April 22, 2020: For this COVID-19 field report episode, we are joined by Ryan Kalember from Proofpoint, where he is in charge of cybersecurity strategy. Ryan fills us in on the current landscape of cyber threats, what has changed during the pandemic and, interestingly, what has stayed the same. The coronavirus crisis has presented a huge opportunity for cybercriminals, who are using lures tied to every aspect of the pandemic; however, as Ryan explains, these lures use the same tactics in a different dressing. The ways in which phishing emails and attacks are conducted are the same as before this period; it is the remote work model, overwork and newly deployed systems that present fresh opportunities for exploitation. In our conversation, we cover the range of ways bad actors are using these to their advantage and the trends in the cybersecurity space right now. Ryan takes us through the weaknesses that have become apparent during the last couple of months and shares examples of how they are being taken advantage of. To finish off our chat, we look at the National Cyber Security Alliance and the focus of its work, as well as how Ryan's position at Proofpoint fits into the larger picture of cybersecurity right now.
Field Report - Cyber Attacks During COVID-19 with Proofpoint
Episode 231: Transcript - April 22, 2020:
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[0:00:04.5] BR: Welcome to This Week in Health IT News, where we look at the news which will impact health IT. This is another field report, where we talk with leaders from health systems and organizations on the front lines. My name is Bill Russell, healthcare CIO coach and creator of This Week in Health IT, a set of podcasts, videos and collaboration events dedicated to developing the next generation of health leaders.
Are you ready for this? We're going to do something a little different for our Tuesday news day show next week. We're going to go live at noon Eastern, 9 AM Pacific, on our YouTube channel with myself, Drex DeFord, Sue Schade and David Munst of StarBridge Advisors to discuss the new normal for health IT, with you supplying the questions via live chat. You can also send in your questions ahead of time at firstname.lastname@example.org. I'm so excited to do this and I hope you will join us. Mark your calendar.
Noon Eastern, 9 AM Pacific on April 28th. If you want to send in questions, feel free to do that, and you can get to the show by going to thisweekhealth.com/live. This episode and every episode since we started the COVID-19 series have been sponsored by Sirius Healthcare. They reached out to me to see how we might partner during this time, and that is how we've been able to support producing daily shows. Special thanks to Sirius for supporting the show's efforts during the crisis. Now, on to today's show.
[0:01:25.1] BR: All right, today's conversation is with Ryan Kalember, the EVP, Cybersecurity Strategy at Proofpoint and board member of the National Cyber Security Alliance. Good afternoon Ryan, and welcome to the show.
[0:01:39.6] RK: Great to be here, thanks for having me Bill.
[0:01:41.1] BR: Well, thanks for taking a few minutes to meet with me today. I saw a presentation you did with a partner of yours a couple of weeks ago and I thought, that is a phenomenal topic, you guys covered it so well, and I wanted to really explore it with you. We're going to talk phishing today. Now, we might veer off that topic a little bit, but for the most part, this COVID situation has really just opened up the opportunities for people to exploit those. Let's just start with the basic question, which is, what does the threat landscape look like during a crisis like this, like a COVID-19 crisis?
[0:02:19.0] RK: Well, interestingly, a lot of it looks the same, but the social engineering component, as you correctly pointed out, looks a lot different. I think the attackers, just like marketers and public health officials and other people who are doing any sort of communicating today, have realized that there is really only one topic that matters on planet Earth right now, which is COVID-19.
It is perhaps the most clickable lure that we have ever seen. I don't think we can point to a single event in the history of either [inaudible] and cybersecurity, going back 20 years or anywhere threat researchers can remember, where every single type of actor jumped on one lure bandwagon at exactly the same time, which is what we've seen happen basically since January.
[0:03:02.6] BR: Wow. Are the actors different? I mean, is it the same set of actors? What are some of those actors?
[0:03:09.2] RK: Sure, there is really kind of a pyramid, right? There are the nation state actors at the very top, who tend to be the more sophisticated ones. We've seen actors from China, India, Pakistan and a couple of other places use COVID lures at this point. And then there are the more targeted attackers that are going after maybe one organization, maybe a smaller set of organizations; we've seen them use COVID lures.
And then there are these scaled cybercrime actors that we can identify because they have their own infrastructure that's big enough. The most prolific actor that we track is one known as threat actor 542. They are very famous now, where they use Emotet, and they were actually the first ones really doing this at scale, going all the way back to late January.
They started to attack Japanese organizations with lures referencing disruptions to supply chains in China. Since then, much larger scale cybercrime actors have all gotten on the bandwagon, and even the least sophisticated threat actors of all, who do what we would call business email compromise.
Really simple spoofed messages saying something like, I can remember one that was basically, "I'm stuck downtown, four people have tested positive around me, so I'm going to need to move some things around, please get in touch ASAP." Really, COVID-19 is a wonderfully flexible lure for really any kind of cybercrime actor.
[0:04:29.9] BR: Wow. What are the payloads they're trying to deliver through this stuff?
[0:04:34.8] RK: At this point, it's been hundreds of thousands of malicious payloads, actually probably millions, I should check. But really, it's been about 70% malware, that is, malicious software designed to compromise some aspect of your computer. A lot of those have been remote access trojans, a lot of them have been keyloggers, what we call information stealers.
Some of them have had what we call downloader functionality, meaning it's one piece of malware but it can become something else later, and oftentimes the actors can sell that access. With people working away from corporate networks and good defenses for the first time in a long time, those downloaders become more valuable. The other 30% really is just credential phishing, trying to steal your password or login details. Some of that has gone after a multi-factor authentication scheme; not a lot of it has. And then there's of course the small volume stuff that has no payload at all and is just trying to get you to engage in a conversation.
[0:05:30.6] BR: Are we seeing any new sophisticated attacks, or is it just variations on old attacks that we've seen?
[0:05:37.4] RK: It's much more the latter. There is nothing new under the sun when it comes to tradecraft, because there doesn't have to be. Really, most of the cyber threat landscape at this point relies on human activation. It's macros in Word documents and sending PowerShell objects inside other documents, just sending people code and asking them to run it.
That is a much more successful approach right now than the incredible time and effort it takes to find a vulnerability that no one's found before, or maybe multiple different vulnerabilities, in order to get to do something useful in a modern browser or an operating system. Really, that's out of the scope of pretty much all but the apex actors. We're all clicking on stuff; they don't need to do anything different from a technical standpoint.
[0:06:21.6] BR: You’re saying I’m the weak link, is that what you’re telling me?
[0:06:26.0] RK: It's carbon-based risk and not silicon-based risk, that's absolutely true. The vulnerability between the chair and the screen.
[0:06:34.0] BR: How has work from home, you talk about people away from their normal work environment, has that changed things, made it harder to secure the environment or anything to that effect?
[0:06:47.9] RK: It certainly has an impact. One of the things that does change is your own behavior. People are not really enforcing the social norms that you might have in an office environment. That transaction where you might have walked down the hall to validate with the finance department before sending that wire, that's not happening when everyone's working from home, and there are some technical controls that are probably not in place.
You might be working from a device that you've never worked from before. It might be a home computer that hasn't been patched in a while. You might have a WiFi network that you've never changed the default password on. There are all kinds of risks that factor in from that perspective that have been mitigated by some things that organizations have been able to put in place, but not necessarily a lot of them.
When you remove a user from the traditional secure environment, you're basically taking a lot of controls out of the equation and you're focusing on two main controls. One is the ways in which the employee communicates, which might be directly to cloud services and never go through any network you control or see at all, and of course, that uses an endpoint, whatever that happens to be.
[0:07:51.1] BR: Well, that becomes, I've been talking to a bunch of CIOs, we've done about 30 healthcare CIO interviews over the last 40 days or so, and a lot of them sent people home, and one of the things that happened was, they ran out of equipment.
For the first time, people weren't working off of work equipment they were putting at home, so they're trying to create layers of abstraction, they're trying to virtualize the whole environment and those kinds of things. They were utilizing cloud environments much more so than they had before. Does that change things, does that help at all? I mean, because phishing attacks, it's coming through email, right? Just continually coming that way. When they are compromised, they're not going to compromise the VDI environment, and if they do, who cares, you could just wipe out that VDI environment.
[0:08:41.2] RK: Yeah.
[0:08:42.3] BR: They could compromise the home computer, does that create a problem?
[0:08:47.6] RK: Sure, because that home computer is now talking to the systems that that person needs to work. Those could be cloud systems, they could be client applications, they could be EMR applications. That same exposure happens when that home computer has access to systems and data that you care about.
Ultimately, the hot approach is obviously to try and go to what we call zero trust, which is a very old idea that has acquired some new momentum. Really, the idea is that your perimeter is not a network perimeter. Your perimeter is everywhere you make an access decision. Frankly, the corporate network, the network that you own and maintain, should always have been treated like it was a home WiFi network that you didn't trust.
In a lot of cases, CIOs and CISOs have been able to make some progress towards that model because they simply have to now. You have no network trust in the equation. That said, the risk is still there from a phishing attack. You're right that the risk is mitigated when you're using things like virtual desktops, because you can of course burn them down.
When it comes to email though, it is pervasive. If there's any kind of persistence in that session at all, or if there's a user using email from within a virtual desktop in an environment that has access to production systems, there is going to be exposure there and you're not going to have the traditional set of network security controls. That means your email security controls matter a lot more, and your endpoint security controls matter in the case of home equipment.
[0:10:15.9] BR: Yeah, I think one of the concerns, I just want to point this out, in the VDI environment, I think people say, "Well, it's a VDI environment, it's safe." But if you're not doing patching on the back end, that's just as vulnerable as anything else that's out there. I mean, I've seen people go into a VDI environment, break out, take control of the server and start capturing all sorts of stuff.
[0:10:37.5] RK: Absolutely. Particularly as there are so many vulnerable VPNs out there right now. We have seen attackers leverage the vulnerabilities in Pulse Secure and Palo Alto devices and [inaudible] devices, which are very widespread in healthcare, in order to compromise entire environments, and a lot of the patching should have gotten done months ago in those cases. And in the case of Citrix devices, you actually have the application delivery controllers themselves be vulnerable. You know, it's never quite as simple as these are VDIs, they're disposable, I don't have to worry about security anymore. You make an excellent point on just how exposed you are if the broader environment gets compromised, which again is something that the threat actor has a lot more options on with people working from home.
[0:11:27.7] BR: Yeah, all right. We'll get back to, this is what happens when I get going on this. Where have the campaigns been targeting? I mean, we're talking about healthcare, but is it pretty broad here, is it all the industries? Is it all geographies at this point?
[0:11:44.2] RK: It's pretty global. We've seen, again, the campaigns start in Asia, where the pandemic started. We've seen a lot of European targeting, Canada, Australia; no one's really been immune to this. The lion's share is of course in the US, and that's usually the lion's share of targeting anyway.
And the healthcare industry certainly has not been spared. You know, there was of course that chatter on the [inaudible] actors not hitting healthcare in the short term. That doesn't appear to have panned out. Certainly, there are a couple of [inaudible] infections that people are dealing with right now in healthcare and healthcare-adjacent organizations.
But really, the campaigns themselves are of every imaginable flavor. In healthcare specifically, we have seen quite a lot of BEC-style campaigns, and we've seen lures that come from the CDC, the WHO, recognized national and international and sometimes even local or state authorities that are in charge of promulgating information around the current pandemic, which of course, in a healthcare organization, is going to have an even higher click rate than your generic COVID-19 lure, which already has an incredibly high click rate.
[0:12:50.7] BR: Yeah, let's dive into some of those, because in your presentation you gave a couple of different examples and I thought that was pretty telling. So you had regional risk, fear and safety, economic risk, COVID cure, those were just some of the different things. Give us some examples on each one of these. So when you are talking about regional risk, what kind of email would people be looking at?
[0:13:14.8] RK: In the regional risk category, you're looking for things that are basically like, well, we have PPE coming in from China. So there is going to be some regional tie to the lure, and there might even be regional ties to targeting. So for example, we saw a lot of campaigns in Italy attacking healthcare organizations and other organizations that were all around the procurement of PPE, personal protective equipment. Those very often have a regional flavor.
They are very convincing, they are often very specific. There are some others that are even hyper-regional, meaning that almost a single office location is involved in that, and that transitions a little bit into the fear and safety ones. Basically, your colleague has tested positive, click here for the details of how we're going to do contact tracing, that sort of thing that is all too imaginable for most of us who work in an office environment on a normal basis.
Those have tailed off a little bit as people have been working from home for longer. But if you have the sort of morbid curiosity about which of your coworkers has tested positive for COVID-19, that would be an excellent lure to get people to click on. Now the third category, around the economic side, has really ramped up over the last week or so, certainly as the stimulus payments have started to hit in the US. It is a really phishable-looking website.
It is freefilefillableforms.com. I am not making up that URL; that is the actual one you get to if you go to the IRS and you are making a change to your direct deposit information. And lures around even private banks doing things for their customers around COVID-19 have been circulating for a while and are clearly pretty effective. The new one of course that we are seeing, given that it's what's on everybody's mind right now, are lures around what the procedures are for when we go back. And all of that really tracks to, of course, the headlines that we see, and threat actors are wonderfully skilled at adapting those things into phishing lures.
[0:15:08.0] BR: Well, so you send me an email that says, because that is the conversation right now, how do we step out of this and what is the new normal, how do we get to the next phase. So obviously there's a lot of interest in that topic, so how do you turn that interest into an attack?
[0:15:25.4] RK: Well, maybe I will put together a Word document that is going to be, "All of our office locations, use the new policies and procedures and the dates, and here is a calendar for when we go back." And I am not going to put anything about that in the message body, because I want you to click on that attachment. You are going to open it and maybe it will ask you to enable content, that little yellow bar at the top of the document. You click that and you've just run my code and I own your box. It is that simple, and that is a simplified example, but there are many, many, many permutations of that in the wild right now.
[0:15:58.0] BR: All right, so I think every time I hear one of these presentations you have appropriately scared the heck out of me. So it becomes a question of what are some of the best practices. I mean, it is people, it is people who are clicking on these things, people are there, but let's talk about it from two aspects. One is, I am IT, I know I need to do training, I know I need to create awareness. I know I need to continue to do that, that whole training aspect.
Talk first about the technology side. What are some things we absolutely need in place? And then obviously you're going to head on to what do we need to make people aware of.
[0:16:38.1] RK: Sure, so there are two really simple things that are very, very effective technical controls. One, as I mentioned, none of this tradecraft is new. So if you have good controls on the email vector, you are safe from a huge percentage of this and you are not putting the burden on stressed-out employees, who of course are working from home and maybe not in the mental state they might normally be in, to try and resist incredibly compelling COVID-19 lures.
The second place you really want to enforce some control, especially if you have started to move things into the cloud, is on what those logins look like. If you can actually do some form of adaptive access control, figure out does this device look healthy enough to connect to my cloud resources, even if it is something as simple as your Office 365 accounts, which a threat actor has a lot of uses for, actually, that is going to be very valuable.
It is simple and fast to configure. You can set it up with conditional access within the Microsoft suite, and there are all kinds of vendors like us that can help actually deliver additional functionality on top of that, and compromised account detection, which is really going to be the new perimeter for a lot of healthcare organizations right now. But this is where the hope comes in, right? The likelihood that the majority of your organization is being targeted by these campaigns is actually quite low.
They are reasonably targeted overall. It is not like we are dealing with tidal wave-like volumes. In fact, the volumes in the overall email threat landscape are down from January to today; that is because a lot of the actors are doing something different. They are off selling access that they got for many, many months prior to that. So with that, you have an opportunity to understand which small subset of your population is at risk. Now the easiest way to start there is to figure out who gets interesting attacks.
And that is not everybody. You know, we have actually started scoring threats differently based on: is the lure really good, is the attack sophisticated, is this targeted, is this targeted solely at healthcare as a vertical. And you can identify the small set of people in your organization; in the typical healthcare organization, even if you have tens of thousands of people, it is usually about 100 that are getting interesting attacks.
You can identify which people you really do need to protect a little bit better. The second side of that is that awareness training is fantastic, you want to get those click rates low, but you also have to do that with the assumption that it is very, very difficult to get somebody in 2020, having been through everything that we've all been through, especially on the healthcare side, to not click on 100% of the things that might reach their inbox.
So there are other technical tools, like browser isolation for those malicious links, which can be really, really effective in making sure that even if you do have a click, you don't have a breach on your hands.
[0:19:19.4] BR: So take me back, you introduced me to a new concept. We talked about the perimeter, and in Office 365 we're essentially going to click a couple of buttons, set up configuration, and it is going to determine if I, as a computer or as a person, am a vulnerable actor of some kind. Give me a little bit more detail on that.
[0:19:44.7] RK: Well, I mean, if you think about it from the perspective of what security companies and of course Microsoft are trying to do, we're trying to figure out when you log in whether you are who you say you are. And there are obviously very simple ways to do that, like just checking your password, and there is some more science that of course you could apply to that. At any given point in time, Microsoft's own stat is that one half of 1% of all Office 365 accounts are compromised in a given month.
That means millions and millions of compromised accounts, and that's mostly because people reuse the same passwords over and over again or they use really common passwords, "spring2020!", that kind of thing, so they are vulnerable to password replay and password spraying attacks. But that said, when I can identify that you're coming from a new computer that you have never used before to access our Office 365 tenant, that is a risk factor.
Maybe in that case I should ask you for multi-factor authentication or some other form of proof that you are who you say you are. There are lots of different ways to do that. It is always something that you ought to do in a way that's culturally appropriate for the organization, but it is a very rapid-to-deploy control. And when you have so many people going direct to cloud from a home office, the old saying in information security is that identity is the new perimeter.
You can also say people are the new perimeter, depending on how you choose to phrase it, but really that is what you are protecting now, and cloud actually gives you some very powerful ways to do that.
[0:21:09.2] BR: So Ryan, give us the National Cyber Security Alliance. What does the National Cyber Security Alliance do?
[0:21:16.0] RK: So it is the longest-tenured and probably best-known organization just trying to raise awareness of cybersecurity and cybersecurity best practices amongst the general public. So you might know October is Cybersecurity Awareness Month; that was sort of the flagship product of the NCSA. And so what we are really trying to do there is get good guidance in the hands of all of the people who need it, to raise the overall resilience of society against cybercrime. And cybercrime is now a top 10 global economy no matter how you measure it, and so certainly that work has never been more important.
[0:21:52.7] BR: That is an amazing statistic. So you're in charge of cybersecurity strategy for Proofpoint. Give us an idea of what you do in that role. I probably should have started with this. I am going to finish with it.
[0:22:05.2] RK: Sure, no problem. So my day is basically about making sure that our set of products, which are people-centric security products, conveniently for this discussion, are doing what they say they're supposed to be doing right now, meaning stopping all of that COVID phishing, hoping people respond to it quickly, and then actually even going beyond that.
Really, we have a three-part product portfolio. One, protect people from the attacks that target them. Two, make people more aware and more resilient, so that they can better protect themselves and their organizations. And then three, protect the data and systems that those people don't have access to. If we are doing that right, that certainly can lower the risk in this particular threat landscape and on into the future, because right now we are living the future when it comes to a whole host of things, one of which is IT infrastructure. There's been more change to how we have deployed services, moved data and moved users in the last three months than probably the previous five years.
And it is extraordinary to see how that is working out on a global scale. The last part of my job is of course to advise CIOs and CISOs in terms of how to manage that change, and like you, I've had lots of conversations recently. Everybody seems to be able to cram in more meetings via Zoom than they ever could in person when we were all traveling. And it is great to see actually more of the world thinking about that human vulnerability, because it really is the defining characteristic of the threat landscape, whether you're talking about COVID-19 phishing or not.
[0:23:34.6] BR: Yeah, and then I will close with this, but we are on a Zoom call and I continue to use Zoom, and the Zoom exploits have been widely touted and talked about, but it is an interesting example, because they have these physics of Zoom usage through COVID-19 and it is through the roof, and I think at some point people just say, ease of use trumps, they read the security and they're like, "Yeah, somebody wants to drop in on this call, so be it." And away we go. And that is generally a, that is sort of a mindset that sort of permeates, isn't it?
[0:24:10.9] RK: I think so, and also Zoom might not be appropriate if you're running a cabinet meeting. If you are running a normal organization's, even telehealth, it might be entirely appropriate to that threat model, and certainly we are avid users of Zoom. We keep a very close eye on the actual exploitability and utility of any of the vulnerabilities that are found, and Zoom actually had a bad one last year, for sure. We patched that quickly and certainly have to get comfortable with the team there.
And their processes, but you know, Zoom is getting free pen tests from some of the best security researchers on planet Earth right now. So it is going to go through some bumpy times, but it will come out at the end of it as probably the world's most secure video conferencing product, because everyone in the world is really taking shots at it right now. So again, as long as we can make it through this era, we will probably come out better.
[0:25:08.7] BR: That is pretty amazing. Ryan, thanks for your time. I really appreciate this great conversation and I am glad to be able to share it with our audience.
[0:25:16.0] RK: Likewise, it was a pleasure, Bill.
[END OF INTERVIEW]
[0:25:18.5] BR: That is all for this show. Special thanks to our sponsors, VMware, StarBridge Advisors, Galen Healthcare, Health Lyrics and Pro Talent Advisors, for choosing to invest in developing the next generation of health leaders. If you want to support the fastest growing podcast in the health IT space, the best way to do that is to share it with a peer. Send an email, DM, whatever you do. You could also follow us on social media and subscribe to our YouTube channel. There are a lot of different ways you can support us, but sharing it with a peer is the best.
Please check back often, as we will be dropping many more shows until we've flattened the curve across the country. Thanks for listening. That is all for now.