In A Pandemic Crisis, All Sectors Need To Be On High Cyber Alert - An Interview With Ian Thornton-Trump
Ian Thornton-Trump, CD is a member of COVID-19 CTI League and CISO for Cyjax.
[PenTest Magazine]: Hello Ian! Thank you for agreeing to this interview. In these difficult days of the pandemic and a global lockdown as its result, we are all the more dependent on the cyber world than ever before. That makes us particularly vulnerable to potential cyberthreats. When was the first moment you came up with the idea for creating the COVID-19 CTI League?
[Ian Thornton-Trump, CD, CISO for Cyjax]:
Well, to be honest, I was invited to this effort by Marc Rogers who is my Boss at DEFCON. I'm a member of the SOC "Goons", the security team at DEFCON and Marc Rogers leads, mentors and guides us every year. Through our closed "Goon" lists he asked for volunteers to join the team - my technical skills are somewhat atrophied - I spend most of my time taking my knowledge and experiences and providing wisdom to the next generation. I brought in a couple of my top technical and intelligence analysts to aid in the fight. I'm also a member of a similar UK effort called "Cyber Covid Volunteers".
[PT]: How is the rise in numbers of present cyberthreats correlated with the spread of the pandemic? Is there a clear connection between the dynamics of coronavirus’ spread and the emergence of new cyberthreats?
[ITT]: Yesterday, I put out a tweet "The only thing spreading faster than Corona virus, is cyber-crime related to Corona virus." It's really true - 60,000+ potentially fraudulent domains have been detected so far and it appears that all the major cyber-criminal groups are now pushing Trojans and Ransomware payloads under pandemic, Covid-19 and Corona virus scams. It's happening fast. When POTUS mentioned the potential for anti-malaria drugs - fake sites hawking these drugs appeared within hours.
[PT]: How quickly did you observe the first pandemic-related scams?
[ITT]: This hit with little to no warning - cyber criminals seemed to target China, Asia and the Middle East with bespoke campaigns as early as January. When the mainstream media picked up coverage of the Corona Virus spreading, cyber criminals were quick to expand the campaigns.
[PT]: What are the most common types of malicious cyber activities, currently? Is it COVID-19 related phishing or would you point to something else?
[ITT]: I think it's both overt, like phishing and smishing campaigns, waterhole attacks and attacks on newly exposed infrastructure like Outlook Web Access and VPN systems not protected by 2FA. But there is a more sinister element, ranging from counterfeit masks to fake testing kits and drugs being offered online - the DOJ and Canadian authorities have been very focused on taking these criminal offerings offline. Cyber criminals are using every aspect of the pandemic, and it certainly did not help defenders when a 0-day attack against a Windows sub-component called "Adobe Type Manager" came to light. It's a dangerous time to be online, especially when so many of us are under government orders to work from home.
[PT]: We know that there was an attack on a research laboratory, which is working on coronavirus analysis in Brno, Czech Republic. Do you expect that medical institutions will be under heavier threat now?
[ITT]: In addition to the attack you mentioned, we know of attacks on the WHO as well as other medical facilities. I am hopeful that these attacks are by accident rather than by design, as to cyber criminals, one IP address looks like another IP address. I think the threat level is certainly elevated for everyone. In terms of health care and the health care supply chain, there has always been a substantial amount of vulnerability present - mostly due to underfunding and technological debt but when those facilities are at capacity and delivering critical services to a large number of very sick citizens, cyber criminals and nation state actors should tread carefully - now is not the time to mess with a nation's health care system as it could elicit a kinetic response if casualties are attributed to a cyber-attack.
[PT]: What is your advice to medical facilities? How can they quickly enhance their cybersecurity?
[ITT]: The IT departments need to engage with cyber defender volunteer organisations for advice and help, and they need to shore up their defences - fast. As an example, a good threat intelligence feed, generated by volunteers or H-ISAC, should be consumed by healthcare providers, and these malicious domains should be blocked rapidly.
Facilities need to segment vulnerable systems off of the internet, deploy internal firewalls and put their services behind web application firewalls and/or proxies. Most of these "to dos" are not expensive but they need to be done - perhaps with the aid of volunteers - because right now there is a critical risk to facilities.
The first step to getting help is admitting that you need help.
[PT]: What about other sectors? Government, banking, critical infrastructure, commercial business?
[ITT]: In a pandemic crisis, all sectors you mention need to be on high cyber alert. The most impactful cyber-attack on a hospital is one that turns off the power, or the gas, or the water - all of these are critical to the delivery of services. One of the good things coming out of this whole event will be a focused investment in business continuity, as any weakness in security posture or resiliency is going to be very noticeable. We are not in a "table top exercise", we are in an actual crisis. If the country that you live in and the state or municipality you live in are all declaring a crisis, and your business has not, what the hell are you thinking about?
[PT]: Those who can have switched to remote work now. Does it imply any higher risk for companies and their employees than it used to before the pandemic?
[ITT]: Absolutely it does. Many IT departments are now forced to support tens, hundreds or even thousands of mini-branch offices. These folks are going to be overwhelmed not only by the different gear found at all these home networks but by simple configuration things, like DNS causing major problems with VPN connections. It's not only going to be difficult, but there is a real danger of an infected family computer infecting a work computer. Or a family computer being used out of necessity for work - with any nastiness potentially making its way into the corporate network.
[PT]: What is the main focus of the COVID-19 CTI League?
[ITT]: The main focus is collecting and acting on the malicious activity being discovered every minute. The idea is to use our collective and global reach as information security professionals, leverage our relationship with vendors and collectively act to pull down malicious sites. In so doing we can supply indications of compromise accurately, timely and in a format that is readily consumable by an organisation that may have limited resources.
[PT]: Who is encouraged to join it and what skill set is required?
[ITT]: All manner of information security professionals are welcome - however, the current focus is on Cyber Threat Intelligence professionals, reverse engineers, as well as security architects and DevSecOps. This is all about relationships, sharing intelligence and working for the greater good. This is an unprecedented moment of a community - vendors and practitioners - coming together in a time of crisis. I sincerely hope the good will expands beyond this moment and is a template for future global sharing and cooperation.
[PT]: Could you share with our readers any achievements of the initiative so far?
[ITT]: Thousands of fraudulent domains and IPs have been identified. Representatives of major telecommunication providers, global ISPs, government agencies as well as hosting providers have blocked or taken down cyber-criminal infrastructure. Malware is being reverse engineered to identify C2 domains. I've never experienced a true cyber war room, but there are hundreds of volunteers taking the fight to the cyber enemy.
[PT]: How can people help, other than joining? Any channels we should be keeping an eye on?
[ITT]: I would say that non-IT people can help by following simple cyber hygiene: making sure their PCs and Macs are patched and up to date and running malware protection. Don't become part of the problem by becoming infected - so similar to the government advice on protecting yourself from Coronavirus! In terms of professionals, the IOC channel is the one to be watching, as any fraudulent domain and lists of compromised hosts are being pushed up. A big part that everyone can do is amplify the legitimate and accurate advice coming from governments and the WHO on social media. There is a lot of FUD online, and that's making people a lot more vulnerable to cyber-criminal scams. If you see something that looks dodgy, please report it and block the sender in your social media platform.
[PT]: How can people get in touch?
[ITT]: Access to the group is by referral from an existing member. So, it would be best to find someone within your organisation who has deep ties into the security community or make contact via LinkedIn or Twitter with senior security folks you know in the industry that can vouch for you. Many in the group are members of ISACs or State level CERTs so that's a good place to start.
[PT]: Any final thoughts or concluding messages to other ethical hacking professionals?
[ITT]: Yes. This is a time to come together as a community of defenders, leave egos at the door and work for the collective good. Take the responsibilities you have as an IT professional or security professional seriously. The number one piece of advice is: if you don't know what you're doing, or you are unsure, ask questions and/or seek resources online. Mistakes you make right now could have incredibly serious consequences for your organisation and ultimately your own career. In cyber, just like in Special Operations, "Slow is smooth, smooth is fast". Think Cyber Security. Plan Cyber Security. Do Cyber Security.