Webinar Summary: Brian Krebs AMA

Question: How do you identify some of these bad actors?

Cybercriminals are the worst at passwords. People tend to reuse the same passwords. And cybercriminals are really bad at this, because if you think about it, they have to set up tons of infrastructure all the time, there's tons of websites, tons of domains, whatever it is. And so they're really lazy. In a lot of cases, they're using the same password and they're reusing them. And that's useful if you're trying to profile somebody and figure out if this email account belongs to them. But the ironic thing is, the lamer the password, the harder it is to identify someone. If it's generic enough, there's going to be tens of millions of people and other accounts that use that password. So it actually makes a lot of sense for these guys to pick poor passwords.

Question: What is Trickbot?

TrickBot is just malware as a service. Take spam. When I talk about spam, I'm talking about a catch-all phrase for stuff that you don't want in your inbox. It could be malicious, it could be phishing, could be spam. If you think at the Russian forums, when they refer to spam, if you translate it, in English, it means envelope. They view the content and delivery as two separate things. And so TrickBot is basically an envelope for delivering infections. It relies on malicious messages and then once they get in, TrickBot has a variety of tools that lets you look and see–what passwords they have stored, what operating system they use.

Question: Why are we seeing an increase in malware attacks?

We've seen over the last year or two an explosion in the number of companies victimized by threats like ransomware, and also an explosion in the number of companies that are paying. They're either paying to get their business back up and running. Even if they can restore it from backup, it just takes days sometimes. And so a lot of these attacks are more about availability that they are data integrity and data loss. So a lot of organizations just pay because it's the fastest way for them to get back on line. And if they have insurance, maybe their insurance provider is saying to go ahead and pay.

And on top of that we've seen the bad guys, when they get in, they will exfiltrate as much as possible and say we're going to publish all your data unless you pay a ransom. That's a secondary tip of income. If you dangle that type of meat in front of these guys they are rabid about it. They understand one thing—money.

Question: What do you advise people to do if they’ve been hit? Pay? Is It legal? What should people do?

These kinds of attacks are just going to increase in intensity and cost. We've seen the cost of these ransoms go way up over the last year. And they're just going to get more bold every time someone pays. At some point, we need to be able to stop and we need to be able to disrupt the financial gears that drive this industry. One of the things I try to get across to companies is, if you have the opportunity, nip this stuff in the bud. But you have to be expecting it. The problem is that a lot of companies get their security set up and it's like, it works, don't touch it. But when companies don't expect these intrusions, it's one infected system. Sometimes its a Remote Desktop protocol, sometimes it's an email. And a lot of times, it's days or weeks before the back guys take that access, gain that single foothold and move laterally within the organization.There's an opportunity for organizations to stop it, but they have to be looking for it, expecting it and responding quickly. So we need to decrease the time to discover these intrusions . We should be dedicated more resources to responding quickly and being more aware that these intrusions will happen.

Question: Do you still see mail as the primary vector?

My book Spam Nation was published in 2014 and I started working on that in 2010. I thought, in 10 years, there's no way we're going to be facing these same problems with email. And it's actually gotten worse. There's a lot more people involved on the bad guy side. They're trying different things. Malicious emails have gotten more targeted. They're doing a lot more reconnaissance on the organizations before they send it. The lures have gotten better. They have services now where you can spell check and grammar check.

Question: What should people be doing, at a minimum, to protect themselves before the attack?

Multi factor authentication is a big deal. It's not a panacea, and it's not going to solve all your problems. But it's a good first start. I always tell people, if you think multi factor is a pain, consider that it's the standard operating procedure. When these guys get into an account, if they hack your email, the very first thing they will do after changing your password is to enable multi factor authentication on a device that they control. So it's really important to take advantage of that if for no other reason than you can cut off that avenue. And look at the multi-factor options and pick the strongest one. SMS is really bad, but if it's the only one, okay.But obviously, we've seen, if the account is valuable enough, it just encourages the bad guys to target your mobile phone number, do a sim swap. Then you have much bigger problems. So I tell people, pen test your own accounts, the things you really care about. A lot of these require you to give them a phone number to set up an account. And if you leave your number, they will assume you're getting multi-factor that way. And a lot of services will let you remove your number from your account after you've created it. And I would seriously recommend people do that. Phone numbers were never meant to be identity documents. They're not. But so many services treat it like they are.

And, also, password reuse, password recycling are probably the biggest cause of takeover. And recycling passwords, like you know monkey123 at this site, and Monkey123 at another site, that's awful. Bad guys notice and can find these. They can use password lookup tools. But those can also be used to test the security of your users. Organizations should be doing this for everything—email, social media. There are a number of companies that have problems because they have one employee with a VPN account protected by the lamest password in the world. Someone did a password spray and before you know it, they're inside.

Question: What have you seen change in the way bad guys are operating in the work from home era? How should we be changing our response to new, COVID related threats?

It's important to take stock of the situation and see if there's a way to enforce some of the policies already on the books. Before the pandemic, we saw that the Bring Your Own Device stuff really kind of blurred the lines between a work and personal device. But COVID has completely annihilated those boundaries. You have a lot more people doing personal stuff on their work computer and vice versa. So a big challenge is securing VPN access. But we've seen a crazy number of very serious zero days for VPNs. And attackers have been quick to seize on those. We've seen attackers targeting employees, often new employees at a company, that by individually calling them up on their phone, posing as somebody—they create a fake profile on LinkedIn, they say I'm the new IT guy and I've been tasked with helping everybody update their VPN profile, and they just keep calling until they get someone to bite. That's another challenge for companies is keeping devices and the software up to date. It used to be simpler when all the machines were in the same place. It's a lot harder to do now.

Question: What are the impacts of threat actors on the election?

Election interference isn't really geared towards hacking the vote or interfering with the actual voting itself. They're trying to hack the voters, hack your brain, trying to essentially sow doubt about the democratic process in general. And so my sense is that these interferences have been mainly to fan the flames of discontent or disillusionment with the democratic process. And to sow doubts in people's mind about outcomes. So I think we haven't seen what's coming yet.