Video: How to Build a Cyber-Resilient Organization: Know the Threat to Beat the Threat | Duration: 4204s | Summary: How to Build a Cyber-Resilient Organization: Know the Threat to Beat the Threat | Chapters: Webinar Introduction (17.535s), Introducing Expert Panelists (193.77s), SecureWorks Company Overview (252.64s), Ransomware Access Vectors (508.34998s), Ransomware Evolution (731.88s), Planning for Resilience (871.49s), Resilience Through Practice (1067.1849s), Resilience Against Ransomware (1235.9349s)
Transcript for "How to Build a Cyber-Resilient Organization: Know the Threat to Beat the Threat": Hey, good morning, everyone, and thank you for joining us today for our webinar on how to build a cyber-resilient organisation. My name is Shane Barco, and I'm thrilled to welcome you on behalf of Secureworks. In today's digital landscape, the threat of cyberattacks is more prevalent than ever. Building a resilient cybersecurity program is crucial to protecting your organisation's data, assets, and reputation. We're excited to have two esteemed experts with us to shed light on this critical topic. Our speakers today: Alex Tilley, senior threat researcher from the Secureworks Counter Threat Unit. Alex brings over 25 years of experience in cybersecurity, having worked in various sectors, including online casinos, banks, and Australian Federal Police cybercrime operations. He has served as the eCrime intel lead and APAC Threat Intelligence Lead. With well over a decade in the cybersecurity field, Alex will provide us with insights into the behaviour, motivations, and latest trends in cybercrime. We're also joined by Gus Janitsky, the head of incident response readiness here at Secureworks. Gus leads the incident response team for the APAC region and handles over 1,300 incident responses per year. His extensive experience spans the public sector, financial services, retail, telecommunications, energy, and health care. During this webinar, Alex and Gus will cover threat actor behaviour and motivation to help us understand the latest trends in cybercrime; real-world examples of how organisations have both fallen victim to and protected themselves from threats; and strategies to strengthen your cyber resilience program with managed detection and response. Whether you're dealing with opportunistic cyber attacks or sophisticated state-sponsored threats, today's session will equip you with the knowledge and tools to build a resilient organisation.
But before we get started, a few housekeeping items. This webinar is going to be approximately one hour. There's a Q&A feature to submit your questions at any time, and we'll address as many as possible during the presentation. There will be a recording of the webinar that will be shared with you after the session, and we also have some resources that you can download and take away with you. A couple of other things: we're not here just to present. We want to converse with you, so feel free to ask questions and talk with us. We want to start a conversation with you, so please feel free to be open about that. Before we dive into the content, we'd like to get a better understanding of your current priorities, so I've got a little poll set up. I'm going to give you about thirty seconds to answer this poll for us, and then we'll continue. The question is: as you continue to invest in your cyber resilience programs, what is your top priority or investment over the next twelve months? Give me another ten seconds, and then we'll click across. Okay, there are some results here. Has anything come up yet? Maybe you're slow to click on it, or maybe the calculator is not working. Not sure. But we'll move on now. And without further ado, it's my pleasure to introduce our experts, Alex and Gus. The floor is yours. Thanks, Shane. Good morning, everyone, and welcome to this webinar. Hi, Alex. How are you today? Good, Gus. Looking forward to it. Cheers, mate. So, look, let's kick off with a very brief intro about Secureworks, so everyone knows who we are. We've been doing this since 1999, so we are pretty old in the industry, and we have three pillars, as we say. The first one is consulting. This is where we do our reactive incident response, where we go and help our clients when they are suffering an incident.
But we also provide what we call proactive incident response, which is consulting services to help our clients prevent incidents and improve their cybersecurity readiness and resiliency. We also do a lot of penetration testing, where we help our clients see what vulnerabilities they have in their infrastructure, applications, etcetera, again with the idea of increasing their resiliency. The other pillar we have is pretty much what Alex does, which is our Counter Threat Unit. We are very well established in the market around our threat intel, and Alex will likely tell you a little bit about that later. We actively follow around 75 threat groups on the dark web and in the wild, so we are pretty good at that, and we provide a lot of information to our clients. And then finally, we have our XDR platform, which is called Taegis. It's a cloud-based platform that we provide to our clients, and it's actually the only open platform that exists from an XDR point of view. We can receive any type of logs from your environment, correlate them, and do any triage or alerting for you really quickly. So it's a really good platform to know about. How does this all work together? Our data integration is our key differentiator. Through the Taegis platform, across our client base, we process around 5 trillion weekly events, and that whole customer base is a really good source of threat intel. On top of that, we have our 1,300-plus annual reactive incident engagements. Every time our team goes and helps a client with an active incident, we gather information about that incident and about the threat actor, and we work with Alex's team on it as well.
We also do around 55,000 annual threat hunting engagements, where we go into our clients' environments to see if they've been breached and didn't know about it. So there's a lot of activity there, and it all feeds back into what Alex's team does: 75-plus threat groups tracked by the CTU team. We have around a hundred CTU researchers, including Alex, looking at the dark web and at what the threat actors are doing. All that information goes into our threat intel team, and that flows back into our Taegis platform, where we generate around 600,000 threat indicators and around 20,000 Taegis XDR and NDR countermeasures. So I reckon we have very good information about the environment, and we're fairly active with it, and that goes back to our clients. So, ransomware as a lens for resilience. Alex, I'll start with this, and then maybe you can take over a little bit. This is what we are seeing from a ransomware point of view, and it's based on our CTU State of the Threat report, which was released, I think, in December 2023, so it's fairly recent. This is what we are seeing based on our reactive cases. Around 32% of the initial access vectors into organisations to deploy ransomware are based on stolen credentials. That means the threat actors, through access brokers, obtained some credentials, and with those they went straight ahead and gained access to the organisations. That was also helped by things like MFA saturation attacks or misconfiguration, but many clients we had also had no MFA at all. Credentials are also obtained through phishing: the threat actors use phishing emails or spear phishing emails to obtain valid credentials and access your environment. Another 14% is malware.
We've seen a lot of botnet operators offering access to compromised organisations for threat actors to deploy ransomware, and we've seen a lot of ransomware being deployed via drive-by downloads or as part of phishing. And finally, the other 32% is scan and exploit: external-facing infrastructure that hasn't been patched, where threat actors scan it, identify the vulnerability, and exploit it. I'll talk about that in one of the examples. From a resiliency point of view, if you start thinking about that now, if you have good identity and access management, good hygiene with your user accounts and credentials, and a good patching regime, you pretty much cover 64% of the possible initial access vectors. So, Alex, do you want to talk about this a little bit? Yeah, thanks, Gus. When we first talked about doing a panel on resilience, it led to ransomware as the key topic for the resilience conversation, simply because, a, that's what everyone's concerned about these days, and, b, it is a very broad umbrella term for a threat. Ransomware encompasses all the different aspects of attack and defence technologies and the people, processes, and technologies we have these days. So when we look at it through the lens of ransomware, we get to cover, I would say, 95% of the different types of attacks, be they, as Gus has talked about, scan and exploit and external phishing, all the way through to popping boxes and then putting in implants, lateral movement inside the network, dumping credentials, all those nasty bits and pieces that we as security people work to prevent. They can all be encompassed under that one threat banner of ransomware. Now, ransomware itself as a threat started out pretty basic. It was really just, I'm going to encrypt all the MP3s on your laptop and ask you for $300 to decrypt them.
That's sort of where it started out, but anyone who's worked in criminality knows that criminals don't keep doing a crime unless they're making money. So once it became clear that this ransomware model of encrypting and extorting people was actually making money, a couple of hundred bucks at a time, it was a logical progression that it would expand out to attack the enterprise. And once it started to attack enterprises, and even small and medium businesses these days as well, we saw the evolution of the threat techniques and tooling by the bad guys. Rather than just trying to get you to run one executable on an endpoint, we saw the criminals start to use all of the tools and techniques that we previously ascribed to state-based actors: things like a foothold on the network, lateral movement, credential dumping, and data exfiltration. These things that we historically would see nation states doing to each other, we were now seeing happening at a criminal scale. And therefore the amount they're asking for went up exponentially, into the millions of dollars. So where we're at now is that it's a real, recognised threat, and it does help with the discussion about how businesses can prepare, detect, respond, and move forward. And, of course, in this story in Australia, they're attacking the beer, so we can't really be having that. Yeah, we need to try to figure out a way to protect the beer at all costs. One of the things, Alex, that you were saying, which is really interesting, is the speed at which they are deploying. It used to take days, and now we are under twenty-four hours for ransomware deployment. We'll show you a case that we have prepared for you today, where we show how the actions taken by the threat actors in an environment are measured in minutes.
And that's how fast it is. Definitely. We may come across a little bit, shall we say, beaten down by this, but that's simply because that's the reality. If we use words like "when this happens to you", that doesn't mean we're expecting it to happen to you. It just means that, as good preparedness people, you need to prepare for the worst and hope for the best. So if we talk about it, we're not pointing a finger; we're just saying, in general terms, when you may have a bad day. So, moving on. Basically, this is what we were just talking about, where it is hours to weeks to months. Unfortunately, you can't hang your hat on the fact that you might detect it in twenty, thirty, or forty days. You may be one of the lucky ones, in inverted commas, who does have that sort of telemetry to look back on, and we'll touch on that later around the preparedness steps. But you also may simply not have the chance to do a longer-term investigation, because you may get hit and your business could be affected within hours, as Gus has said. So, unfortunately, the full gamut of attack types means the full gamut of attack timings. And what we talk about here is that if you prepare for the worst, you can hopefully have a better day than your competitors. Honestly, that's what this is really about: how do you compare with your peers? And we think with some of the examples and some of the tips we'll give you today, you might get a little bit further down the track than your peers and be able to recover more easily, potentially. What do you think, Gus? Maybe we can get there? Sorry? I think so. Alright. Oh no, that's alright. I was just going to say, do you want to jump into one of the case studies, or should we... Let's talk about this one, and then we can jump to the case study, because it goes back to your resiliency conversation and the planning of things.
I think, look, one of the things we do at Secureworks in our incident commander trainings is start with a quote by Eisenhower that says plans are worthless, but planning is everything. And that's as real as it gets. When you talk about resiliency and what Alex was saying before, planning for the worst is having those plans ready. Have your playbooks for, for example, ransomware or other types of attacks. Normally, when you're talking about ransomware, one of the things you need to do, once you've detected the activity, is set up a ten-minute timer to see how the threat actor is behaving in the environment, because based on that you can determine whether they have already gained broad access to your systems or whether it's isolated to one host. But also think about your crown jewels, your data. If it's ransomware you're facing, isolate your backup systems before the threat actors get to them, because in a normal ransomware attack they're going to go to your backup systems first, delete the data, and then encrypt your production systems. So isolate first to protect: isolate your file servers, isolate your critical systems. It's a preventive measure, but at least you know they are still in a good condition. Then disable accounts and do other containment, and finally monitor and adjust. This is the kind of quick containment and resiliency that you want to get to. But this requires practice, and that's very important. So it's really good to think about this. Alex, any thoughts on this before we move on? Yeah, definitely.
In the planning phase, one thing that's really important for making your business more resilient and more able to deal with the bad day is the approval and, what's the word, agreement from different staff members. Gus used the term crown jewels, which is exactly right. The situation is this, if we continue this thread of using ransomware as the lens through which we view resilience: if you sit in a room full of your business leaders, your business team leaders, for instance, and you say, alright, we've got x number of resources to deploy to recover from this massive incident, what comes back first? If you ask that question of your business leaders at the point in time when the hair is on fire and the business has been crippled, everyone's system is the most important system in the world to someone and has to come back first. So have that pre-discussion around what our actual plan is for being resilient when this bad thing happens. Gus also used a really good term there, which is adjusting. Making sure that you've got a plan, but are able, to an extent, to adjust it per the threat, is really key to making sure you can recover quicker. Because no matter what happens, you are going to have a very bad period of time, but your planning and your preparation through technical and people means is what makes that a little bit easier. Correct. The typical case is: if things get bad, do you have a procedure today to isolate your organisation from the Internet? To cut everything off? Think about that question, because it would tell you a little bit about your resiliency. That's a typical question we ask during our tabletops. Alex, shall we go to that case study and take it from there? For sure. The GOLD BLAZER one? Let's do that one. Alright, cool. Thanks, mate.
Alright. So we'll talk about a ransomware case with ALPHV, which we at the CTU track as GOLD BLAZER. The timeline of events: first of all, on an SFTP server, we got an internal VPN connection from a host, SVC host. Interestingly, at this stage there weren't any failed logon attempts, so clearly the threat actor had the credentials. From the SFTP server, there were two connections to a vCenter management host. Thirty minutes after that, from the vCenter, the threat actors established a reverse SSH tunnel to a malicious IP. The following day, twenty-four hours later, they came back. They had stopped, gone back to sleep, and then they went straight back to the vCenter and moved laterally to the domain controllers. On the domain controllers, they used privileged credentials to do reconnaissance activities. They used Windows tools, so living off the land, to avoid detection. They stopped the log creation using the wevtutil tool, and they created a service. We did the reverse engineering of that service's DLL, and it was another SSH tunnel. They stopped for the day. They came back the following day on the domain controllers and directly enabled RDP. Three days after that, they went back to the SFTP server. They did some shuffling with the credentials, and they also downloaded OpenSSH and created an account. Then they went to the Veeam server, which is a backup system. They logged in with privileged accounts and downloaded the same reverse shell, the OpenSSH shell, and they also executed a few PowerShell scripts. That's when they actually deleted the backup data, which is the kind of thing that normally tells you the next step is ransomware. The following day, they executed other PowerShell scripts, one using WMI tools.
And four days after that, they deployed the ransomware. So a very methodical approach. They had a lot of time. This is a typical case: pretty much ten days from initial compromise to detection. The initial access vector was definitely compromised credentials, and the VPN didn't have MFA. Now, when we talk about resiliency, you are talking about ten days of a threat actor being in your environment, and that's where you say visibility is everything. This client in particular didn't have EDR solutions on the endpoints or the servers, and the environment wasn't monitored. So, literally, they were flying blind. When we look at our clients that have Taegis, for example, and they get incidents, we really are flagging the incident pretty much at step two, when we see a reverse SSH channel or something like that. Depending on how they configure Taegis and what data they're sending to it, we can even catch it from a compromised credential point of view. So, again, resiliency is detection, response, and recovery, but it's also the protection aspects. It's really important to have that whole formula when you look at resiliency. Thoughts, Alex? Yeah. I think another key part of this whole thing is that, from a victim organisation's point of view, shall we say, you mentioned, Gus, that it's at the point of the backups being deleted that you can start to infer that the next step is going to be a ransomware attack, and that's completely valid. That's completely the correct assumption to come up with. But what's interesting is that, with the intelligence you can feed into these things, you would hope that at that point you could go back historically and identify those indicators that made it a ransomware case a little bit earlier as well.
So whilst you may discount an indicator or alert or something like that prior to that point, once you get to the point where the backups are deleted, all those prior alerts that you may have discounted as just commodity malware, or maybe some script kiddie popping a web server or something like that, all of a sudden get brought into sharp focus, hopefully, and you start to expect more from your visibility tools. Because all of a sudden, what was just "close the ticket and move on, reimage the box" has gone from "someone's clicked a link or whatever" to "we're actively about to be hit with ransomware; we need to deploy all resources." The speed at which that hockey stick goes up, and at which you can ramp up your response, is really crucial in identifying the threat and containing it, as Gus has said: containing those boxes that have the threat on them and identifying that initial access vector. How did the bad guys get in, now that we've said this is pretty much going to be a ransomware attack that we're going to deal with in, as we've said, an hour, a day, a week, who knows? But we know that's where this threat group was going with this. All of a sudden, our response goes from a normal one to a really high-intensity response, and that is correct. But how are you going to do that? How are you planning to uplift your response very quickly based on the telemetry that you have available to you? Yeah. And I think, like you were saying, Alex, the analysis bit. Because threat actors are now using living-off-the-land tools. They're going to be using all your default Windows or Linux tool sets to do malicious things. And likely you get an alert, but that alert might not be critical, because it might be one of your system administrators doing work.
So when you get those things and you say, oh well, someone is using a specific tool, WMI for example in Windows, you need to ask the questions: is that actually a user account that has the privileges, or is it the admin? Do we have a change request for that? What's happening on that box? And that's part of your resiliency, to analyse that and say, okay, there's something wrong, and investigate to see if it is actually non-malicious or malicious. Yeah, definitely. You need to understand your own environment to understand, well, should that marketing machine be connecting to that accounts machine directly? Probably not. Maybe that's weird. So having the visibility to see that event and then having the flexibility to respond to it is key. Exactly. So, Alex, I'll go to the ransomware resiliency slide, because I think this is the message, and then we can move a little bit to some stats. What does it look like? Again, it's visibility on endpoints and servers. You can't fight, you can't detect, what you can't see. That's a no-brainer at this stage. So good EDR solutions are critical. Also quick detection and triage. That means sending the telemetry from your EDR and other security solutions and other network infrastructure, so firewalls, proxies, VPNs, your cloud environment, say Office 365, whatever you're using. Have the right logs configured and send that telemetry to your XDR platform or SOC, for them to look at those alerts and let you know when something is wrong. So the quality of this is really important, because if a SOC misses an alert, you get ransomware. It's pretty much like that. Then have a skilled IR team, whether internal or third party, onboarded early, starting the analysis and doing all the things they need to do to contain and eradicate the threat.
Think about your backups. Are they cyber resilient? Can they be tampered with? If they can, then you need to improve that. Business continuity and disaster recovery plans, the same: are they cyber resilient? Playbooks, procedures for drastic