Security analyst, researcher and ethical hacker, Keren Elazari, invites us to view cybersecurity from the hacker perspective at her keynote during N-able’s Empower Prague 2023 conference.
Sharing her vision of hackers being heroes, Elazari recounts incidents of criminals hitting hospitals and targeting Microsoft Word and Excel files.
Here are the key takeaways from her talk – they might even make you consider enlisting the help of an ethical hacker for your business.
1. Hackers build the immune system of the digital world
First, Elazari presents an image of what a ‘typical hacker’ looks like: darkened room, hoodie. But she challenges that with the image of the good hacker, such as those depicted in the 1995 film Hackers with Angelina Jolie, a great inspiration to Elazari during her childhood in Tel Aviv.
She refers to hackers as ‘the immune system of our digital age’, made up of good and bad actors. “Hackers help us identify problems,” she says. “Yes, there are many malicious hackers, cyber criminals, terrorists and spies that use neutralised one-way abilities and exploits. But there are so many friendly hackers, just like the friendly bacteria that are part of our own immune system.”
2. Hackers are early adopters of new technology
Hackers often take to new technology first. “Many times, they’re the ones who will find a way to use and abuse new technology before anybody else even notices it. So as security professionals, as defenders, we can’t afford not to learn from what the bad guys are doing,” she says.
3. The cybercriminal ecosystem is rife with ‘malicious innovation’
“There is incredible innovation in the cybercriminal ecosystem,” Elazari tells the audience as she deep dives into stories of the Ryuk ransomware attack which affected hospitals in the US and Europe during the pandemic.
“During Covid-19 we all experienced different changes to our lives,” she says. “Criminals experienced a renaissance, the experience and opportunity to mutate and improve and evolve their code, their products and their capabilities.
“They’ve also found new infection vectors, just like we were dealing with viruses infecting us as humans, they found new ways to get into different devices and systems. Emails, which are a classic, stolen credentials, stolen passwords that have already been leaked online in various databases, direct exploits of the remote communication systems, the remote desktops or remote VPN, finding exploits in those products.”
4. Criminals have used automation for a long time
As the general public is just waking up to artificial intelligence, it really isn’t new to malicious hackers. “Criminals already use automation. They don’t call it AI or machine learning, but they use automation throughout their supply chain. They use automation for text translation, so that they create emails in 20-30 different languages. They do image and content localisation to target specific organisations and people in sectors, and they do A/B testing to understand which emails get people to engage more.”
They also have fantastic automation, with credential harvesting tools, credential stuffing tools and password cracking tools. With attacks on remote communication systems, they use scanning and exploitation which is already automated and has been automated for six or seven years, according to Elazari.
“While yes, we talk about AI in the context of cybersecurity, I want you to understand that for cyber criminals, automation has already been part of their supply chain in the infection state, the exploitation stage and the encryption state for years. Some of the first successful ransomware strains ever had automation built into them,” she says.
5. They’re ahead of the game
Microsoft typically issues patches, or updates, to vulnerabilities that they have discovered on the first Tuesday of every month, known as Patch Tuesday. These are vulnerabilities that the larger ecosystem did not know about. So, there’s Patch Tuesday, Exploit Wednesday and Uninstall Thursday. What happens typically on Exploit Wednesday is that there is a rise of new attacks and exploits taking advantage of all those vulnerabilities just freshly patched. Some of these vulnerabilities are really quite serious.
April’s Patch Tuesday was ‘a real doozy’, says Elazari. “Of the vulnerabilities disclosed in last month’s Patch Tuesday, almost 50 per cent of them remote code execution. That’s the kind of thing that gives hackers like me that good, fuzzy, tingly feeling, because that’s what we want to achieve – remote code execution. Especially if we can do that without authorisation, authentication or privileges, we can do that easily. With these vulnerabilities, it was possible and from the almost hundreds of vulnerabilities that were patched.”
She points out that not every company or client updates these patches and that can leave them open to attack: “Criminals don’t just move very fast. When there are new vulnerabilities that they can move to exploit within hours.”
6. Hackers use psychology to fool their victims
Hackers use psychology as well as technology. Elazari explains a trick where hackers hide a piece of malware in a Microsoft Word document and the Word document claims to have been made on Windows 11 Alpha. This is allegedly a version only released for developers but in this particular case, it’s just a way to get people to interact with the document. In order to view the content, you must click on the gold bar that says ‘Enable Editing’ and ‘Enable Content’.
“The criminals instruct people what to do, so that the malicious payload will interact with your machine. People typically are nice, and they comply. Now, of course, it’s not always Word documents or PDF. Sometimes it’s also Excel,” she tells the audience. “They’re really using the security warning and subverting it.”
7. They have professional business models
We learn of a Ukranian hacker who leaked files from a pro-Russian cybercriminal organisation – all of their information, all of their logs, their chat logs, a lot of details about how they operate.
“From those logs, we learn fascinating things. For example, they are not hackers sitting in a basement with hoodies, they are managers and planners, and they sit in office buildings, some of them in St. Petersburg. They do planning strategically. In fact, they plan to open six more offices and hire 50 to add people by the end of September 2022. And they invest $20m annually in their infrastructure and their growth. Does your organisation spend $20m annually in your infrastructure and growth? It’s very impressive,” Elazari says.
Essentially, the documents show that they operate like an organisation. They have an HR department, performance reviews and employee of the month competitions. “Allegedly, some of the people working for this didn’t quite realise that they were working for criminal organisations,” she adds.
As it turns out, other criminal groups are competing for market share. Elazari introduces the concept of Ransomware as a Service, popular with cybercriminals. One particularly successful Ransomware as a Service group is LockBit and the LockBit 2.0 product. What’s special about LockBit – and a few other ransomware groups have done the same – is the double extortion model. They’re not just encrypting the files, they’re also threatening to release all the files to the public in the hopes that this will leverage higher extortion fees, higher taxes and fees from their victims.
Elazari shows the LockBit ransom note from the infamous Accenture attack: “It’s got all the useful information of stuff has been infected, yada, yada, contact us if you want to get access to your files. But there’s also this, ‘Would you like to earn millions of dollars? Our company requires access to networks of various organisations come and work with us. Here’s how to get in touch with us on the Darknet.’”
The attackers also have product endorsements: ‘We are one of the best design offers on the market with a focus on speed of encryption as well as functionality.’
“Now they’re not just boasting, this is not just empty PR, there was actually a technology tested out to check the speed of encryption, and LockBit are indeed quite fast. They compete on these aspects. They compete on market share, they compete on speed. And they even give interviews. There’s a YouTube channel where LockBit gave an interview, and they were asked about who they target and why they target different organisations. And from their perspective, they said, ‘Well, if they can get money, that’s all they want.’
One of the reasons LockBit are so successful is because of the Ransomware as a Service model, so they can actually create the ransomware platform and then work with lower-level criminals to deploy the ransomware in exchange for about 20 per cent commission off the top of the ransom money that they extract.
“Imagine that we’re in Sand Hill Road in Silicon Valley, where all the venture capital funds have their offices,” Elazari says. “Imagine I’m there, and I’m pitching a company with an organisation. And I have all of these things, they would call it innovation. They would say, ‘Here’s our chequebook, we would like to invest’. We’re seeing cybercriminals investing millions and millions in their evolution, in their development, and they are now faster than ever.”
What we can do
Elazari explains that moving to the cloud, especially for your customers, helps solve a lot of the problems. It helps address the rapid speed in which hackers operate, because you can add and deploy the latest updates within seconds, and you know what’s going on. You can benefit from the power of the cloud in the sense that it’s not just about you, or your customers. It’s about everybody. It’s about everybody being protected and using the wisdom of the crowd and building that digital immune system. And in some cases, it’s by learning from hackers.
“As I look at 2023, I see that there’s a lot of investment in R&D and innovation in the technology space, also by the bad guys. That is an opportunity for us to evolve and create better technology services to help our customers and the people we work with. I see that security budgets are growing in scope, but not in headcount. Chief Security Officers and Chief Information Officers need to do more with less, they need to show more results, more actionable insight with fewer people. They are more likely to work with any cloud provider, more likely to work with a managed security provider, so it’s actually blue skies ahead and a blue ocean.”
“I believe we need more human hackers to the rescue,” she says. “Even companies like Microsoft and Twitter are using human hackers and bug bounty programmes where hackers are paid to identify vulnerabilities like in the Wild West, where the sheriff would give out a bounty. They’re using these programmes to fix their AI models.”
More on hackers
Information Age’s guide to recruiting ethical hackers – With no slowdown in the number of cyber attacks in sight, surprisingly, there’s some good news: not all hackers are out to harm your business. That’s right, there’s a growing market of ethical hackers who want to earn money protecting organisations
The evolution of the hacker: what businesses needs to know – What can be done to defend against all types of attackers?
Thinking like a hacker: Crucial for businesses in mitigating the cyber threat – How can organisations get ahead of cybercriminals? The best advice would be to think like a hacker
