Black Hat: Deepen Desai, Zscaler
Speaker 1: This is Techstrong TV.
Mitch Ashley: Hey, everybody, Mitch Ashley. I am at the Mandelay Bay Suite, the studio host for Techstrong here at Black Hat in 2023 Las Vegas. We’re talking a lot of great folks, and I have a great privilege of being joined by Deepen Desai, who’s with Zscaler. He is the global CISO, head of the security research team. Wow. Fun job. This is the perfect place. This is sort of home country for you.
Deepen Desai: Perfect place, yeah.
Mitch Ashley: Excellent. Well, I’d love to dive in and talk a lot about Zscaler and all the great things you’re doing. You’ve got recognized on the Secure Service Edge recently, which is great for you all. But I know you’re here talking about your threat research report from the threat labs.
Deepen Desai: Right.
Mitch Ashley: So I think you’re talking tomorrow, right?
Deepen Desai: I have a presentation.
Mitch Ashley: You’re welcome to get any scoops in here that you want, but you may give a little preview to folks about what you’re doing.
Deepen Desai: Absolutely. So I can start with the report that we published on, that’s our annual ransomware report. So my team Threat Labs, it basically looks at data from Zscaler’s cloud platform. On any given day we are securing 300 billion transactions. We’re seeing more than half a million new unique payloads at our sandbox. So there’s a lot of unique intelligence that the team leverages to track threat actor activity campaigns, targeted attacks. So signals derived from there, and then the team is also tracking threat landscape where we’re tracking the threat actors, infrastructure, and in this case, the annual ransomware report is focused on what the ransomware gangs are after.
So combining both of these intel, what we do on an annual basis is draw a comparison between what are some of the newer trends that we’re seeing? How are we seeing increase in the attacks? Are they leveraging one tactic over the other? How are they able to evade some of the security controls as well? Are they going after specific industries? So all of those are basically part of the report that got published and we’re happy to share some of those insights.
Mitch Ashley: Excellent, excellent. Well, you’re in a great position with that vast amount of data. Of course, you have to treat it very sensitively and anonymize and do things like that. Of course. I’m curious, have you seen any changes in just the amount of data, the kind of data that you’ve collected, that you’ve done the threat report around ransomware for multiple years?
Deepen Desai: Yeah. Ransomware attacks continue to rise. I know there’s conflicting reports out there like, “Hey, it’s plateauing. It’s going down.” Based on the research data, and we do see some high quality data, 38% increase in successful ransomware attacks year over year. I’m talking about timeframe from August, 2022 to April, 2022 to April, 2023. So it does cover Q1 of this year as well. United States is one of the most targeted country. If I were to look at the overall geo. A lot of organizations in the US were successfully targeted by ransomware attacks.
The other piece we looked at was which industries are they going after, and manufacturing stays at the top year over year. There was no change over there. Then there’s a long tail after that, but manufacturing is the number one industry that was being hit even in the timeframe we looked at.
The other key trends, and these are more along the lines of how they’re evolving, what are we seeing on the horizon as well? So there are three key trends that we highlight, and this is going to be part of my talk track tomorrow as well. Number one is ransom as a service continues to grow in adoption. In fact, 8 out of 11 top ransomware families, and these are prevalent in terms of successful attacks that they’ve launched. They’re all leveraging RAS model. So it’s basically making it very easy for even a average skilled threat actor to pick up the service and launch fairly sophisticated ransomware attacks.
The second piece that we saw was weaponization of vulnerability exploits. This is where vulnerability exploits in combination with supply chain attack vector is being leveraged to go after organizations that are behind on their patching schedule. Or they have overly flat network where once you’re in the network, everything is trusted. That’s what they target, and then they reach the crown jewel and steal data.
Then the last trend, which is one of the most unique one and important one to keep an eye out for is encryption-less attacks. So this is where, if you look at the history it started … I mean ransomware has been around for a while, but 2017 when WannaCry, Bad Rabbit, NotPetya happened, that’s where everyone started paying attention to it. Because now people realize that they can really bring down, cripple your business operation. So all organizations had a program to get to a good state in terms of data backup, backup hygiene, even doing exercises to restore their data if there was a catastrophic event.
A few years later, obviously ransomware gang saw that everyone’s is able to recover from encrypted attacks, so they started stealing data. So now we are in the era of double extortion attack where they are encrypting data and they’re also stealing data. From last 12 months, what we’re noticing is many of these gangs, they’re not encrypting data, they’re just stealing data. I’m talking about large volume, terabytes and terabytes of data being stolen. In one of the cases that we were just investigating, it’s 24 terabytes of data stolen.
So the attack cycle looks identical to when they would encrypt the data except the last stage of the attack where they would push ransomware payload in a coordinated fashion, that will not happen. But they have access to your data. They have access to your environment, which means they know what kind of ransom demands can they make because they know what’s your financial status, what’s your cyber insurance coverage.
Mitch Ashley: Who your customers are.
Deepen Desai: Exactly.
Mitch Ashley: So is the threat then that they would use the data, sell the data? We’ve got it. We don’t need it encrypted to sell it, right?
Deepen Desai: They will threaten you, if you don’t pay ransom, your data will be leaked out and that will attract a lot more threat actors to go after you. That will also cause significant brand reputation harm.
Mitch Ashley: Loss of customers, loss of business.
Deepen Desai: Exactly. So that’s a new trend that we’re starting to see where they’re not encrypting data. It’s still very, very opportunistic. It’s not like, “Hey, I’m going to do this for every target.” They will see, in certain cases, they will still go ahead and encrypt the data if they feel like the organization wouldn’t care if you leak the data.
Mitch Ashley: Go to the traditional, call it that, ransomware. I’m curious, you mentioned manufacturing is still number one. How about healthcare? You see a lot more of that in the news cycle anyway of more and more ransomware there.
Deepen Desai: So year over year it did go down. It didn’t actually go up. So I guess they realized that bringing down a healthcare institution will definitely draw a lot of attention because it does cripple their ability to provide service, which can result into life and death situation.
Mitch Ashley: Oh, hospital systems, and doctors, and things.
Deepen Desai: Exactly. So based on our tracking, we saw that go down. Manufacturing actually went up. A few other industries as well where IT technology services where there is large downstream organizations that could get impacted like think of Kaseya, for example. Targeting a vendor that has thousands of downstream vendors relying on the software that they provide and then going after them, I think that can result in a lot of success for them. So they will continue going after such industries.
Another point I’ll mention about the encryption-less attack is they’re literally trying to stay under the radar. They’re doing this not just for themselves, but also for the victim. So they’re not causing business disruption because your data is not encrypted, so its business as usual for the victim. Victim will get a notification that you were hit, we have your data, here is the proof, you can log in and check. But the victim doesn’t get into media or unwanted attention. They’re not getting any kind of unwanted attention from law enforcement agencies, and in some of the cases we’re observing, ransom being paid out, and it’s all hush hush. Nobody knows.
Mitch Ashley: They’re staying under the radar for everybody. Interesting. What are your thoughts about the SEC pending rule of four day disclosure? That kind of puts a kibosh on that if that ends up happening.
Deepen Desai: For all public companies, absolutely, yes, it is. But private companies is still up there. So I think it’s a good move. It will definitely prevent what we’re seeing right now. I mean, there are still, as a public company, you are obligated to report these type of incidents even without that ruling in place. But it will definitely mandate that.
Mitch Ashley: It puts a timeframe on it.
Deepen Desai: And a timeframe on it.
Mitch Ashley: Maybe some accountability of what’s … I forget the term that they use. It’s not valuable kind of attack or of substance versus like, yeah, it happened, but not much came of it.
Deepen Desai: Correct, correct. Exactly. So ransomware does fall into that category for sure, because you’re losing your data.
Mitch Ashley: Interesting. So I mean, there’s a black market for this data, just like there’s a productized black market for ransomware toolkits and things like that. Are there easier paths to selling data?
Deepen Desai: So in many of the cases, they’re just outright leaking the data. So data is available to everyone.
Mitch Ashley: So just use it as a threat still?
Deepen Desai: Selling data is not a way for monetizing for these ransomware. They’re after very specific amount of ransom. We monitor a lot of these ransom negotiation as well between victim companies and the operators. They got stuck at say, I’ll bring a number, four million. That’s the lowest I’ll go. They start at seven. Victim organization is ready to pay two million and they will turn it down and leak the data. So they’re after a very specific amount of money.
Mitch Ashley: Treating it like a business. We do deals of this size and up, don’t bring smaller deals because they’ll get turned down. It’s kind of the same idea.
Deepen Desai: Exactly.
Mitch Ashley: It is a business. I mean, people outside the security industry don’t realize how much of a business, how much of an industry in and of itself that it is.
Deepen Desai: It’s funny you make that point because what I was talking earlier today with a colleague was I’m seeing more and more of a customer service angle in these attacks that are happening. Because they’re literally trying to cater to the victim. Obviously, they’ve breach their environment, which is not a good thing, but after that they are trying to assist the victim. If the victim pays ransom, they will also generate a report, which we call pen test report. They’ll literally call out how they got in, how they moved around, how they stole data, and provide detailed recommendations on what the victims should be doing in order to prevent these type of attacks from happening.
Mitch Ashley: So you not only get your data back, but we did a pen test, so here you go.
Deepen Desai: Exactly.
Mitch Ashley: Here’s what you do to prevent it. Wow, okay. Is that commonplace?
Deepen Desai: So some gangs are doing it more comprehensive than the others. There are a few of them that will just give you a five bullet point, “Hey, do this, this, this,” which is pretty generic. But there are certain gangs which are actually calling out, “Here is what we did. Here is how we got in.” That’s actually very fascinating.
Mitch Ashley: That is interesting. I’m not quite sure the motivation for that.
Deepen Desai: Like I said, customer service.
Mitch Ashley: Well, and there is customer services for all these productized security. So I have to bring up AI. Are you seeing anything in terms of AI being injected into the way people are doing ransomware attacks?
Deepen Desai: So if you think of a ransomware attack, these are multi-stage attacks. It’s not like you will receive an email with a ransomware payload and you get hit. It’s starts with phishing. There are multiple stages involved. They may even go after the vulnerability, like the MOVEit vulnerability, which was recently in the news where a clap ransomware gang was quick to capitalize. So when it comes to generative AI or AI in general, I would say phishing is where we have started seeing some evidence. Malware, there are a few cases, but it’s not like we’re seeing large volumes of attacks starting to leverage it. But it’s a direction we are heading in. I mean, there are malicious versions of chatGPT for instance, out there.
Mitch Ashley: DarkGPT.
Deepen Desai: FaudGPT, wormGPT. And good guys are also leveraging it to train their models and make sure they’re ahead of it.
Mitch Ashley: It may be already happening, but it seemed to me one of the low hanging fruit might be using agenda of AI to, if I’ve got access to your email, I would import a bunch of it. Now I ask GPT or whatever LLM you’re using to write a phishing email in the voice of someone who works at the company or the CEO if you have their account or whoever’s it is. Makes it even harder to see, now you get a text to say, “Go to a Best Buy and buy these cards for me,” which bosses don’t generally do.
Deepen Desai: We actually observed an attack and we call this business email a compromise where our CEO’s voice was actually used to generate a quick voice snippet and using AI or ML. the attack starts with an employee receiving a call, which just plays out this audio that say, “Hey, this is Jay. I’m in a location where the coverage is really bad, but I need you to …” and then it cuts off. Then it follows up with the same number with Jay’s picture and everything, the WhatsApp message that is like, “Hey, call dropped off. Can you take care of this, wire this much amount to this bank account?” So that’s already happening. We’re seeing that.
Mitch Ashley: I’m not surprised at all. And a video to follow, right?
Deepen Desai: A video to follow, yes.
Mitch Ashley: Something. Avatars that look like us. Maybe we already do and don’t know it. I’m curious, as a presenter at Black Hat, I haven’t done presentations myself to an RSA and other things. You’re always thinking about your audience and the kind of people that are going to be coming to your talk. Obviously researchers, people that are doing pen testing, people that are securing their own networks. What are the things are really important to you about how you deliver your talk tomorrow?
Deepen Desai: So I definitely feel at home. My career started as a researcher and I grew into the current role as well. The audience is pretty mixed, but definitely a lot of practitioners over here. There are CISOs, there are senior directors and directors as well, attending a lot of these talks. So my goal, when I’m presenting any of these topics, is always to make sure they get some key takeaways. So in ransomware case, and we can walk through them right now as well, but in this talk, the number one thing that we want to make sure everyone gets is, what are some of the new things we are observing? There are a few more that we’ll go through tomorrow, down until the programming languages that these guys are using, like Rust, Golang. Why are they doing that? How are they evolving the data ex-filtration aspect of it as well?
So one is educating everyone on the evolving ransomware threat landscape. The second biggest aspect is what do you do about it? We all know the problem. How do we defend against it? What can I do in near term, long term to get to a place where we’re in a better shape in terms of network defense?
Mitch Ashley: I’m curious, your thoughts on supply chain. We’ve been talking about that a lot for the last couple of years. But that’s such a wide and deep topic because you’d be talking about the approach of my tool chain and my development environment, talking about the people that I’m using, my SaaS or my cloud service providers, or just suppliers to my applications that are part of operating my business. You mentioned earlier about suppliers to your business. Is that a fast growing or one of the fastest growing areas of supply chain?
Deepen Desai: So, that’s a good point. Supply chain attacks can happen in both direction. I like to call it downstream as well as upstream. So downstream is where you’re leveraging a software that is very popular leveraged by thousands of organization, and they target the vendor who’s the owner of the software, SolarWinds, Kaseya, and then they’re able to do downstream attacks on all the organization that have that software running. The other, the vector is, say you are a large company of very strong security defenses. They’re not able to get to you. But you rely on a third party vendor that has really sensitive data that you do care about. Their security defenses are not as strong as yours. They will go after that. Then that’s an upstream attack because they’re stealing all your data that’s available to that supplier or that third party vendor that’s providing you a service. Then they come and demand ransom from you. So we’ve seen instances of that happen over the last two to three years as well.
Mitch Ashley: So you might use an analytics tool, service, SaaS kind of application or maybe an AI or something like that where you need that data there for them to do whatever they do with the data.
Deepen Desai: Exactly.
Mitch Ashley: And so, why not get it? That’s the easier path to your getting it. But it’s still your data, so we’d like some money to give it back to you.
Deepen Desai: Exactly.
Mitch Ashley: Good. Well, I wish you the best of luck. Anything new happening at Zscaler that you want to mention? You all have a lot of great products. CASB, we talked about Secure Service Edge.
Deepen Desai: I’ll mention a couple things. So number one is, when you’re planning your defense against ransomware, think about having a platform approach. You need to have a platform that’s able to send signals within the module that are part of the platform. The four stages that I mentioned: they find you, they compromise you, they move laterally, and then they steal data. How can you have a platform that will allow you to basically reduce your external attack surface, enforce consistent security policy to all your users and devices no matter whether they are, whether they’re at blackhead, whether they’re traveling, whether they’re home. Prevent that lateral propagation phase, which is reducing that blast radius from a user that makes a mistake, or a machine that gets hit by the bad guys. Then finally inline inspection of all data that’s egressing your devices. So that’s how I would look at and that’s what Zscaler helps thousands of organizations with in order to safeguard against these type of attacks.
A new thing that we actually announced a couple of months back at our user conferences, cyber risk quantification tool. It’s called Risk 360. That actually came from my group where we go through the pain of quantifying risk. What is real risk to the organization? How do I communicate that even to my board? And so, that’s where we saw what was being done outside in the industry, how cyber insurance folks who are also using these 800 questions that needs to be answered. There was a lot of subjectivity complexity in that. With those problem statements in mind, we went towards creating a tool that’s able to use data. That’s completely data-driven, no subjectivity. It looks at how you’re configured, what are some of the behavior we’re seeing in your environment, maturity of your controls. It’s not a binary response. You will say, “Yes, I’m doing MFA.” Or you may be doing MFA for one application, but you may have thousand applications in your environment. In everything else, you’re not doing MFA.
Mitch Ashley: Not at your SaaS vendor, but your apps or whatever.
Deepen Desai: Exactly. So observing the data and configuration and combination coming up with, yes, you’re doing MFA, but your maturity level on that control is 40% because you’re only doing it for certain apps, and here are all the apps where you’re not doing it. Same thing with TLS inspection, same thing with sandboxing. So all the controls that we provide. And there’s a lot of third party integrations as well where we’ll basically derive insights from wall management tools and other tooling that most organizations will have.
Mitch Ashley: We all know security researchers and practitioners love to fill those reports out, so we think it makes it easier, right?
Deepen Desai: Yes.
Mitch Ashley: No, we don’t like to do that, but we know we have to. Well, Deepen, it’s been fascinating to talk to you. I wish you the best. Break a leg tomorrow and have a fantastic talk. Looking forward to that. I hope you’ll come back again.
Deepen Desai: Thank you. Thank you for having me.
Mitch Ashley: You bet. Deepen Desai, who is a global CISO and Head of Security Research at Zscaler, so talking here at Black Hat.