‘The Rise Of Crypto-Miners’: Q&A With CyberArk’s Shay Nahari
Topics: Red Teaming, Threat Landscape & More
As most cyber security practitioners know, today’s threat landscape is both multidimensional and ever-changing – a surface that’s difficult to pinpoint month over month.
Between public breaches and subsequent fallout, cyber-anxiety has risen in recent years. Crown-jewel data protection has become a difficult feat while threat actors manipulate, propagate and infiltrate.
To get his take on both the shape of today’s security controls as well as red teaming, we spoke with CyberArk’s Head of Red Team Services, Shay Nahari.
What follows is our in-depth Q&A with the cyber expert:
Cyber Security Hub: How would you describe the current threat landscape?
Shay Nahari: I see things changing, and toward a much more targeted attack. In 2017, it was all about ransomware… There’s a shift there. In 2018, I foresee it to be the year of crypto-miners. More and more attackers are moving to crypto-mining-based attacks. The reason behind that is there’s more “bang for their buck.” With ransomware, once it’s propagated, you have to pray that the target pays the ransom. In crypto-mining, it’s a bit different. It’s running on the target, so they immediately see monetary gain. They don’t need to wait for the victim, they begin mining. The infected machine mines cryptocurrencies for you. So, there’s a shift in the threat landscape in that regard – moving to crypto-mining.
At the same time, there’s a shift on the vendor side, too. There is more awareness; the bar has been set a little bit higher. It’s not necessarily because of vendors… Organizations are understanding security… (With regard to) discussion between the security team and management, these days (it is even) done at the board level and C-level… They understand risk, and with that, the bar is being set higher.
CSHub: Can you briefly describe your experience in red teaming?
Nahari: I joined the company two years ago, to build up its red-team services. The red team’s (responsibility is to) measure the ability to detect and protect against targeted attacks, and simulate the adversary. It’s a goal-oriented exercise – of trying to get to the crown jewels. (We) identify the path to the crown jewels for the customer. My red-team experience (dates back) 15 years, with the IDF (Israeli Defense Force). Most of my experience was there; then I moved to the private sector and owned a consulting company for a few years. (As such), I did red-team services engagement. I joined CyberArk to build and lead those capabilities within (the company). It provides an “attacker perspective.” (What we) strongly believe in is being vendor agnostic, too. So, we simulate adversaries and look at company targets the (same way an) adversary would.
(Also, we don’t say), “All of your problems will go away with Vendor X.” We take a holistic approach to how attackers look at an organization. We plan and execute an attack – with that vendor-agnostic approach – and think like an attacker.
CSHub: How can you run effective Red Team exercises – without creating more vulnerabilities?
Nahari: Red teaming is different than penetration (“pen”) testing. In traditional pen testing and vulnerability assessments, you (may) scan the entire network, to find where the vulnerability is. In public breaches, nothing is done like this. When hackers breach (a network), they go in with a specific target in mind. They know exactly what they’re trying to achieve there. They may touch five machines before getting to the crown jewels. That’s easily exploitable. When you do red teaming, you assume the same mindset, and think like an attacker. With the crown jewels in mind, (you set out to) achieve the mission objective with minimal effects on the customer. You do not scan the entire network, you do a very targeted attack. This allows us to gain access to the crown jewels, with minimal lateral movement. The less targets we can touch, the more chance (we have) of achieving the objective.
CSHub: Can you go into some more depth about crypto-mining, and maybe discuss its evolution and trajectory?
Nahari: The space is evolving. There is that shift into crypto-mining. And it’s a huge subject. There are different things to be aware of – which cryptocurrencies attackers want to use, best ways to propagate malware, etc. As of now, I don’t see crypto going away. With cryptocurrency, there are specific characteristics that make it very hard to detect in the moment. More and more actors are migrating to this. I think this is just the beginning. It’s a different approach – infecting machines, or a website to infect the browser. In 2018 and maybe 2019, it will be the rise of crypto-miners.
On the blue team side of the house, I don’t see a lot of specific approaches done against crypto-mining, and there are various reasons. An event as a whole, (involves) distribution and execution. Think about it like a rocket: a missile takes the payload and delivers it from one point to the other. I don’t see specific solutions done to prevent the “bomb,” but there’s still a way to prevent the missile, or the delivery of that payload. Most of those involve privileged accounts, which are the most used. The privileged account (is a way for threat actors) to move laterally, steal credentials, get main admin credentials and propagate their crypto-mining. It’s all about scale. (You must) infect as many machines as you can. You can prevent the propagation…but as for the actual payload of crypto-mining, I don’t see specific (measures) done to prevent it.
CSHub: Is security a “technology” or “business culture” issue? Or a mixture of the two?
Nahari: I believe it’s a blend of the two – technology and culture. On the technology side, it’s really well known that complexity is the enemy of security. The more complex it is, the more likely to have an attack surface, or something exploited. More exposure to different technologies (can even) make the attack surface larger. There’s definitely an increase in security posture, as well. So at the same time, organizations understand that it’s not just about a shiny, blinking box, or a red light that’ll make all your problems go away. It’s really about understanding and giving attention to security, to incorporate it at “ground zero,” if you will, from the development cycle to deployment. I definitely see an improvement in business culture, but it’s not perfect yet. I see organizations understanding that security must be incorporated in all phases – including the DevOps life cycle… It’s not only about the technology, or the shiny box from the vendor. There needs to be an emphasis on best practices from all perspectives of the business.
CSHub: Does the ongoing talent crisis affect any of these aforementioned points?
Nahari: There’s a better understanding of the importance of security throughout the organization. Today, more and more organizations understand. Five years ago, if there was engagement (on security, you may have been) pointed to the IT department. Today that’s unheard of, because mature organizations have dedicated security teams. (This includes) teams for security, blue teaming, incident response, threat hunting, (etc.). So we definitely see that skillset being utilized a little better. Yet, there is definitely a skills shortage across the board – from threat hunters to incident responders, to SOC operators, and so on. The market is trying to catch up. The need is there, and the awareness is there. We need the skillsets. The average IT guy can no longer do the blue team, threat hunting and operate the SOC. That’s understood. I do think we’re taking some important steps in closing those gaps. But we’re not fully there yet, obviously.
Be Sure To Check Out: Competition, Automation Key To Cyber Success? Q&A With SentinelOne