Here Come the Cyber Cartels - Ep. 125

This week we catch up with Tom Kellermann, Head of Cybersecurity Strategy at VMware to discuss the explosion in, and growing aggression of, cyber cartels and the differences in attack motives across nation-state attackers and the offer that just can’t be refused by the “untouchables”.

Episode Table of Contents

  • [01:41] Behavioral Anomaly Detection Capabilities of Carbon Black
  • [08:35] Targeting the Financial Sector to Offset Economic Sanctions
  • [15:58] Where Do We Start With These Cyber Cartels
  • [22:52] Getting Visibility and Full Telemetry
  • [28:49] The Trust That Exists Between Cyber Cartels
  • About Our Guest

Behavioral Anomaly Detection Capabilities of Cyber Cartels

Rachael: We've got Tom Kellermann. He's the Head of Cybersecurity Strategy for VMware. He's Vice-Chair for the Cyber Investigations Advisory Board for the United States Secret Service. He is also a Wilson Center Global Fellow for Cyber Policy.

Rachael: Welcome to the podcast Tom. VMware recently or semi-recently acquired Carbon Black, how is that working today?

Tom: About 18 months ago we were acquired by VMware and we became the security division of VMware. Essentially all of the Carbon Black capabilities you might be familiar with from application control to EDR to Next-Gen AV. Those analytics are being integrated into the larger fabric of VMware.

Tom: Things like vSphere now have Workload Security, you've got Workspace ONE that has the text and response capabilities. Even with Horizon VDI, you've got Secure Cloning. All based off of the behavioral anomaly detection capabilities of Carbon Black.

Eric: We often talk about building security from the ground up. Infusing security into the virtualization stack, the OS, and things like that. I hope we see some major progress here.

Tom: Intrinsic security is the vision. It's modern zero trust that has to go beyond identity and endpoints all the way into the infrastructure itself. The goal should really be decreasing dwell time and suppressing an adversary, unbeknownst to an adversary.

Tom: Can you detect, deceive, divert, contain and hunt an adversary unbeknownst to the adversary? That's kind of the goal of the infrastructure defense itself.

Eric: It'll be interesting to see over time if the industry continues to go this direction. How quickly we go in this direction maybe is the better way of describing it.

The Real Competition in This Cyber Insurgency

Tom: Well, given the fact that America's dealing with a cyber insurgency I hope we move faster. The challenge in the industry is there's really a lack of cooperation in the industry. We all see each other as competitors, but the real competition is essentially the Russian-speaking dark web. And we really pay attention to that.

Eric: It would be very nice for Rachael and I to be out of business. We could talk about the beach or think about the podcasts we could do if the security problem was solved. If we solve this, embedded security and everything, and it worked really well, I'd be at the beach.

Tom: I'll be concise enough so you can go out to the beach today.

Eric: It doesn't work like that. We've got a major industry problem that we have to deal with first. It keeps us all employed.

Rachael: I’d love to dig into the Cyber Investigations Advisory Board for the United States Secret Service. I don't know that anybody's ever really thought about cyber in the Secret Service, or that being at the forefront. What does this advisory board do?

Tom: For those who aren't familiar with the history of the Secret Service they were created essentially right after the Civil War to deal with counterfeit currency, and then only after the assassination of McKinley did they move into protective responsibilities for dignitaries and leaders of the country.

Tom: They have been laser-focused on financial crime investigations. They've been the tip of the spear for all financial crime investigations since the Civil War. As money has now become digital, ever since 1995, they are the ones investigating all the bank heists. The North Korean cryptocurrency money laundering events, etcetera.

Putting Pressure on the Cyber Cartels

Tom: They created this board for the first time in the history of the Secret Service to do two things. One would be to modernize the mission of the Secret Service. Both from a cybercrime investigations perspective as well as a protection perspective.

Tom: Then the other was really how do we disrupt and dismantle the dark web, the economy of scale, put pressure on the cyber cartels that are merely growing in power. The pandemic has been gasoline to the fire of the Silicon Valley of the East.

Eric: You always think about the FBI when you think about the dark web. But, you're saying the Secret Service many times will take the lead on this.

Tom: They take the lead on all financial crime investigations that don't have an intelligence or counterintelligence dynamic or component.

Eric: That division or a group of the Secret Service, I would imagine it would have to be exploding with headcount, with budget and taskings and problems and everything else that comes with it.

Tom: Part of the board's job is to advocate that they be given greater authorities and greater resources. The challenge of the Secret Service is that special agents have to maintain both roles, both protection and cybercrime or financial crime investigation.

Tom: One thing they're doing that's quite unique is that they've merged the financial crimes task forces. They've merged the electronic crimes task forces, which exist in every major city in the country. They're expanding them internationally.

Tom: That way, you’ll have a public-private partnership between Secret Service, local law enforcement, and heads of cybersecurity for both financial sector participants and IT firms to go after and create a collective force to disrupt the dark web.

The Cyber Cartels of Eastern Europe

Rachael: As part of this advisory board, I see that your team have put together a report called Modern Bank Heists. You mentioned that you can look to the sophistication of how cybercriminals attack financial markets or financial institutions. These are indicators of what's to come for government agencies or enterprises.

Tom: It is insightful and it creates foreshadowing. It relates to the Russian-speaking threat actor community and cyber cartels of Eastern Europe. They are the most prolific adversaries of the financial sector. But as we've seen over the past seven or eight years, there is a pox mafioso.

Tom: It exists between the cyber cartels of Eastern Europe and the regime. They are used and treated as national assets and they act out as cyber militias, targeting the West. In order to maintain their untouchable status but also to pay homage to the regime.

Tom: I wrote a report just last week called Iron Rain which describes this phenomenon. The Modern Bank Heist report, it's going to be issued in two weeks. It is a seminal report, produced four years in a row now. I interviewed over 126 CISOs at major financial institutions around the world.

Tom: I challenged them to describe to me what's keeping them up at night. How their architectures are failing against the threat and what they want to do to prioritize intrusion suppression going forward.

Eric: Unlike Capone, Bugsy Siegel and the mobsters, the cartel of old days. What you're saying is, they have nation-state support. Leveraging them almost as a cut-out to allow for behaviors, then they just don't pursue and prosecute.

Targeting the Financial Sector to Offset Economic Sanctions

Tom: They're used as traditional proxies for the antics of the regime. They're also used to offset economic sanctions. North Korean crews, Russian crews, Iranian crews are regularly used to target the financial sector to offset economic sanctions from the West.

Eric: In North Korea's case, "Hey team, go get me some money so I can do what I need to do."

Tom: North Korea is technologically sophisticated. The organization of their cybercrime community has been dramatically enhanced thanks to technology transfer from Russia. Same reason you see the missile specs on their ICBM's mirroring that of old Russian tech. The same reason that their military is carrying close to cost on the rest of it. It's the same premise, it's just tech transfer from their ally mother Russia.

Rachael: Very big business. The different countries seem to have a different rationale for attack. For example, you'll often hear about Russia and China. Recently, Microsoft has attributed China as part of their business email compromise. They're calling it Hafnium if I'm saying that correctly.

Rachael: Sometimes that gets lost for folks in each country who have their own perspective of why they're making attacks. What does that different landscape looks like? So when we see Russia, China, what are those differences really as it relates to the US? What benefits do they get from executing these huge blast radius attacks to define their high-value targets?

Tom: So the Russian modus operandi is specific to a stratagem imposed by General Garrison who runs strategic command. He was tasked by President Putin to come up with a strategy to get revenge against the West for Glasnost to reassert their hegemonic powers in the world and the region.

The Achilles Heels of the West

Tom: The two pillars of that strategy were, one is the Achilles heels of the West are dependents on technology. This is back in 2013 he gave this speech, at a resort in the Black Sea. The other part is public opinion, our institutions are only as strong as public opinion.

Tom: Both of those things have been successfully undermined and exploited. They knew that they didn't have the technical firepower to go toe to toe with the NSA. Or toe to toe with Silicon Valley, but they knew that they also had these assets. They had these cybercriminal cartels and crews that were successfully targeting banks.

Tom: They called upon them and they explicitly rolled out these three rules. You will not hack anything within the sovereign boundaries of what was the Soviet Block. You’ll share anything of interest or access to anything that is of interest to us. Then when called upon to be patriotic, you will go after these targets. In exchange you're untouchable.

Eric: When you say within the boundaries of the Soviet Block, you're excluding Ukraine now in the modern time.

Tom: Although there are some hacker crews who miss being part of Russia. Just like you have Ukrainians in the South and other places. Crimea who are more aligned with the historical relevance of Russia.

Eric: It came across to me as almost past tense, but this has been going on for a while. It continues today.

Tom: It does and viscerally so. They've truly utilized the construct of island hopping, or as people are saying supply chain attacks, to their benefit. I call it island hopping and not a supply chain attack.

How Cyber Cartels Use Your Digital Transformation to Attack Your Constituency

Tom: No matter how they get to you, they will use your digital transformation to attack your constituency. You don't need to be part of the software supply chain. When you're government agency X and you've been penetrated that way.

Tom: They're going to turn your website and your network to attack citizens of the US and other government employees. That is happening 38% of the time. When organizations get hit, their infrastructure is being commandeered to attack their constituencies.

Eric: Meaning their website, their emails, you name it.

Tom: Their email environments commandeered to target significant executives and politicians. Their website or their mobile apps are now becoming watering holes. Watering holes aren't limited to websites, mobile apps can be turned into watering holes as well.

Tom: Then the networks themselves, because of the implicit trust through the program of specific ports and the traffic that moves through them. They're using our own trust against us.

Eric: What do you recommend then as we continue with digital transformation? We're probably the most advanced nation in the world digitally, putting us most at risk. What do you recommend? What do we do?

Tom: Let's begin with what we shouldn't do. Most of the standards out there for cybersecurity are backward looking. They are specific to creating the ideal fortification, and they're really focused on prevention models.

Eric: And compliance, building big walls, we're saying the same thing.

Tom: The architectural model that we should espouse to is more of that of a supermax prison where the prisoner is resource-constrained, where they can't freely move laterally. It's difficult for them to get out of the infrastructure and you have complete visibility and telemetry into all their activities.

Beyond Identities and End-Points

Tom: That is the model that we need to subscribe to. That's really extending zero trust beyond identities and end-points all the way into the infrastructure. But manifesting security in a very clandestine way. Such that the adversary is not aware that the environment is shifting and suppressing them in real-time.

Tom: If the adversary becomes aware that you're onto them they will become more punitive. Destructive attacks are up 118% and they are typically not the singular purpose of an event. They are actually part of what's called the counter incident response.

Tom: Where, "Hey, you just disabled my command and control. I'm going to drop a wiper in your system." Or "I'm going to drop a piece of ransomware, not Petia style, in your system to cripple you, because how dare you come on to me. Not only that, I'm going to punish you going forward."

Eric: You attacked my friend, you burned the city. I'm going to drop paratroopers in your homeland and burn it down. Take us through that then. If you're restricting the capabilities of the users, you're really saying what you need to do is control what comes out of the infrastructure, correct?

Tom: You need to inhibit lateral movement within the infrastructure, you need to apply things like just-in-time administration, and you need to integrate your endpoint protection platforms with your network detection platforms. And you need to have the capacity to deploy deception technology. And you need to make sure that workloads defend themselves against threats.

Tom: You need to assure that all of your VDI environments can be created and manifested through secure cloning. Then even device management systems, they themselves need to become more intelligent.

Where Do We Start With These Cyber Cartels

Tom: They shouldn't just manage a device, they should dynamically manage a device-specific to risk. Not only to the device but of the device to the infrastructure, and specific to behavioral anomaly.

Eric: So the average listener who is in InfoSec, his head probably just exploded. They're probably like, "Where do I start? That sounds awesome Tom." Where do we start because we've got all this legacy crap that we've got to keep running. I can't just bring in VMware to solve all of our problems or any vendors.

Eric: Who cares who the vendors are. How do I put a five or 10-year strategy out there, and then execute against that?

Tom: First I'd like to state that those poor folks at InfoSec who are under-resourced and who don't have sufficient authority, who are still being governed by the CIO team and the IT team, they need to promulgate a new message. Worst case scenario is all the work we've done to digitally transform will be used to attack our customer set.

Tom: Success in that is limiting that from happening, but success is also decreasing dwell time. To achieve that, the first thing they should do is conduct robust, weekly threat hunts across their infrastructure. Threat haunts that will justify greater authority, greater budgets. Those thread haunts should be the primary focus of any additional security spent.

Eric: How many of the customers or organizations you deal with do threat hunting? If they do, what percentage of their spend or time is it in your estimation?

Tom: It depends on the sector. In the financial sector, close to 70% of the banks are doing weekly threat hunts.

Invest More on Threat Hunting Not Just Wall Building

Tom: Those same institutions are going to increase their cybersecurity budget by 10 to 20% this year because they get it.

Eric: They're spending it on threat hunting, not just building bigger walls.

Tom: I'm giving you a little preview of the Modern Bank Heist Report here. The primary focus of investment or XDR workload security and container security as of the way things are changing. That all being said, conduct the threat hunts.

Eric: Number two.

Tom: Then segment your networks. You can't have static segmentation, you got to do that ASAP. Number three, make sure there's some sort of seamless visibility between your network detection response capabilities and your endpoint protection capabilities.

Tom: Number four, pay attention to container security. Kubernetes is amazing but if misused it could create a systemic threat or a wildfire in your infrastructure. Lastly, just-in-time administration. No one should have administrative rights in perpetuity.

Tom: This isn't about just limiting privileges. Even CIS admins should only have administrative rights specific to a period of time and a task. In the end, as we all know, the adversary is going to hunt that super-user and take over their account. Now you have a digital insider running amuck.

Eric: They're creating new accounts. As an admin you can do anything. Is the two-person rule an effective technique to reduce the amount of admin, lateral movement, or reduce the power of a single admin?

Tom: I think it's effective. There are technologies out there that allow you to apply just-in-time administration in a scalable fashion. I do believe that after a security event, administrative privileges should immediately be toggled down. Much like after a security event.

The Challenges Cyber Cartels Need to Face

Tom: If you're going to deploy EDR on a system that maybe didn't exist before, you should put it in monitor-only mode. Because if you turn it fully on, the adversary knows that you're on to them. There’s one thing that I find crazy but I guess emblematic of our dependence on technology.

Tom: I see IR teams using Slack or Teams to communicate vis-a-vis an event, which is nuts to me. But they're like, "Yeah, but we're not using email to do it." And I'm like, "Are you crazy?"

Eric: No, after UNC2452, that's what I'll call it this week. We saw a number of our customers and prospects say, "I can't communicate with you over email. Unless we can do encrypted email." Like that was, "So call me." But I agree with you, what about Slack? What about Teams?

Tom: I wouldn't do it. I really recommend Signal or Wicker or phone calls, something out of bound, but it is what it is. The other challenge that we need to face is that adversaries are now part of counterintuitive responses. They’re more likely to manipulate the value of timestamps and they're more likely to delete logs.

Tom: You're like, "How do I deal with that?" Well, look across. If you think a device was compromised, are there any gaps in the logs? Because then you're really, dealing with an adversary that has deleted the log.

Eric: You're almost looking. Instead of looking for something in the log, you're looking for the absence of something. You're looking for blocks of time where somebody wiped, and from a hunting perspective that could be a tell.

The More Interesting Facets of SolarWinds

Tom: Look at Cosmic Gail. It's one of the more interesting facets of SolarWinds. This code basically automated the deletion of logs specific to when the adversary was active on the host. Then automatically deployed or provisioned a secondary C2 on a sleep cycle in image files through steganography, that's bad.

Eric: Take us through that. What did they do? Why did they do it? And why was it so important to us? Will we see it again?

Tom: We keep talking about the other elements or pieces of malware associated with that campaign. But this was the secondary payload deployed in the system to make sure that they always could get back at.

Tom: So how do you deal with that? Well, you look for gaps in logs. You look for PNG files that are large, that are sitting in the outlook mailbox that shouldn't be there. But no one ever looks for that.

Eric: PNG being an image file?

Tom: Large PNG files specifically though, they weren't using JPEGs. That basically was their C2 infrastructure, their secondary C2 that was on a sleep cycle. And that goes to my other point, do not immediately terminate command and control if you find it.

Tom: I know that sounds sacrilegious, but trust me. There's going to be a second C2 on a sleep cycle when you're dealing with Russia or China. What comes next will become more punitive.

Eric: I can't tell you how many exercises I've been involved with, both real and drills, the military's the best at this. The general officer or the colonel will come and say, "Disconnect everything, take us off the net."

Getting Visibility and Full Telemetry

Eric: That is the immediate reaction, it's such a kinetic binary type of visceral response. But it's like, "Unplug everything and we'll figure it out then." So what you're saying is don't disconnect command and control, allow that C2 to continue. Watch, understand what's happening so you have a better idea.

Tom: You need to get visibility and full telemetry on how far they've spread in your infrastructure. It's not limited to power so they're misusing WMI and corporate G drives, the whole nine. The name of the game for these adversaries, the reason why traditional antivirus won't stop them or even IPS systems. It's all about compiling on hosts and executing a memory.

Tom: When they do that, they get around a number of security capabilities that exist out there. It's all about automating the dismantling of security agents and tools. So to the simple point, how many times do you come across a government agency? Or a major commercial entity that's been hit and then they say, "Well, they deactivated your security agent."

Tom: Well what do you call the security agent? We named it Falcon. Why'd you name it? What are you doing?

So we need to become better at our own OPSEC, how we defend. We need to become more clandestine in how we hunt. Those are the real starting points for dealing with the insurgency that government agencies are facing right now.

Eric: We talked about UNC2452, let's call it holiday bearing, this segment. I think that was detected on the ninth, disclosed by the 13th of December. I don't think we have a report for any of the nine government agencies. The US government agencies that have announced they were susceptible.

How Far Did the Cyber Cartels Go

Eric: I don't think we have a single report that I'm aware of to this date three months later of what happened. What do they know, what did they do? Like publicly available. I could be wrong, you may know of something.

Tom: The question that we should expect to be answered by those government agencies is not did they get in. It’s how far did they go?

Eric: No, it's what happened?

Tom: How can you guarantee me that your agency infrastructure isn't being used to attack other agencies right now? Or that it hasn't been used to attack other?

Eric: I don't think they can. I'll break it down to basics, like first grade level. What happened? I suspect we don't know yet or we may never know. Are they still in?

Tom: That is what's concerning. That's why I always call it a home invasion. It's not a question of the house being burglarized. Are they still in the house and do they want to escalate when you're having your family dinner?

Eric: The industry came back with all these IOCs and patches. We're going to look for blah, blah, blah, to prevent them from getting in. I just want to scream sometimes. Maybe I'll do it on the podcast one day. It's like, "They're in, they're already in, they're likely, still in. Highly likely by the way. What are you doing about it? Do you know?" It's crazy to me.

Tom: I am hardened though that we have real leadership in cyber now, in the US government. They're being given the authority to take the gloves off and how they manifest that. God bless them for doing it.

The Limitations That We Have as Private Sector Companies

Tom: But there's a lot of limitations that we have as private sector companies. For example, why can't I destroy my data when it leaves my environment? Why can't I track my data when it leaves my environment? Or why can't I encrypt and harden my data with a new algorithm when it leaves my environment?

Tom: You can't because of existing law, but I'm not talking about active defense right now. We can do these things with our cars and our iPhones. But we can't do this with our data and our intellectual property or international secrets.

Eric: Hopefully we get there. The new administration has definitely made some good strides, initial opening strides I would say. In this race.

Tom: Very thoughtful personalities at the top now for cybersecurity specifically.

Rachael: I read a quote today too. It said, the good guys are getting tired, and having this conversation I'm actually tired as well. There's so much to be done. When we look ahead, how many years are we from getting to that clandestine place where we are one step ahead of these guys here?

Rachael: Especially when there's so much hyper aggression. From your incident response report, it was what, 82% of adversaries fight back to maintain persistence. They are gunning for it. So how many years do you think, if you wanted to ballpark before we get ahead of them?

Tom: Four or five, but a large part of the success will involve the cyber command, the NSA, and the FBI. The Cyber Fraud Task Force is really taking it to the adversary.

The Trust That Exists Between Cyber Cartels

Tom: We have to stop playing defense as a nation and begin to put pressure on them to improve their own OPSEC. Then dismantle some of their capacity to tendril indoor infrastructure and colonize American cyberspace. I'm hoping that's going to happen, from the perspective of the industry, we're getting better at visibility and telemetry.

Tom: We're getting better at sharing information and becoming more collaborative for threat Intel. But I still think we have a bit of blinders on in terms of what we share, how we share it and our perspective of the worst-case scenario. Did they get in? No, I don't think that's your worst-case to my earlier points.

Eric: It'll have to be somewhat non-linear. It's not cyber on cyber, it's diplomatic. There are others, whether they're financial consequences or whatever it may be, we are stronger in other areas where our adversaries are weaker.

Tom: We can take a page from Putin's playbook on disinformation. We need to begin to undermine the trust that exists between these cyber cartels. Whether it makes it look like they're CI's for the US government, confidential informants.

Tom: How do we put pressure on the alternative payment channels? As well as the virtual currencies that are associated in cybercrime conspiracies and cyber spy conspiracies? How do we modernize forfeiture and any money laundering to take that money to fund critical infrastructure protection?

Tom: To fund the hiring of more special agents for the Secret Service, et cetera, et cetera. We've touched it, we've begun to do some interesting things. But much more aggressive action must be done to follow the money.

We Should Become Criminal Actors

Tom: To forfeit the money, and put pressure on the trust, the ephemeral trust that exists in those communities.

Eric: I love that, my mind wouldn't have said that. My mind said, "We should become criminal actors, almost impersonate them and discredit them." Like go after Russia, make it look like they're targeting indiscriminately. Make the governments of these nations who take advantage of organized crime question supporting organized crime.

Tom: Again, not the private sector, but the government, the US government.

Eric: I'm not thinking Rachael and I are going to, "Let me go and buy another cable. I'll boost the cable modem access in this house I'm renting right now, we'll take care of it for you. Don't worry about it."

Eric: Yes, the government. Not the private sector, hacking back should not be a private-sector function, but I love that idea. Discredit, like a disinformation to a disinformation campaign.

Tom: I would love to have a whole episode just on that.

Eric: Voice of America, we'll call it Cyber America part two or something, I don't know. I've never thought about that, but that is a great way to look at helping with the problem here.

Rachael: With that, I think, where do you go from there? We're going to call today's episode, episode 125 with the awesome Tom Kellermann. Thank you so much for the insights. This has been a fascinating conversation. A part two here in the next few months that I'd love to revisit.

About Our Guest


Tom Kellermann is the Head of Cybersecurity Strategy for VMware Inc.  Previously Tom held the position of Chief Cybersecurity Officer for Carbon Black Inc.  Prior to joining Carbon Black, Tom was the CEO and founder of Strategic Cyber Ventures. In 2020, he was appointed to the Cyber Investigations Advisory Board for the United States Secret Service.  On January 19, 2017, Tom was appointed the Wilson Center’s Global Fellow for Cyber Policy.

Tom previously held the positions of Chief Cybersecurity Officer for Trend Micro; Vice President of Security for Core Security and Deputy CISO for the World Bank Treasury. In 2008 Tom was appointed a commissioner on the Commission on Cyber Security for the 44th President of the United States. In 2003 he co-authored the Book “Electronic Safety and Soundness: Securing Finance in a New Age.”