September 7, 2023
EP 35 – Threat Innovations: Exploring Cascading Supply Chain Attacks
In this episode, we welcome back Shay Nahari, VP of CyberArk Red Team Services. His discussion with host David Puner revolves around attacker innovation, focusing on key areas like cascading supply chain attacks and session cookie hijacking. Lean in as Nahari explains how the Red Team simulates real-world attacks to help organizations identify vulnerabilities and improve their security posture.
You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in Identity Security.
[00:00:23.200] – David Puner
Your organization isn’t the only one innovating. Threat actors have a new arsenal of tactics and tools to breach organizations and launch attacks, including methods fueled by generative AI, which we’ve discussed on previous Trust Issues episodes. They know that every identity at any access point is a gateway to an organization’s most valuable resources, and you know it too.
[00:00:48.190] – David Puner
Nine in 10 IT security decision makers expect AI to drive negative cybersecurity impact. Today’s attackers employ a business-innovation mindset and are constantly upping their game. Just look at the marketplace for ransomware. Strains are made, bought, and sold e-commerce style. Software supply chain attacks also continue to be a hot topic. Cascading software supply chain attacks, to be more specific.
[00:01:17.470] – David Puner
Then there’s cookie or session hijacking, where attackers gain control of a user’s session and steal their cookies, which can then be used to further penetrate networks by way of what’s essentially assumed identity.
[00:01:31.020] – David Puner
That’s a subject we’ve previously covered with today’s guest, Shay Nahari, who is the leader of CyberArk’s Red Team. Today, Shay talks with me about attacker Innovation and how he and his team, as offensive defenders, stay on the cutting edge.
[00:01:47.680] – David Puner
Then we’ll take a trip back to 2016 and the Bangladesh Bank Heist and a cutting edge engagement Shay and his team participated in, in the wake of the heist. Here’s my conversation with Shay Nahari. Shay Nahari, VP of CyberArk Red Team Services, welcome back to the podcast.
[00:02:06.810] – Shay Nahari
Hey, David, how are you doing?
[00:02:07.910] – David Puner
I’m doing all right, how are you?
[00:02:09.520] – Shay Nahari
Not too bad.
[00:02:10.740] – David Puner
Good to see you. You’ve been on the podcast a couple of times. We haven’t seen you since last December. Then for a while I was bumping to you in the Newton office, bumping into you, that is, in the Newton office. Then not so much. You’ve had a pretty busy summer. Where have you been and have you gotten over the jet lag yet?
[00:02:30.910] – Shay Nahari
Yeah, it’s been a busy summer, that’s one way of saying that. I traveled a lot, I spent a week in Israel, a mixture of business and vacation. From there I went to Singapore for our Singapore Impact customer event, met with the customers, had some media interviews, and from there I went to Australia, to Melbourne, for again to Impact World Tours, great event, and just recently came back.
[00:03:04.150] – David Puner
Great. Good to see you, and I hope to see you in the office one of these days. Most recently, you were on the podcast last December with Andy Thompson, and you came on to talk about cookie hijacking or stolen cookies. And then back in June of 2022, we talked about generally what you and the CyberArk Red team do. I think maybe a good place to start is as a quick refresher to our audience, what does the Red Team do?
[00:03:31.130] – Shay Nahari
We mainly do adversary simulation. Our goal is to provide organization a way to test themselves or measure themselves against attackers with certain set of capabilities. The idea is to emulate full scope breach against an organization.
[00:03:52.870] – Shay Nahari
I think what really interesting about this is where a lot of organization have their plan versus reality, is what happens when you evade their security tools with at least the first line of defense. What happened next and what happened when you actually need to use that plan that you have: blog that account, reset passwords, do incident response. This is where things become really interesting and this is where things move from “I have a plan” to “I don’t know what I’m doing right now” type of scenarios.
[00:04:26.870] – Shay Nahari
This is really what we’re trying to do. We’re trying to allow you to test and measure all your plans in the response against an attack, and try to find gaps in your overall security posture.
[00:04:38.380] – David Puner
Needless to say, the Red Team, probably for the most part, doesn’t really have an awful lot to do. Every once in a while, you get called in, work hard for a couple of days, and then chill for the rest of the year, right?
[00:04:50.450] – Shay Nahari
That’s exactly what we do. In reality, what happened is we spend a lot of our time researching techniques and attacks, because our idea is to allow organizations to test themselves again what is out there currently.
[00:05:05.710] – Shay Nahari
A lot of our time is spent on doing research, whether it’s finding what actors are doing, threat actors are currently doing, or finding our own ways to circumvent tools and create attacks, what we call TTPs, Tactics, Techniques, and Procedures. We do spend a lot of time researching those TTPs for the actual engagements that we have.
[00:05:31.280] – David Puner
Matt Cohen, CyberArk CEO, was on the podcast recently, and he talked about the three driving forces behind today’s Identity Security landscape. Those are to paint in broad strokes new identities, new environments, and attacker innovation. Probably none of these comments are a surprise to you.
[00:05:50.160] – David Puner
As a defender, really as an offensive defender, you focus a great deal on attacker innovations, as you just mentioned, which is, aka, attack methods. What’s gotten your attention these days on the attacker innovation front?
[00:06:05.960] – Shay Nahari
By the way, I love the term, offensive defender. I don’t think I’ve heard that before. I’m going to use it, I’m going to steal it.
[00:06:11.910] – David Puner
Alright, we’ll get you a bumper sticker. That’s probably a good one.
[00:06:15.260] – Shay Nahari
I’m not sure my wife will like it, but yeah, I love the term. As Matt mentioned, we’ve seen three different pillars in the attack landscape: the identities, the expansion of identities, which I’m sure Matt talked about, the new environments that move into the cloud, the proliferation of cloud assets, and then the attacker innovation, what we’re seeing as ways for active groups, things that they do to circumvent some of the security controls. If you’re trying to summarize the three main goals that we’re seeing, the first one is we’re seeing a huge increase in what we call cascading supply chain.
[00:06:55.730] – David Puner
Cascading supply chain.
[00:06:57.440] – Shay Nahari
Cascading supply chain are themselves not new. We’ve seen supply chains attack happening for the last 20 years. But in the past, we’ve seen it usually reserved for military and defense organizations. We’ve seen some attacks against critical infrastructure happening from a supply chain. We’ve seen this also leak into the more financially motivated groups. Some very famous ransomware started from a supply chain attack where the attacker compromised some vendors and from there, moved to the consumer level.
[00:07:33.490] – Shay Nahari
Cascading supply chain take it really one step further. Instead of just compromising a single vendor, let’s say a software vendor that allows you to move into other customers or other organizations. In a cascading supply chain, the actors compromise a vendor that provides software to another vendor, that provides software to another vendor and so on.
[00:07:56.440] – Shay Nahari
We further down the chain and that achieves a couple of things. One, obviously wider spread. If you are earlier in the supply chain, you have the ability to affect more organizations or more targets. By the way, when I say organizations could also be we’ve seen cascading supply chain also affecting individual users. It could be B2B or B2C type of attacks.
[00:08:19.630] – David Puner
It seems like this is something that’s probably been in existence for a while, almost like a Russian doll’s ripple effect of supply chain and a huge deal for almost any organization out there. Why is it something that we’re seeing more now of?
[00:08:35.450] – Shay Nahari
Again, supply chain gives you a lot of values in attack. You can find probably the weakest link in the chain and go after that. If you’re targeting a certain organization which is really mature, if you can compromise one of its vendors and allow you to infect the software of that, that your end target is using, you find yourself a way to get in without bypassing a lot of the security controls. That’s again, not new, we’ve seen this happen in various targets and different verticals.
[00:09:05.750] – Shay Nahari
What’s new here is, again, moving away from that single source because we’ve seen organizations spend more time on vetting their vendors, whether it’s checking the security and software of their vendor or having even integral flow within their own CI/CD pipeline to see if there is any effect to the code.
[00:09:26.390] – Shay Nahari
Once attacker moving away from that single vendor to the next link down the chain, it makes it extremely harder for your organization to vet that. Now you not only need to vet all your vendors, but you need to vet all of their vendors and their vendors.
[00:09:43.410] – Shay Nahari
It makes it harder, it’s obviously a little bit more time-consuming from an ROI, from the attacker perspective, because it now needs to affect more target and understand there might be more intelligence to understand what are the software that the target needs. But the return of investment is much larger.
[00:10:00.580] – Shay Nahari
In regards to what organization can do, fundamentally, it’s shifting the attention from maybe direct infection, what we used to see as phishing, to maybe supply chain attack. But the fundamental assumption of assumed breach should stay in place.
[00:10:17.250] – Shay Nahari
Organizations should assume attackers would find a way into their infrastructure, whether it’s in traditional aspect of “We’ll phish one of their users.” Or in the newer ways, “We infected one of your vendors and we got the internal access to that.” Organizations should make the assumption that attackers are already within their network and plan their entire security posture based on that. Start with that assumption and build upon that.
[00:10:44.440] – David Puner
How does Identity Security figure into that?
[00:10:48.020] – Shay Nahari
When we look at Identity Security, especially in recent years, we found that identity became sometimes the only perimeter. If you take away the firewalls and you make the assumptions that attackers, they already have foothold within your network to a supply chain attack, then you understand that identities are really the first line of defense you have against compromise.
[00:11:12.050] – Shay Nahari
If you can’t necessarily control the location of your employees, whether it’s work from home or a compromise to a supply chain, then you need to verify that the identities that are used within your infrastructure are monitored and audited and controlled by you, and that you have a good way to not only identify the usage of those identities, but also have the ability to react to and abuse of those.
[00:11:42.090] – David Puner
We’ve talked a lot about it here on the podcast, Generative AI, including with your colleague, Lavi Lazarovitz, recently who heads up CyberArk Labs. And for good reason, organizations are worried about what impact it’s going to have or it’s having right now. How does that figure into the supply chain attacks? Or is it just how does it figure into everything? How are you thinking about it? What are you seeing in the Generative AI world other than playing the Generative AI drinking game in Australia?
[00:12:11.830] – Shay Nahari
i think you can’t wake up in the morning without hearing Generative AI, right? I know Lavi talked extensively about that. We know it’s going to affect and going to change our lives. I think none of us really know how much. There’s obviously a lot of initiatives, both on the defensive side and the offensive side.
[00:12:31.690] – Shay Nahari
We’ve really started seeing that AI sticker being put on every defensive tool out there. I can tell you from an offensive perspective, there’s a few things we’re seeing. The first one is we’ve seen attackers obviously use it from code generation, and I know Lavi talked about it a little bit as well, so make it much easier to write malware.
[00:12:49.980] – Shay Nahari
The second thing we’ve seen is we’ve seen usage of AI without the protection, the built-in protections that are out there. So if, for example, you try to go to ChatGPT today and say, “Build me a bomb.” Obviously, it will say, “Well, I cannot do that.” We start seeing versions of that, of different AI modules, being sold in the dark web without that protection.
[00:13:15.080] – David Puner
Are those protections easily removed?
[00:13:17.850] – Shay Nahari
Well, if you control the module itself, yes, you can do whatever you want. The more controls that you have right now is because the module still states certain companies and then they can enforce certain restrictions. Again, not to say those cannot be bypassed even if they do exist, but if you control the module itself, you can remove those artificial limitations completely.
[00:13:41.400] – Shay Nahari
We’ve seen different modules getting sold in the dark web that claim to have any limitation removed. Whether it’s effective or not is to be determined, but we’ve seen actors selling those type of modules out there.
[00:13:56.170] – Shay Nahari
We’ve looked at AI for our own usage. It’s a mixed result. Obviously, it can make life easier for us, but at the same time, I think it also takes away a lot of the edge that you have as an attacker. I’ll give you an example. We have an internal project to write an offensive command control server that we develop in-house that has more than 300,000 lines of code as of right now.
[00:14:22.120] – Shay Nahari
We’re currently testing our code against different EDRs, different security controls, to see what’s getting detected and if we can bypass them from an attacker perspective. I can tell you we’ve done really well when we wrote our code to not get detected.
[00:14:36.500] – Shay Nahari
One day, one of my guys come and said, “You know what, Shay, we have a small module that we want to develop, and it’s a small one. In order to save time, we want to see if we can generate it with machine learning.” I said, “Sure, let’s try that.” It’s a really small module, less than 100 lines of code.
[00:14:52.620] – Shay Nahari
Then funny enough, when we generated it, we generated it, integrated it, and then did our security testing against vendors, and we found out that we’re getting detected. We found out that out of this huge project, the only thing that’s getting detected is the small, less than 100 lines of code, that was generated with AI.
[00:15:11.990] – Shay Nahari
We dug into that, and we suspect that the reason why that gets detected is because the way the code is generated is very different than what human would write. The defensive side of defensive AI basically said, “Well, that’s abnormal.” And triggered on that. There is pros and cons for this from an attacker perspective.
[00:15:33.000] – David Puner
What are the implications for attackers there?
[00:15:36.050] – Shay Nahari
I think just like defenders, AI will be a great tool. But I think at this point in time, human intervention and human awareness are still mandatory part of the development lifecycle. We have not seen a lot of success with blind-generating code, the AI code without testing or without human interfering there.
[00:16:02.400] – Shay Nahari
I think, again, it’s no different than a regular developer that’s writing software. It can be used, you just need to understand what you’re doing and it can shorten the time, but you need to know what you’re doing and what are the implications of jittering that code with AI.
[00:16:17.820] – David Puner
The next attacker innovation that I know you’ve been looking at quite a bit is session cookie hijacking. What’s been going on in that world since we last spoke to you about it last December? Maybe we should start by just a quick reminder of what cookie hijacking is.
[00:16:32.750] – Shay Nahari
In layman terms, cookies are a source of trust that is given to you or is set in your browser after you authenticate to a site. Imagine, again, you’re going to authenticate into Google with your password and multifactor authentication. Once the authentication part happens, your browser is given a cookie that has a certain duration. If you visit any of the Google subdomains, as long as the cookie is valid, you are not required to authenticate again. That is fundamental part of the way HTTP and browsers work.
[00:17:10.510] – Shay Nahari
Now, as you can notice, this happens post-authentication. Which means from an attacker perspective, that if we can steal that cookie, we can assume your identity for the duration of the session, which means we don’t need to know your password, we don’t need to have your multifactor authentication, we can just continue the session where you start.
[00:17:35.190] – Shay Nahari
Obviously, this is really, really big for attackers. We’ve start seeing this used a couple of years ago. We’ve completely migrated to that. There are other advantages of stealing cookies from an attacker perspective. Without going too technical, the level of privileges that you need to steal that is much lower than any other credentials in the browser or in the machine.
[00:17:59.790] – Shay Nahari
Imagine this, your browser is designed to run by a low-level account, which means the cookies are not stored, don’t require admin to be used by the browser. As an attacker, we don’t need to be admin to steal them. It’s also very hard for defensive mechanism like EDRs to detect. We’ve seen a huge explosion of this type of attack vector. I think Microsoft themselves reported a 100% year-over-year increase in session hijacking that they’ve seen. That’s really just a description of session hijacking.
[00:18:37.570] – David Puner
Can you give some examples around how session hijacking takes place or maybe some engagements that you’ve been involved in lately?
[00:18:46.390] – Shay Nahari
Yeah, we’ve actually been using session hijacking extensively in the last couple of years. Some examples to that is an attack we’ve done against a really, really large bank. The bank asked us to access to their payment infrastructure, their Swift infrastructure, and then we’ve bypassed the security controls on that by stealing cookies that allow us to access the Swift terminal, perform a wire transfer, and then steal someone else’s cookie to approve the transfer and send it away.
[00:19:20.830] – David Puner
I like how you so nonchalantly said, “Yeah, we did this engagement with some bank.” You’re speaking of something actually was a really big deal. I heard you give a presentation on this back in the spring, and I had no idea. It’s around the Bangladesh Bank Heist that happened in 2016. The cyberthieves stole $81 million, and I know that they were shooting higher at one point, but that’s what they made off with.
[00:19:48.920] – Shay Nahari
You’re right, 2016 may be one of the largest bank heists in recent history. As you said, the attackers made a series of 35 different transactions, trying to steal almost $1 billion from the Federal Reserve in New York. The first five transactions succeeded. On the sixth one, one of the banks that participated in the transfer noticed that the attacker misspelled The Ward Foundation in the transfer.
[00:20:15.620] – Shay Nahari
I’m imagining someone thinking, “Well, you’re trying to transfer $1 billion and you can’t spell The Ward Foundation.” And that triggered some investigation, so that’s really what triggered or stopped that specific attack. That triggered a lot of insight into how payments are made in the banking world.
[00:20:35.540] – Shay Nahari
The engagement I was just talking about was one of the results of that. A lot of banks are now looking into ways to see can attacker actually transfer money outside of their accounts. That engagement was exactly that. Adversary emulation aimed to test that. If attackers can transfer money and they bypass all the security controls and can the bank detect those types of activities before transactions are made.
[00:21:02.400] – David Puner
With that one, did you actually transfer funds or was it just about getting in?
[00:21:08.620] – Shay Nahari
This was really an interesting engagement. A lot of time, organization would define some critical infrastructure for us and say, “Once you get access to the control of the right privileges, stop.” In this case, the bank wanted to see end-to-end transfer. They actually gave us account numbers to use to steal the money if we’re successful. We’ve actually made a transfer.
[00:21:32.480] – Shay Nahari
They’ve imposed some limitations on the amount and where, and what time of the day, but that’s about it. This is one of the cases where they actually wanted to see the money being transferred out of the account. I think this was exciting.
[00:21:46.350] – David Puner
Since that time, you’ve run similar engagements with quite a few banks, I would think.
[00:21:51.650] – Shay Nahari
Yeah, we’ve done bank. We’ve actually used session hijacking to other extent, to other verticals as well. We’ve done critical infrastructure, water, energy. We’ve done CCTVs. Again, if you think about it, everything today is running on browsers. If you are able to steal those cookies, you have a free reign to everything that’s running within a browser context.
[00:22:14.940] – David Puner
That’s apropos that you would mention that because we, of course, have something called a secure web browser, that CyberArk has a secure web browser product that’ll be coming out toward the end of the year. Have you been involved in that at all? I imagine with your vast knowledge of cookie hijacking, you’ve had some input.
[00:22:34.010] – Shay Nahari
We’ve been talking about cookies and session hijacking for a couple of years internally, even before we started talking externally. We said, “You know what? This is interesting because this falls exactly into what we do. We are the Identity Security Company. This is what we do. We protect identities.”
[00:22:51.370] – Shay Nahari
We wanted to see if we can extend the protection to a fundamental flow in HTTP and see if we can solve that problem, and I think we provided that input internally. Yes, we were part of the very early-on, the input and thinking group on how that CyberArk secure browser will play and take effect and protect those session cookies.
[00:23:12.580] – David Puner
We can look forward to the release of that toward the end of the year. It’s going to look and feel like a regular Chromium-based browser, as I understand it.
[00:23:20.480] – Shay Nahari
Yeah, exactly. It’s built on Chromium. Because we’re building the browser from the ground up, we have an ability to do things that are not normally possible in regular browsers, and that also includes our cookies, and sessions are handled. In addition to other operational aspect, we have the ability to control at a very low level. Suffice to say we’re solving that cookie problem with the CyberArk secure browser, by eliminating those cookies from the endpoint completely.
[00:23:52.010] – David Puner
Does that mean that once that’s out, we’re not going to be able to have you back on to talk about cookies again? We’re going to have to find something else to talk to you about?
[00:23:58.420] – Shay Nahari
We’ll have to find different things to talk about, yes.
[00:24:01.220] – David Puner
Alright, okay. Well, it probably won’t be that hard. Shay, where are we going next around the world? Can I come along? What do you have coming up this fall?
[00:24:11.530] – Shay Nahari
I’m hopefully not traveling too much. There’s a Canada Impact, and I’m going to do in Toronto. But that’s it, that’s my plans right now, I need a break.
[00:24:22.310] – David Puner
Yeah, that’s a much better flight than Sydney or Australia to Boston.
[00:24:27.540] – Shay Nahari
Yes, much better commute.
[00:24:30.850] – David Puner
Shay Nahari, thanks so much for coming back onto the podcast. Look forward to seeing you in person sometime real soon and we’ll have you back on the podcast in the near future, I hope.
[00:24:40.790] – Shay Nahari
It’s been a pleasure. Thank you, David.
[00:24:42.200] – David Puner
Thank you.
[00:24:51.490] – David Puner
Thanks for listening to Trust Issues. If you like this episode, please check out our back catalog for more conversations with cyber defenders and protectors. Don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. Let’s see, oh, yeah, drop us a line if you feel so inclined. Questions, comments, suggestions, which come to think of it, are kind of like comments. Our email address is [email protected]. See you next time.