it'll be interesting to see once that particular situation is cleared. What does that mean for the rest of the remaining days, where there is no such conflict and everything's turning back into somewhat kind of business as usual as it was before. I mean, we we've spoken about it. And I just had my thoughts about that as well. If you, if you think about the, the, as assertion of the grouping of her actors, prera, it was more like, well, let's say it wasn't financial interest, which was the one of the drivers to get together. It was their capabilities on which level of that particular kill shame they could execute the best. So they were collaborating just as an opportunistic with an opportunistic approach. And that has changed now, former allies, where you would have Russians with Bulgarian, with the German, yeah. Working on code that has completely changed. Now you see Russians with Bella Russians, with Koreans working and you see that German and the Bulgarian working with the French hacker. For instance, now the interesting part of that is what will be their expertise and how would the impact of their new expertise and experience and capabilities then harm us when we get back to business as usual.
Great point. Thank
You very much. There's the question in the audience as well.
Speaker 10 00:36:16 Yeah. Thank you for this illuminating presentation. I actually have a question that follow up to your explanation. So as a cyber security Analyst, working in a, so I'd be interested in how would you, so to me it feels like it's a bit of cold war mechanisms at play here, and you gave a quite realistic explanation to it realistic in, in terms of the theoretical approach. And what would you say is the actual, oh, would you say, you said that the hackers are politicizing in, in a way, so why would you say is that, is that only down to the war? Or like only sorry about that, but is it down to the war or are there any other factors at play that like the, for example, social media and the increasing propaganda and such.
So here's my question back to that. So why do you do what you do? Is it because you're completely convinced of what you do is that maybe you get well paid? Is it the combination of both? Is it the influential indication from your surrounding to do what you do?
Speaker 10 00:37:41 The, the honest answer.
Yeah. Go for it.
Speaker 10 00:37:45 So I, I studied political science and cyber security, so it's a bit of both, but I haven't find my final spot yet. I say, so it's to get in the stock. I think it's, it's interesting to, to, to learn how it goes and then develop. So it's, first of all, knowledge gathering, I guess that's my intention.
Yeah. So if, if
Going back to your question, is this just because of war, we are seeing all this escalation and you know, cybercriminal groups are coming together and they are geo politically ganging up together. The answer is no, this has been happening for years and years. It was not so visible earlier, because think about it. If I'm my six, you are CIA. Somebody's za. Do I go about sharing all my trade secret with you? Yes. I trust you. You're my lie. I love working with you. No problem at all. But there, there is a boundary under which every agency operates historically. What used to happen there is we spoke about earlier information sharing, threat sharing. My clear problem with that whole thesis is, are you sharing the right set of information with your friends and families and your allies? The answer is no, right now we are faking it. Let me be super honest. If a cyber crime happens on me, do you think I'm gonna come to a public community and say, well, I got attacked, bad luck.
I can tell you this right now. Answer is now. So the reality is, you know, cybercriminal groups, we are always organized geopolitically, but they never used to share their asset, their tools, techniques, their infrastructure. Historically, now that is happening very well. And that is not gonna stop. Now, you have created like two poles in the world order, right? And I don't think so. You're gonna take that away so quickly, even if the water stops. So that is gonna continue to play. You're gonna have interest of one party towards organization of other parties. You're gonna have interest of one set of demographic. Let's say data set of, of a particular type of community being interested on the other side. This is coming, and this is happening right now. You can't say it's coming, it's actually happening right now.
Yeah. And then also to your question, the trigger, why an individual is joining a particular campaign, a particular group of actors, multiple reasons. Yeah. So a due to the geopolitical station situation that are set boundaries. So they can't collaborate with others across that particular boundary. As of now, it's like a court war curtain right now in that particular cyber situation. The other aspect is, I mean, you are doing something for your profession where you think a that's my personal interest. I would like to satisfy. This is something which I can valuable for me, for my friends, family, for society, whatever the driver might be. So these hackers, for instance, they've been triggered and, and, and thrilled by the patriotism, the given capabilities set before to expand their expertise, the techniques and procedures and tools. And there is because now they are officially funded with much more substance than these private equity funding. Yeah. Where you spent, like, I don't know, $10 as an investment and return something at $210 or $210,000. Sorry. So, so this is something to think about. So the, the triggers, the key drivers for each individual might be different. I think what worries is actually that this grouping is happening, that it's data driven that the capabilities to raise and shine to improve become better. Yeah. On a long run. That's something we should worry.
I don't know if we were able to answer your question. Okay.
Thank you very much for your explanation. I.