Cybersleuths probe online crooks from Burnaby data centre

Corporate systems vulnerable to attacks via at-home workers’ domestic devices


Nestled in a quiet Burnaby industrial area is a global data centre, part of the international fight against cybercrooks.

Those who work there are part of a sleuthing team that extends from Texas to B.C. and spans the globe. Part of what these sleuths do involves focusing their magnifying glasses on cybercrooks’ use of ransomware.

For the uninitiated, ransomware is malicious software that crooks get into computer systems by a variety of means in order to hold the systems or their data hostage. Generally, that is done by encrypting everything. They then hold the data until the victim pays up, usually in cryptocurrency such as Bitcoin.

Staff at cybersecurity companies Fortinet (NASDAQ: FTNT), through its FortiGuard Labs, and Proofpoint Inc. said there has been a significant rise in the number of such attacks since the start of the pandemic.

Chief of security insights and global threat alliances Derek Manky and cybersecurity researcher Aamir Lakhani are in the business of ransomware threat-hunting. They work to discover how attackers have gained entry to systems and what parts of an organization and its data the attack has breached.

“Basically, I’m a good hacker,” Manky said.

Indeed, it’s hacking skills that allow Manky and Lakhani to find out what cybercrooks are up to.

In short, they say, once a crook has gained entry into a system, the crook can leverage the mayhem they have caused to extort payment. If the payment comes, the system and data are supposed to be decrypted again.

It’s what the crooks leave behind that can help companies such as Fortinet move from a defensive to an offensive position.

“You run the malware code in a secure environment,” Manky said. It’s a process that can take minutes, Lakhani added.

What they’re looking for is similarities to past attacks, data on which is shared with the cybersleuth fraternity. 

“Attackers constantly modify their attacks but they can be similar,” Lakhani said.

“It’s like a lead if you’re an investigator for the police,” Manky said.

Such information can let sleuths categorize what family of attacks the ransomware may be from.

Some of the work also involves machine learning and artificial intelligence. “Things that human beings are too slow to do,” Manky said.
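The sandbox triage described above (run the sample in a secure environment, log what it does, look for similarities to past attacks, assign it to a family) can be illustrated with a small behaviour-matching routine. This is an added example, not code from Fortinet, Proofpoint or the Cyber Threat Alliance: the sandbox log lines, the two family profiles, the feature tags and the 0.5 match threshold are all constructed for illustration.

```python
"""Toy sandbox-report triage: normalise a sample's observed behaviour into
coarse tags and score it against known family profiles by Jaccard similarity.

Added example, not vendor code. The log, the family profiles and the
threshold are constructed for illustration."""
import re

# Constructed sandbox log: one "event<TAB>argument" per line.
SANDBOX_LOG = """\
CreateProcess	C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
Connect	203.0.113.5:443
CreateFile	C:\\Users\\alice\\Documents\\report.docx.locked
CreateFile	C:\\Users\\alice\\Documents\\README_FOR_DECRYPT.txt
RegSetValue	HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater
CreateProcess	C:\\Windows\\System32\\bcdedit.exe /set {default} recoveryenabled no
"""

# Constructed behaviour profiles for two made-up families (hypothetical names).
FAMILY_PROFILES = {
    "FamilyA": {"proc:vssadmin.exe", "proc:bcdedit.exe", "ext:.locked",
                "note:README_FOR_DECRYPT.txt", "reg:Run"},
    "FamilyB": {"proc:wmic.exe", "ext:.crypt", "note:HOW_TO_RESTORE.html",
                "net:tor"},
}

NOTE_PATTERN = re.compile(r"(readme|decrypt|restore|recover|how_to)", re.I)


def extract_features(log_text):
    """Turn raw sandbox events into a set of coarse behaviour tags.

    Coarse tags (process name, new file extension, ransom-note filename,
    Run-key persistence, C2 transport) survive the small rewrites
    attackers make between campaigns, which is what makes family
    matching possible at all."""
    feats = set()
    for line in log_text.splitlines():
        if "\t" not in line:
            continue
        event, arg = line.split("\t", 1)
        if event == "CreateProcess":
            exe = arg.split()[0].rsplit("\\", 1)[-1].lower()
            feats.add("proc:" + exe)
        elif event == "CreateFile":
            name = arg.rsplit("\\", 1)[-1]
            if NOTE_PATTERN.search(name):
                feats.add("note:" + name)
            else:
                m = re.search(r"(\.[A-Za-z0-9]+)$", name)
                if m:
                    feats.add("ext:" + m.group(1).lower())
        elif event == "RegSetValue":
            if "\\CurrentVersion\\Run\\" in arg:
                feats.add("reg:Run")
        elif event == "Connect":
            host = arg.rsplit(":", 1)[0]
            feats.add("net:" + ("tor" if host.endswith(".onion") else "ip"))
    return feats


def jaccard(a, b):
    """Set overlap in [0, 1]; 0 for two empty sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def classify(features, profiles, threshold=0.5):
    """Best-matching family and its score, or ("unknown", score) when no
    profile crosses the (hypothetical) threshold."""
    best_family, best_score = "unknown", 0.0
    for family, profile in profiles.items():
        score = jaccard(features, profile)
        if score > best_score:
            best_family, best_score = family, score
    if best_score < threshold:
        return "unknown", best_score
    return best_family, best_score


def triage(log_text=SANDBOX_LOG, profiles=FAMILY_PROFILES):
    """Full pipeline: sandbox log -> feature set -> family verdict."""
    return classify(extract_features(log_text), profiles)


if __name__ == "__main__":
    family, score = triage()
    print(f"{family} ({score:.2f})")
```

Because the match is computed over a set of tags rather than file hashes, a variant that renames its ransom note or changes its C2 address still scores well against the same profile, which is the point Lakhani makes about attacks that are modified yet similar.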

Once they have that information, it will be shared with others, many of them members of the Cyberthreat Alliance, a 28-member organization of cybersecurity companies whose goal is to protect end users, disrupt malicious actors and elevate overall cybersecurity.

Proofpoint (NASDAQ: PFPT) senior director of threat research and detection Sherrod DeGrippo said sleuths log everything the ransomware does as it is run in the secure environment. She said that once on a machine, the malware contacts the attackers’ command-and-control server and then drops the ransom note with details on how to pay.

Sometimes, DeGrippo said, crooks decrypt a small sample of files so the victim can see the data is still recoverable.

DeGrippo said the ransomware scene is more creative than other crypto-crook subcultures. Its crews tend to be more inventive with graphic design and can be quite stylish in their cyberchicanery.

Internet of Things

Manky and Lakhani also caution that so-called internet-of-things (IoT) devices can pose risks to organizations’ systems with so many people working from home.

The IoT is a system of interrelated devices, digital or mechanical machines, each with a unique identifier and the ability to transfer data over a network without human-to-human or human-to-computer interaction.

“Attackers know we have corporate networks at home,” Lakhani said, adding many people aren’t securing IoT devices from which lateral attacks might originate.

DeGrippo suggested people read such devices’ manuals to ensure that they can be segmented, keeping them separate from other systems in the same location. She suggested using reputable brands for IoT devices so that security problems get fixed promptly.

David Masson, director of enterprise security for global artificial intelligence cybersecurity firm Darktrace, said isolated at-home workers are more vulnerable to attacks without the in-house support they generally get from IT teams.

“As our sense of normal became irrelevant when the pandemic overtook our collective attention in March, the move to working remotely was rushed and inconsistent,” Masson said. “Many companies did not have work-from-home policies in place – causing IT and security teams to become overworked and overcome with the responsibility of transitioning employees to remote work overnight.”

Home routers, he said, lack the sophistication of company ones and the connection of personal and work networks means that threats can be imported from home onto the larger corporate network, including threats that use personal IoT devices as a backdoor onto corporate networks. 
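What DeGrippo’s segmentation advice and Masson’s warning about IoT devices as a backdoor amount to in practice can be shown with a small model of a home router’s packet filter. This is an added example, not code from any of the companies quoted: it is a toy first-match, stateful filter in Python, and the two VLAN ranges, the rule sets and the traffic cases are constructed for illustration. A real router would express the same policy as nftables, iptables or vendor firewall rules.

```python
"""Toy stateful first-match filter used to compare a flat home network
(the consumer-router default) with a segmented one.

Added example, not vendor code. Zones, addresses and rules are constructed."""
from ipaddress import ip_address, ip_network

# Hypothetical VLAN ranges; anything outside them is treated as the internet.
ZONES = {
    "work": ip_network("192.168.10.0/24"),   # the employer's laptop lives here
    "iot":  ip_network("192.168.20.0/24"),   # TV, camera, printer, plugs
}

# A rule is (source zone, destination zone, action); first match wins.
FLAT_HOME = [
    ("any", "any", "accept"),   # one flat LAN: every device can reach every other
]

SEGMENTED_HOME = [
    ("work", "iot", "accept"),  # the laptop may initiate to the printer or TV
    ("work", "wan", "accept"),
    ("iot", "wan", "accept"),   # devices may reach their cloud services
    ("iot", "work", "drop"),    # but must never initiate toward work gear
    ("iot", "iot", "drop"),     # nor toward each other
    ("any", "any", "drop"),     # default deny
]


def zone_of(ip):
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


class Firewall:
    """Minimal model: zone rules for new flows, plus a connection table so
    replies to an accepted flow are allowed regardless of zone rules."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # (src, sport, dst, dport) of accepted flows

    def check(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.flows:
            return "accept"  # reply traffic of an established flow
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        for rule_src, rule_dst, action in self.rules:
            if rule_src in (src_zone, "any") and rule_dst in (dst_zone, "any"):
                if action == "accept":
                    self.flows.add((src, sport, dst, dport))
                return action
        return "drop"


def lateral_move_blocked(rules):
    """Can a compromised camera on the IoT VLAN open SMB to the work laptop?"""
    fw = Firewall(rules)
    return fw.check("192.168.20.9", 40000, "192.168.10.5", 445) == "drop"


def compare():
    """Run the same constructed traffic through both rule sets."""
    cases = {
        "laptop->printer:9100": ("192.168.10.5", 51000, "192.168.20.7", 9100),
        "printer reply":        ("192.168.20.7", 9100, "192.168.10.5", 51000),
        "camera->internet:443": ("192.168.20.9", 40001, "198.51.100.1", 443),
        "camera->laptop:445":   ("192.168.20.9", 40002, "192.168.10.5", 445),
    }
    verdicts = {}
    for name, rules in (("flat", FLAT_HOME), ("segmented", SEGMENTED_HOME)):
        fw = Firewall(rules)
        verdicts[name] = {case: fw.check(*pkt) for case, pkt in cases.items()}
    return verdicts


if __name__ == "__main__":
    for name, results in compare().items():
        print(name)
        for case, verdict in results.items():
            print(f"  {case:24s} {verdict}")
```

The segmented rule set keeps the laptop usable (it can still print, and the printer’s reply is accepted because the flow was opened from the work side) while a camera that has been taken over cannot open a connection toward the laptop at all. That directional asymmetry, not merely putting devices on a different SSID, is what closes the backdoor Masson describes.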

“They are a desirable target for attackers and present low hanging fruit,” he said. “Remote work makes things more complicated since it means companies are disjointed, spread out, and working in inconsistent ways that are often different from one another.”

What the pandemic has created, Masson said, is a moment of confusion in which attackers thrive.

“The bottom line is that organizations must have comprehensive visibility of the entire digital infrastructure. To stay ahead of threats, companies must adopt AI technology that is capable of autonomously responding to threats in real time,” Masson said. “Although IoT devices are easy to use and help productivity, they also put companies at risk – it has become painfully apparent how easy it is to hack them. Complete, real-time visibility of these devices is critical to staying ahead of attacks.”