Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content.
On January 12, we launched Into the Breach — our new podcast series that showcases cyber stories told by the people who’ve lived them. In episode one, Lured to the Dark Side, I talk with a former BBC journalist who shared his experience profiling two criminal teen hackers who’d been arrested and then given a second shot at life. Each of them had a significant brush with the law, and today they’re using their superpowers for good, and both working for legit organizations as security pros whose aim is to keep the bad guys (and gals) out of networks.
Part two of Lured to the Dark Side features Nick Rossmann, threat intelligence brain trust whose dossier includes leading a world-class team of threat intelligence professionals, a stint at the C.I.A. and a position at the F.B.I. Nick gives us a behind-the-scenes look at what we know about threat actors: how they develop talent, where they operate, and how they’re evolving to put the “organized” in “organized crime.” He also shares the story of how his team uncovered training videos from an Iranian threat group and helped law enforcement take the group down, and gives us his prediction of what we might see next from the world of cybercrime.
Join me, and together we’ll venture Into the Breach.
Listen to the episode: Lured To The Dark Side: The Criminal Hacker Journey, Pt. 2
Mitch: How do the FBI, CIA and private sector combine forces to stop relentless cybercriminals? Well, today we talked to Nick Rossman. Nick is the former leader of IBM Security X Force Threat Intelligence and has a background working with both agencies. He helps us understand how threat intelligence is evolving to outmaneuver the booming cybercrime industry and how cyber criminals are actually taking pages from the playbooks of legitimate business and creating their own service economies and service providers. I am Mitch Mayne, and you’re listening to Into the Breach.
We want to take a look at the Cybercrime industry, specifically from the lens of threat intelligence, how the landscape is evolving and what threat actors are doing out there. I will give you a little spoiler alert working in cybersecurity threat intelligence has become one of my favorite areas to focus on. Just because it’s so interesting, it gives you so much, well, intelligence to use a word to describe a word, just give me a brief overview of what threat intelligence is, how it’s gathered, and what it can be used for.
Nick: So threat intelligence really starts at the indicator level. And for us, it’s gathering indicators of compromise to be able to better understand the threat actor and that means modeling how they conduct their attacks against our clients, against other partners against the rest of the cybersecurity community so that we can better understand how they work, how to stop them, and ways to detect and prevent them from responding. But at its highest level, it’s understanding their motivations as well. And when it comes to cyber criminals, you know, the motivations are pretty simple, right? They want to find a way to monetize their access to your enterprise systems to be able to make money and that could be stealing from you and your accounts directly. It could be using compromised credentials on your cloud platforms to be able to run crypto miners. And it’s essentially taking computing power that you’ve paid for from your cloud providers or could be extortion, like a ransomware attack. So it starts at that level, the micro level of indicators of compromised to understand either TTP is but ultimately, how do we prevent them and then better understand their motivations?
Mitch: So is it fair to say this is a little bit like spying on the spies?
Nick: It’s a little bit like spying on the spies, I think, what makes a threat intelligence or Cyber Threat Intelligence different from conventional espionage is that we’re not stealing information, per se, there’s no private companies in the United States where we’re not allowed to conduct operations, like the CIA is or the FBI. So we’re trying to pull together what’s essentially publicly available information, all the signals that are out there, a compromised server, what has happened on another enterprise network, to be able to figure the bad guys out. So it’s a little bit like more detective work, right, you’re going in afterwards into the crime to figure out how you can then prevent it the next time around.
Mitch: So it’s centered around digital fingerprints and digital footprints then.
Nick: Yeah, that’s probably a better analogy for it.
Mitch: Tell me a little bit about what the industry is like. Now the cybercrime industry as a whole and what the ROI is there.
Nick: I think over the past several years we’ve seen the industry evolve from really trying to work on credit cards. And when I say work on credit cards I use that in the most malicious terms. They were trying to steal credit card information, whether that was from a company that had it like a retailer or from an individual to be able to sell those credit card numbers online and be able to conduct some lower scale money laundering, essentially, right? Use your credit card to buy some stuff that they could have access to, or auction that credit card off for a fast buck so that someone else could do that same thing.
Mitch: This is like just basically getting your pocket picked only having it done virtually.
Nick: Yeah, exactly. And that’s what cybercrime was. And there were other forms of that. So there could have been unique ways to get credit cards, whether that was all in fact, a chat bot that’s widely used by a whole slew of companies. Or I will try to attack a particular type of software that’s used by a slew of companies who process credit card information before it enters the big credit card networks to be able to be used. That game wasn’t scalable, like those kinds of business operations, because you’ve got to be constantly going after credit cards. So what we’ve seen the cybercriminal switch to or in the last several years, is that a lot of these credit card incidents would start with something like a botnet, where they’re trying to steal as much account credential information from you from corporate users all over the world. And these botnets are running constantly on different command and control systems, basically other people’s computers that they’ve stolen resources from, to be able to go and get more credentials, right. So essentially, those credentials could get the bad guys access to your bank account, or they could conduct some kind of fraud, or it could give them access to a corporate network, or they could potentially rummage around in it and then look for credit cards. But where we’ve seen this shift in the past several years is to ransomware. It’s much more scalable if you combine a botnet conventional backdoor like that alongside ransomware, because now you’re not just looking for a credit card that you might sell for $1.
On the dark, when you’re going into a company getting compromised credentials, perhaps if I’m trying to attack Mitch co, I might get Mitch one of your employees credentials, I go and log on, like I’m that employee. And then I’m going to start rummaging around the network, trying to figure out how I can move laterally within the network using tools like PowerShell move in the networks to say, hey, where can I deploy this ransomware to maximum effect. And then bam, I start deploying the ransomware. But just before that, I’ve stolen a whole slew of data from your environment. And that data isn’t just credit card information, it might be could be personal health records, could be schematics, could be information about your employees. But all of this is to get ransomware into your environment, put as much leverage on you to pay the ransom, right, so that there’s a high cost to get your data backup and recover. So that you say, I give up, I just want to pay the bad guy for the key to get my data back and get back to work.
Mitch: Not only are the threat actors going into drop ransomware, but they’re also taking data in the process. I also wanted to talk a little bit about something that I’ve heard you speak extensively about and that’s this model of ransomware as a service, and that’s like its own little business model, right? It’s like this isn’t just picking pockets any longer. This is actually taking pages out of legitimate business models and applying them to cybercrime. Is that correct?
Nick: Yeah, that’s right. So you think of it as ransomware as a service, where I’m a ransomware operator. And now I want to scale the delivery of my ransomware in particular, so I can only conduct so many different operations that day with my own business, right? My own operators, they call themselves penetration testers, right? But they’re essentially penetrating the companies that are the victims of the potential attack. So what I do, then I say, I’m going to rent out some computing space in my ransomware. And another affiliate group, someone comes to me and say, ‘Hey, I’ve got a way to deliver the ransomware,’ myself, could be email hijacking, could be a social engineering ploy. And I’ll give you a cut of the ransom that I get back my play and an upfront fee on top of that for every time I get the ransom deployed. But now I’m really scaling my operations, because I’m renting the computing power of my ransomware. And just like a cloud company would be renting their computing power to be able to provide that resource to other companies to be able to run their operations.
So now if you’re a ransomware operator, you’ve got all of these different techniques that you’re able to use, you’ve offloaded some of the responsibility for getting into the victim networks to these affiliates, you’re running into ransomware as a service operation, making some money there, you might be conducting your own attacks. And on top of that, we also see these bad guys, they’re not just sticking to one business, they might be using those botnets in particular to steal credentials and conduct money laundering. So it all adds up into the various ways that they’re able to scale their operations.
Mitch: So this is an entire economy. This isn’t just an independent actor. Back a few years ago, we were still using images for advertising that had like, you know, the lone guy in the hoodies working from a coffee shop. This sounds like a brick and mortar business where folks get recruited from LinkedIn and then go sign up and orientation day and get dental benefits. Is that a little closer to what the reality is?
Nick: Now it is a little closer to it. And you might not show up for work at a beautiful office that looks like a We Work, but you might show up to someone else’s house or apartment where the servers are kept to be able to do this work or log in remotely during the pandemic to do your work as one of these operators as well. And they’re advertising so now they don’t go on LinkedIn to say, ‘Hey, we’re looking for customer service reps.’ They go on to the dark web and put posts out there asking for folks who have a record of developing malware or breaking into companies. So they’re using a lot of those same recruitment techniques.
Mitch: I’m glad you brought that up. In the previous episode, we talked to a journalist who had done a deep dive profile on youth, they were very young, I think 12 and 16 years old or something in that range. They had been involved in a sort of accidental cybercrime just sort of seeing what they could actually accomplish on the web and they ended up in the hands of law enforcement. But part of the background in that story was talking about how these kids at 12 and 16 years old, were actually making connections through the dark web into cyber, the cyber crime industry. Do you know how these folks are cultivated into this?
Nick: We don’t have any insights into what that cultivation process looks like. I think a lot of times what we assume is happening, and based on some of the indictments that we’ve seen from the US government, occasionally for people that they’ve been able to arrest or indict from the US is that they’re trained in computer science or engineering somewhere in their home country. And then they eventually go down a road that leads to this and they might have been in the military, they might have been a white hat hacker, working for a private company, and then shifted to that overall. But whatever the way that they get there, they’re ending up on the dark side, going after accounts going after the good guys and their data.
Mitch: Well, it did seem like from my previous interview with Chris Quevatre, that’s sort of what happened here with these two youths. He said that was something like the kids were actually on the dark web. And it was a little bit like a gang initiation, that in order for you to be friends with the folks on the dark web, you had to prove your worth, and by hacking into some large bank, so it does sound like there’s definitely a community, there’s definitely connections, and there’s definitely a cultivation path, whether it’s formal or informal.
Nick: I think that’s right, it certainly we see that with the affiliate groups, you know, oftentimes, they’re not just going up and knocking on the door with a resume and saying, This is what we’ve done, they’ve had a relationship going back some point of time between some of the key operators in the ransomware as a service team, or they’re known within the community in some way, whether it’s that recruitment like that you’re talking about or they built a reputation, they’re connecting with each other to be able to further cybercrime.
Mitch: You have a background with both the CIA and the FBI prior to joining private industry? Tell me a little bit about your career in those agencies, and how that has shaped what you do today.
Nick: Yeah, Mitch. So I started out as really a classical threat intelligence analyst broadly. So looking at geopolitical issues, social, economic, political problems out there in counterterrorism when I was in the FBI, and then in the Middle East, in particular, when I was at the agency. So the things I got from those programs are really to understand that we got to be able to convey complex information to a variety of audiences at the executive level for them to make decisions. And that means we’re not gonna be able to present them all the information that we have about a piece of malware that we’ve ripped apart and read, it’s really conveying, hey, why is this encryption unique and different? And what does it say about the bad guys that we know and understand this.
Mitch: Your team has also been involved in uncovering some pretty high profile crime groups and thinking specifically of something that we call ITG 18. And some information on Trick Bot? Tell me a little bit about both of those and how it was uncovered and how we partnered with law enforcement to actually help close it down?
Nick: Yeah, anytime that we’re seeing something major or new technique within the community, we’re working with law enforcement directly. And that could be the Department of Homeland Security, the FBI, depending on the type of incident that we see, always aware, though, that there are equities with our clients as well. And we’re providing that to law enforcement so that they’re able to better understand, hey, what’s net new here? What are the insights that we’re seeing off of this? And does law enforcement have a plan to potentially disrupt them, we don’t want any information that we release to potentially get out there and prevent law enforcement from bringing in indictment or trying to arrest someone the case of ITG a teen, we were able to work with law enforcement to show them this is the type of activity that we saw from this particular Iranian group that was trying to steal credentials to be able to conduct phishing campaigns against individuals of interest within Europe, in the Middle East, particularly from Western militaries. So they would go on and try to figure out, hey, how do I get access to your personal emails, try to gather as much data about you send emails out to your friends, to then get access to their emails, and then hopefully work their way up the chain to more senior individuals within the militaries in the region to be able to gather insights for basic espionage. Now, in the case of the trick bot gang, we’ve been lucky to work with a partner site Lera. And we have worked together to kind of better understand what that group is doing. And we’re constantly working with law enforcement to say, hey, what are these new techniques that we’re seeing these new affiliate campaigns that are out there, you know, potentially related to what trick bots are doing?
Mitch: So ITG 18. And by the way, that stands for IBM Threat Group. That’s correct. Right? All right. So with ITG 18 I understand that we actually were able to find training videos that they were using to train the gang right to go after these folks.
Nick: That’s exactly right. So we were able to go back and see a particular server and they essentially left the door open with the doors open, you’re essentially saying, ‘hey, you know, just come and take a look at our data.’ So we’re in that door, when we went through, we saw that they had videos, you know, hours long of how they conduct their spearfishing operation. So they use a commercial tool to be able to track all of the various personas or individuals that they’ve already hacked, to be able to go through their emails and send emails, you don’t want to have to go through, you know, 30 different tabs from Gmail to be able to access, you know, other email addresses that you’re trying to manage or have stolen from. So they’ve used commercial pieces of software to be able to do that. And in these videos, we saw them going through to get as much data about these individuals as they possibly could.
So in one case, the victim used Google. So Google has a service called Google Takeout, which says, ‘hey, let me just extract all of the information about myself from Google.’ This could be logging information, photos, everything down the line, great service to help preserve your privacy and understand what Google has about you. But also really helpful for attackers if they are able to get into your email so they can understand, hey, what are the credentials that I’m potentially using? Or where am I shopping? Where am I getting my DoorDash from? How often does that get delivered? What phone numbers do I use? Who are my friends? How do I potentially set up a persona about an individual that looks like them on a social media site to be able to attract other attention from friends that might be beneficial for them down the line. So all of this just takes a long time for the attackers we think to understand and be able to set up. So they created these training videos, basically just those screenshots running time for them. Again and again, you’re setting all this up and, and it’s not just Gmail, they were using Yahoo, and hotmail as well, for these various services they were running.
Mitch: So well, that’s sort of like darkly impressive that it’s that organized and that smartly put together all for, you know, malicious purposes. Kind of spooky stuff. I wanted to talk a little bit you know, since we have obviously active recruitment going on in you know, the cybercrime industry, and we also at the same time have a legitimate cybersecurity industry that is just clamoring for talent. I mean, there’s tons of stats out there on how short we are of talent, and all of them are, you know, some form of dismal. Is there something that you think business can do differently to help make the legitimate cyber career more interesting than a darker website?
Nick: Yeah, Mitch, I think there are a couple of things. One of those, is that recognizing just in your HR organization, that your security talent is likely to be poached quickly? And how do you adopt new performance measures create unique ways to incentivize those team members to stay with you once you have them? The other thing I think, if you’re a smaller company is to try to figure out, hey, we may not be able to incentivize someone to stay with us for a long time in our security operations team or our security group, generally, they may be able to get compensated much faster at a larger technology company at one of the big cybersecurity vendors.
So as a part of your cybersecurity strategy, recognizing the human capital side of that and saying, hey, that’s got a factor in how we’re going to obtain services from other third parties. And that’s where it can be beneficial to say, what’s the calculus of going to a managed security services provider to be able to get some of your security services, whether it’s incident response or running your sock operations, because that MSSP, that incident response company, that threat intelligence firm is going to be better able to scale to attract talent over the long term, then you as a small business or medium sized organization are going to be able to keep that talent and also as a matter of entertainment to and understanding what keeps a lot of folks excited in the cybersecurity industry. If you’re hitting the same problems again and again and solving them, you’re going to likely see those people go and that’s great for a company that has a really strong maturity level, but attackers are going to continue to evolve, just like your own people are going to want to evolve their career and work on more high profile problems. But all of that adds up into saying, hey, how does human capital and that strategy relate to my cybersecurity strategy? Do I have the ability to attract and retain that talent? Or is it more valuable for us to shift that to a managed security provider or another operations group to be able to keep that talent long term?
Mitch: Well, speaking of keeping talent or actually even getting talent, one of the things that we were able to talk about in the prior episode was this notion that these kids had the sense of, you know, quote, unquote, I don’t fit in and that was true in an academic setting. And they couldn’t envision themselves sitting in an office nine to five, Monday through Friday, there was a level of creativity and individuality. I think that’s kind of missing in today’s corporate world. Tell me a little bit about your thoughts on that, is there a way for the business world to adopt a more creative approach of how you work where you work, what you do when you’re there, that might help cultivate and keep talent.
Nick: I think when it comes down to cybersecurity talent, you’ve got to be willing to let them work where they want to work. And it’s a whole change even for a company like IBM running a security operation center to say, ‘hey, we’re gonna let some of this talent work remotely all of the time,’ because we’re not going to be able to attract and retain them. If you’re in a smaller city, it might be incredibly hard for you to find cybersecurity talent who’s willing to work there and come to the office. So you’ve got to have that flexibility of having remote work for those particular individuals, those particular teams, because it’s going to undermine your recruitment. So that’s one side of it. I think two is just recognizing as a part of it, what is going to make the cybersecurity career exciting, those folks that are in it, are going to want to try to tackle new problems all the time. So it’s okay to expect that churn. But if you can bring them those new problems as quickly as possible to keep them involved in what the security process looks like.
Mitch: So now that we’re on that point, if one of our listeners were interested in becoming some sort of the superhero, cyber sleuth like you have on your team, what advice would you give them?
Nick: Well, Mitch, that’s a great question. You know, when I get asked this by different folks who are going to college right now, I always say there’s a lot of paths to get to the major leagues, it’s kind of unlike the NFL. And in the NFL, you’ve basically got one path into become a top tier talent, you know, you’ve got to go to a big college and then get drafted. Cybersecurity is almost like the NBA and so much that there’s a lot of pathways to get to the NBA, it could be a US college could be major European basketball, or the NBA developmental league. So there’s a lot of ways to come up, I think it depends on really what you’re interested, it’s not a monolithic field. So starting to understand, hey, how do I research that particular area that I want to be in or the type of people or person that I want to be, if you want to be on the defensive side, oftentimes those certs can be of most value to us. So starting with security plus, and trying to work your way up to a CISSP. With more companies working on hybrid cloud, or cloud based platforms, having an understanding and some of the certifications from companies like IBM, AWS, Google Cloud and Azure from Microsoft can really be helpful. Understanding how the network architectures done on the cloud side, how security protocols are written. And also, if your mid career, taking a look at those same security certification programs that are out there, from Google or Microsoft, to be able to switch careers midway. And having an understanding of cloud deployed applications is key to be able to do that shift, I think, to some of the cybersecurity degrees that are out there at the graduate level programs can be great for people who’ve got degrees in other fields that are looking to shift over after a couple of years in the workforce, you just have to be careful to make sure that you’re getting enough technical analysis out of that. Are you learning Python? Are you learning how you know some of the basics on malware analysis? And how that’s done. Some basics around incident response? Or are you really just talking about security policy and some of the legal frameworks that are out there? So that’s a matter of how you judge those degrees. I think, again, there’s multiple pathways to it.
It also can be we’ve seen other folks within our X-Force, Red Team, certainly, that just got started hacking in the best way, Mitch, I say, but some of the basics of the different virtual environments that are out there that you’re able to work on and contests as well. So there’s a lot of pathways to get into security. When we talk about Iran in the ITG group, how I’ve learned to communicate about that at the executive level, I think I got honed and worked in some of those other public sector agencies that you talked about, and some of the training there. And it’s not just about briefing and bringing it up to an executive with a slide deck. It’s also how you write about it, everything from how you write an email to writing a 15 page report on the content that you’re trying to get out there and people to understand are all some of the unique things I learned on that side of the government sector. And I think that’s also where there can be a lot of incredible value if you are interested in going into cybersecurity but want to go on the government side as well, those programs at the Bureau and the CIA and NSA as well. They can help teach a lot of the core things you need to know about cybersecurity about security issues writ large, but a lot of what they’re going to do is also teach you how to communicate to senior leaders about what you’re seeing in the field so that you’re able to better communicate about what the bad guys are doing and why the hell it’s important. To the executive or the CISO that you’re talking to at that moment.
Mitch: I hear a subtle cry for communication expertise, woven throughout there, which the technology industry probably could use as a whole. But this one in particular, given both the complexity and the importance.
Nick: Yeah, absolutely. And we’re trying to communicate these complex findings all the time, whether it’s in text in an email, or in a report to someone, or a pretty looking PDF or a slide deck, you got to be able to boil it down simply so that in my case, a security seller is able to understand and apply it. Or in the other case, you know, what someone needs to do and tell their board on one investment that they need to make. So understanding how to communicate, it’s as important as you know, the analysis itself, but a pretty bias in that regard. Because I’ve got a background in liberal arts and public administration international relations, so I wasn’t steeped in the ones and zeros in the bits and bytes. But ultimately, you know, the flowery language that we use to convey what the security problems are out there.
Mitch: Tell me what keeps you awake at night? What’s the monster under Nick’s bed?
Nick: When it comes to the current threat landscape? You know, there’s two big things for me, you know, what is the evolving ransomware landscape gonna look like? I think we’re going to continue to see an evolution towards triple extortion. So you know, earlier you briefly mentioned things like double extortion. So I take data from you and then I conduct a ransomware attack in a triple extortion. What I might do is, if say, Mitch Co. is a primary supplier of the Nick Rossmann Organisation, I will steal data from Mitch Co. to conduct a ransomware attack to demand money from Mitch Co. But also go to the Nick Rosman Corporation and say, ‘hey, you want Mitch co back online you to owe me $35 million in Bitcoin,’ to be able to get them operational, I think we’re going to start to see that expansion of the ransomware market writ large trying to hit key suppliers. Now that could be on the physical side where you say, hey, you’re not going to get this shipment of a key chemical, unless you pay us and allow us to be able to get your supplier back online, to be able to get access to this particular additive you might need if you’re a biopharmaceutical company, for instance, or a big manufacturer, or, you know, a core technology that you’ve got implemented within your tech stack that you’re using to instrument how your network works. So that’s one thing that really keeps me up.
The other is just the persistent information that we have out there about espionage attacks against critical infrastructure, you know, everything ranging from, you know, power to dams, things like that, that keeps me up at night, and how an adversary might be able to potentially use those insecure networks to be able to conduct a cyber operation against the United States or against western governments, in an attempt to add leverage or in combination, potentially, with some kind of kinetic operation that they’re conducting around the world. And the difficulty there, Mitch, is that a lot of the ways that we know make our dams run, they are old software, and they are not going to be retrofitted for the future for cybersecurity proofing. So it’s going to be very hard to detect attacks against them to understand what the adversary is doing. And also, particularly in the US, we’ve got lots and lots of different companies of various sizes that are involved in protecting and running that infrastructure as well. So it’s just an incredibly difficult attack surface from the political side, as you think about well, how do we understand what the hell’s going on when we’ve got so many operators out there at various sizes? So those are the two things that keep me up the evolving ransomware landscape, and potential disruptive or destructive attacks against critical infrastructure.
Mitch: I can see why they would keep you awake, and now they will be keeping me awake.
Nick: I mean, just think about some of the other things with you know how converge with things like climate change, you know, imagine if you’re in New York City in the middle of the summer, and the power goes out, or there’s not enough power to be able to run air conditioners, it’s going to get pretty unbearable there pretty fast. So you’re going to be clearing out all kinds of operations, whether you’re a bank or a small business, you know, potentially just grinding life to a halt in a particular city, let alone all the terrible things that could be happening if you’re in a hospital and you can’t run a ventilator.
Mitch: Well, Nick, thank you. That’s great food for thought. Like I said, a little preview to upcoming episodes. So stay tuned. Any final words that we should know about?
Nick: This field is so big and enjoyable. Look for the mentors out there, the types of people that you want to be or work for and take a look at how they got there. There’s a lot of paths to get into cybersecurity. I also found in this field that people are willing to talk if you reach out to them.
Mitch: Thank you very much, Nick.
Nick: Thanks, Mitch. Thanks for having me.
Mitch: The special thanks to our guests, Nick Rossmann, for his time and insight for today’s episode. If you want to hear more stories like this, make sure to subscribe Into the Breach on Apple podcasts, Google podcasts and Spotify. You’ve been listening to Into the Breach, an IBM production. This episode was produced by Zach Ortega and Clara Shannon. Our music was composed by Jordan Wallace with audio production by Kieran Banerji. Thanks for venturing Into the Breach.