Advertisment

CXO of the Week: Robert Huber, Chief Security Officer and Head of Research, Tenable

We recently interacted with Robert Huber, Chief Security Officer and Head of Research, Tenable. He shared the techniques and tactics utilised by ransomware.

author-image
Manisha Sharma
New Update
Robert Huber

The stereotypical image of a cybercriminal in a hoodie operating from a basement severely downplays the scale of today’s ransomware operations - which poses one of the most significant threats to organizations in India. Cybersecurity is one of the existential threats of our time. New types of connected devices and compute platforms, from Cloud to IoT, have exploded the cyber attack surface. The old way of simply scanning on-premises IT devices for vulnerabilities is no longer enough. It’s time for a new approach.

Advertisment

We recently interacted with Robert Huber, Chief Security Officer and Head of Research, Tenable. He shared the techniques and tactics utilised by ransomware operators and their affiliates to infiltrate businesses, his entrepreneurial journey, the company’s growth, and much more. Read below to know more about it.

Introduction.

Cyberattacks have become an existential threat in their own right in this hyper-digital world. Today’s organizations operate on distributed, hybrid networks that stretch across many data centers in multiple geolocations, cloud-based infrastructures, applications, virtualised platforms and services, and much more. Simply put, there are more types of technologies, assets, and services in every organization than ever before. And each and every one of them is vulnerable to some sort of attack or threat above and beyond a simple, exploitable vulnerability caused by a missing patch. While attacks continue to increase in sophistication, the vast majority are opportunistic, preying on the fact that most teams are overwhelmed and unable to address even well-known vulnerabilities.

Advertisment

To address this fact, we see the need for Exposure Management. Exposure management draws on deep insights into all aspects of the modern attack surface - across assets, as things change, and with the context of interdependencies - to accurately gauge and prioritize exposure risk.

With what mission and objectives, the company was set up?

Our mission is to be a strategic partner to our customers by providing them with innovative solutions that deliver continuous visibility and contextual insight necessary to manage cyber risk. What we do matters in the existing scheme of things and we envision a future where every security team will have a real-time view of cyber exposure at all times; where cyber exposure will arm CISOs with accurate insights into the risks; and where every strategic business decision will factor in cyber exposure as a quantifiable metric.

Advertisment

Why has ransomware become such a flourishing business? Who are the players within this ecosystem and how does their business model work?

Ransomware-as-a-Service (RaaS) has proven to be lucrative for cybercriminals who don’t have the technical skills to develop their own malware or the infrastructure behind it. This has lowered the barrier to entry for a would-be cybercriminal. The ransomware ecosystem has three key players — Ransomware groups, affiliates, and initial access brokers (IABs). Ransomware groups are the face of the ecosystem, responsible for developing the ransomware, managing the infrastructure behind hosting stolen files and negotiating with victims.

Affiliates are the pillars holding up the structure of the ransomware ecosystem because they’re the ones doing the dirty work of infecting organizations in myriad ways. Affiliates identify attack pathways by purchasing access through Initial Access Brokers or by using common attack vectors such as spearphishing, brute-forcing RDP systems, exploiting unpatched or zero-day vulnerabilities, and purchasing stolen credentials from the dark web.

Advertisment

Initial Access Brokers or IABs are a group of cybercriminals who specialize in gaining access to an organization’s IT infrastructure. They specialize in gaining initial access to organizations using similar techniques as affiliates. They offer access to the highest bidders — this could be an affiliate purchasing access or the ransomware group itself developing a working relationship with IABs directly.

What, are the five important things that organizations should be looking at today?

There are many, many different types of assets which represent many different types of potential vulnerabilities, giving attackers more options and techniques than ever before to gain access across an organization’s attack surface.

Advertisment

This is why vulnerability management, as a critical security practice, has evolved to not only “scan for missing patches” but to put the right combinations of tools and sensors to safely and securely assess each type of asset for whatever type of vulnerability or misconfiguration may pose some amount of risk to the organization.

We are focused on empowering organizations to gain continuous visibility into five main focus areas: Active Directory, Operational Technology, Cloud, securing external or internet-facing assets, and Vulnerability Management for the modern attack surface.

Why do ransomware attacks continue to rise despite best efforts to curtail them?

Advertisment

Ransomware groups are ephemeral. We have seen multiple ransomware groups disappear over the years, either of their own accords or as a result of government and law enforcement action. We also hear numerous reports that newer groups include members of past ransomware groups. For instance, REvil was the successor to the infamous GandCrab ransomware outfit, while Conti is considered the successor to Ryuk. When certain groups are dismantled, new groups capture the attention of affiliates seeking new partnerships.

Ransomware groups may come and go but it’s the affiliates and Initial Access Brokers that make ransomware attacks a persistent threat to organizations.

How has the commodification of tactics led to an industrial revolution of global cybercrime?

Advertisment

Ransomware’s current dominance is directly linked to the emergence of a technique known as double extortion. The tactic, pioneered by the Maze ransomware group, involves stealing sensitive data from victims and threatening to publish these files on leaked websites, while also encrypting the data so that the victim cannot access it. Ransomware groups have recently added a variety of other extortion techniques to their repertoire, including launching DDoS attacks to contacting customers of their victims, making it even more challenging for defenders. These tactics are part of the ransomware gangs’ arsenal for placing additional pressure on victim organizations.

It’s therefore imperative that organizations prepare themselves in advance so they are in the best position possible to defend against and respond to ransomware attacks.

How are ransomware groups bidding against each other to attract affiliates by offering a larger percentage of ransom payments?

Ransomware gangs deploy various tactics to recruit affiliates. Earlier ransomware groups were posting recruitment messages on dark web forums. Once these forums took notice, threat actors pivoted to posting recruitment messages on their own leak websites. Affiliates play a major role in the ransomware ecosystem and are offered many incentives. This enables affiliates to operate independently, opening up the opportunity for them to work with multiple groups simultaneously.

Ransomware groups are very generous when courting and recruiting affiliates. Affiliates earn the bulk of ransom payments, earning anywhere between 70% to 80% of the total ransom amount. Some ransomware groups have become more aggressive in recruiting affiliates like ALPHV (a.k.a BlackCat), which offers a 90% cut to affiliates.

cxo-of-the-week tenable