Fidelis' Buratowski: Ransomware Should Change the Way You Think About Security

At the end of the day, what you have to focus on is, how do you stop the end user from clicking that link, from opening up that document that is engineered to make them want to open it?

Lorna Garey

October 6, 2016


Mike Buratowski, senior VP of cybersecurity services for Fidelis Cybersecurity, gave an eye-opening keynote at the recent Continuum Navigate conference in Boston. Channel Partners sat down with Buratowski at the event to talk about ransomware and how partners can keep customers safe.

The good news: There’s a lot of opportunity. The Trustwave 2016 Security Pressures Report shows that 86 percent of cybersecurity professionals already partner or plan to partner with an MSSP in 2016. Moreover, Gartner says that, by 2020, 40 percent of security-technology acquisitions will be directly influenced by security-outsourcing providers, up from less than 15 percent now. Globally, the managed security services market is projected to reach $41 billion by 2022, with a compound annual growth rate of 16.6 percent over the next five years, says Allied Market Research.

The bad news: This is one area where you’ll never achieve a perfect score.

“That’s the unfortunate thing about security,” says Buratowski. “You’re fighting a battle that you can never make 100 percent. But really, anything in life is not 100 percent.”

Still, Buratowski points out that managing customer expectations is nothing new for the channel.

“You may think you have the greatest relationship and then, poof, for some reason they decide to go with somebody else,” he says. “It may not have been cost; it may have been a conversation that somebody had that rubbed them the wrong way.”

One option to add stickiness is to offer a comprehensive ransomware-prevention solution that comprises security technology and policy, education, and backup/disaster recovery, often to a cloud service. The latter is something many agents already sell. We asked Buratowski about the other legs of the stool, his top advice and what’s on the horizon.

Channel Partners: Ransomware is what everyone is worried about right now, and it’s still morphing. You can even buy ransomware as a service.

Mike Buratowski: You don’t even have to be an expert these days. To a certain extent, it puts a layer of separation between the actual crime occurring versus what the skilled hacker did. It’s like, “I just wrote a piece of software, whatever somebody did with it, that’s not my fault.”

CP: It’s almost a channel model.

MB: Kinda, yeah.

CP: Say a customer has the basics in place — you’ve got your antivirus, you’ve got your firewall. It’s a resource-constrained small company. As their MSP or agent, what do you do next?

MB: Ransomware really is just running a program. Somebody has to do something to execute it. It doesn’t just miraculously show up. So at the end of the day, what you have to focus on is, how do you stop the end user from clicking that link, from opening up that document that is engineered to make them want to open it?

That’s really the challenging part. I’ve seen some amazing spear-phishing attacks. An example comes to mind from when I was at the DCFL (Defense Computer Forensics Laboratory, where Buratowski worked for 10 years). The bad guys basically got a business development person’s email address, which in today’s world is not difficult to do. I mean shoot, imagine if you got the attendee list for the conference here? Now you already have the start of what people’s functions are, what they’re interested in.

So what they did is, they said, “OK, here’s this business development person.” They generated a Trojanized PDF of a request for proposal, a government RFP, and then they spoofed the email address of a legitimate person in a military unit and sent it to the business development person and said, “We’d be interested in having you submit a proposal for this.”

What business development guy is not going to double-click on that?

CP: What could he have done instead?

MB: Expand out the header and say, “OK, wait a second, there’s something going on there.”

The education of people is probably the first and foremost thing that we have to focus on.

From a technology perspective, there’s definitely stuff that we can do in this area. There has to be a mechanism for security to be built in to do the validation of some of these things — calling out, “Hey, this email address doesn’t match what the sender says.”

CP: Should Microsoft be doing that in Exchange/Outlook? Popping up a warning?

MB: I’m talking about being a little bit more proactive, like potentially looking at an IP address, where it resolves to, and pinging the address to see if it goes back to the correct region.

Stuff like that can happen almost instantaneously, and it would be great to have that sort of functionality built in. Doing a simple DNS resolution or “who is” on an IP address is not a challenge. It may slow things down a tiny bit – we’re talking a couple of seconds – but I definitely think it should be something that’s taken out of the hands of the end user and built back into the email server.

Essentially, anything that can be automated from the machine perspective should be, because machines are binary — they are logical, it’s yes or no, there’s no gray area. In contrast, social engineering really is gray, and spear phishing is all about the human factor.

If we could flag it, then at least you’re giving the end user the ability to go, “Wait a second, maybe I should look at this more closely.” The best-case scenario: That detection is built-in.

But at the same time, Microsoft is an application company. Its core function is to provide Office programs that let you run your business. Yes, they build in security. But the security piece of it isn’t always at the forefront of their mind — accessibility and usability are, because they know if customers get slowed down or things get dumped in a junk folder that shouldn’t, everybody gets angry.

That’s why I think it’s got to be taken out of the end-users’ hands as much as possible.
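As an added example, not code from the interview or from Fidelis, this is the kind of server-side sender check Buratowski describes: it compares the From domain with the envelope sender, the Reply-To and the first mail hop and flags any mismatch so the user is warned before opening the attachment. The message is constructed for illustration, and the DNS/whois lookup he mentions is left out so the check runs offline.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): the display name claims a .mil
# contracting office, but the envelope sender, reply address and first
# mail hop all belong to a different domain.
SAMPLE = """\
Return-Path: <bounce@mail-example.invalid>
Received: from mail-example.invalid (mail-example.invalid [192.0.2.10])
    by mx.corp.example (Postfix) with ESMTP id ABC123
From: "Contracting Office, 1st Unit" <contracting.office@example.mil>
Reply-To: proposals@mail-example.invalid
To: bizdev@corp.example
Subject: RFP attached - please submit a proposal

See attached RFP.
"""

def _domain(addr):
    """Lower-cased domain part of a bare address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def _under(host, dom):
    """True when host is dom itself or a subdomain of it."""
    host = host.lower()
    return bool(dom) and (host == dom or host.endswith("." + dom))

def sender_findings(raw):
    """Return mismatch reasons for one raw RFC 5322 message; [] means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    findings = []
    for hdr in ("Return-Path", "Reply-To"):
        dom = _domain(parseaddr(msg.get(hdr, ""))[1])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} does not match From domain {from_dom}")
    # The bottom-most Received header is the first hop, i.e. the host that
    # actually handed the message in; compare it with the claimed domain.
    received = msg.get_all("Received") or []
    if received:
        m = re.match(r"from\s+([\w.-]+)", str(received[-1]))
        if m and from_dom and not _under(m.group(1), from_dom):
            findings.append(f"first hop {m.group(1)} is not under From domain {from_dom}")
    return findings

if __name__ == "__main__":
    for reason in sender_findings(SAMPLE):
        print("FLAG:", reason)
```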

CP: OK, say the worst happens and an end user takes the bait. Do you see partners setting up Tor accounts and bitcoin wallets in advance, just in case?

MB: Surprisingly, we have. That’s absolutely something that the MSP should consider if they want to go down that road.

Companies all the time say, “I don’t have a bitcoin wallet, how am I going to pay this?” And we’ve facilitated them being able to make the payment, or having them set up their own account.

It’s really each business’ decision as to whether or not they would consider paying the ransom.

CP: What percentage do pay?

MB: The vast majority. Either they pay, or a lot of times what happens is, once a strain of ransomware comes out, there will be a company that breaks it and provides a decryption program. If that’s available – and we tell folks up front, see what’s out there – and if you can break it without having to pay, then that’s your first go-to.

But in situations where they can’t, again, it comes down to, “I need this data to function. I’m going to pay this relatively small amount of money, in the grand scheme of things.”

CP: Kaspersky’s doing a lot with that decryption effort.

[Editor’s Note: Kaspersky recently joined with Europol, the Dutch National Police and Intel Security on a No More Ransom project that offers advice on preventing ransomware as well as free tools to help retrieve encrypted data without shelling out bitcoin.]

MB: Yeah, it is. I mean, it is a huge thing because the economy of malicious attacks is changing. They’re going directly to the end customer, I guess, if that’s what you want to call it, the end victim. Before, they would try to extract data and then sell it themselves. Well, now they’re just going to get the money directly because it’s a faster payoff.

And, I don’t want to say it necessarily puts them at less of a risk — but it then becomes a smaller crime because of the amount of money that you’ve extorted, it’s spread across lots and lots of people as opposed to, “Hey, they stole millions of credit cards in this one big theft,” so it may not get the same visibility and attention from law enforcement.

Plus, I think people are a lot less likely to report ransomware incidents because data isn’t being stolen, so there [are] no regulatory requirements to report. If they can make it go away and not take the reputational hit, that’s a value to the victim as well.

CP: Many companies think, “We’re using Google or AWS or Azure for backup, our stuff’s in that cloud, so we don’t have to worry because ransomware isn’t going to follow.” Is that valid?

MB: I’m not aware of cases where ransomware has gone out and encrypted [data housed with a cloud provider]. I’ve currently seen it only localized to companies, but to their network as well, so logical share drives within the network.

But then, there’s also the opposite side of that. Yeah, you’re trusting Google and Azure and other cloud providers. Now, granted, they’re going to have really good security, but what’s to say it’s not going to happen at some point?

For now, I think that you’re probably making the right bet by protecting information up in Google Docs and Azure and AWS, but you just also need to recognize that the data is also out of your control.

Granted, you’re putting it with some of the best companies to rely on. And again, I’m probably oversensitive to the potential risks as opposed to what’s immediately in front of me because I live it every day. I’m a bit jaded and cynical. But it’s something that you have to consider.

CP: These providers have a huge incentive not to have customer data hit with ransomware.

MB: It would be devastating to them. It would send a shudder through the IT community, there’s no doubt about that.

CP: Is there a downside to cloud-based backups and DR?

MB: If an incident happens, how do those cloud providers fit into the incident-response plan?

We’ve run into situations where the cloud provider has made it difficult to get forensic images. When companies set up those agreements, they need to make sure they understand the terms and conditions of what they’re allowed to get back from the provider.

We’ve run into, “Well, the data belongs to the client, yeah, but it’s on our servers, and the way we run our servers is proprietary, so we’re not going to give it to you.” And that can throw a wrench into a lot of things, so definitely read the fine print. It goes back to planning, not only from an incident-response standpoint, but from a backup and disaster-recovery standpoint, too. You really need to know what their responsibilities are.

CP: Do partners need to worry about ransomware that’s like a time bomb, hiding in backups and popping up for a second bite after a ransom has been paid?

MB: I haven’t seen ransomware done that way, but I have seen malware done that way.

CP: Besides email, what’s a popular way to introduce malware?

MB: At Black Hat, people were weaponizing USB devices because the USB standard is very open and there is a capability to install malware in the lowest levels of USB and get it to execute. [Here’s a description of “mousejacking.”]

We did an investigation with Logitech; there was a university that proved they could take a gaming mouse and get malware installed onto it.

Well, obviously, that’s a big concern, so they asked us to look at it and see what the truth is. And the answer is, yes, you can get an executable on there. However, it’s small — I think it ended up being 43 kilobytes of addressable space that a bad guy could put data on, and when you look at the average size of malware, most were considerably larger than that. And it was a very particular model.

CP: That’s a proof of concept, though.

MB: It absolutely is a proof of concept; it became a big brouhaha because it showed the vulnerability of USB devices. There are some places where you are actually not allowed to plug in a USB storage device.

It’s something that people need to consider, especially for the MSP markets. You can turn off the ability to register a USB device in the registry of the operating system.

We’ve done some social engineering where we’ll go to the parking lot and drop a USB drive that’s not weaponized, but simulates it. I had a Word document on there that says, “Hey, thanks for finding this thumb drive, please bring it to the session.” (referring to an education session at a customer site)

So the person who picked it up handed it to me, and people started chuckling a little bit. I said “OK, you just infected your entire network.”

CP: Bottom line …?

MB: You have to change your thinking about security. It’s just got to be an everyday thing, just like you lock your car door, just like you lock your house door.

That’s how we have to get people to think about it. And not just security people — that’s the way we need to get everybody to think about it.

“Oh, you know what, I’m going to lock my computer — Ctrl-Alt-Delete.” It’s simple, but it saves somebody from walking by and shoulder surfing or seeing what’s on your screen or accessing your data and potentially sending emails on your behalf or doing lots and lots of different things. It needs to really become a culture.
