Signals, Shadows, and Cyber Threats: Sai Molige on Forescout's 2024 Global Threat Roundup
Show Notes
In this episode of Cyber Focus, host Frank Cilluffo speaks with Sai Molige, the leader of the threat hunting team at Forescout. They discuss the key findings from Forescout’s 2024 Global Threat Roundup, including the growing role of bulletproof hosting services, increasing attacker dwell time, and targeted cyber intrusions on critical infrastructure. Molige explains how state-sponsored actors and cybercriminals are increasingly collaborating, and how the convergence of IT and OT security is reshaping the cybersecurity landscape. He also shares insights into new malware targeting industrial control systems, emerging attack techniques, and the importance of intelligence-led defense strategies.
Main Topics Covered:
- Key findings from the 2024 Global Threat Roundup: bulletproof hosting, increased attacker dwell time, and rising attacks on cybersecurity infrastructure.
- Threats to critical infrastructure: espionage and tracking of key personnel, VPN exploitation, and borrowing of attack tools between cyber groups.
- State-sponsored and criminal cyber collaboration: the blurred lines between nation-state actors and cybercriminal groups.
- Operational Technology (OT) security risks: increased targeting of specialized industrial protocols and legacy system vulnerabilities.
- Threat hunting frameworks and cyber resilience: the importance of intelligence-led defense, strategic visibility, and response planning.
Key Quotes:
"[Bulletproofing services become] breeding grounds for cyber attacks, or at least the building blocks for it." —Sai Molige
"Attackers are spending an increased amount of time inside the network to better understand the environment they are in." —Sai Molige
"Cyber criminals...are finding opportunities, and partnering with either nation state groups or state-sponsored groups." —Sai Molige
"Trust is the coin of the realm for the good guys, but also for the bad guys. So maybe we need to be spending a little more time eroding trust and confidence between and among some of these cyber criminals." —Frank Cilluffo
"[Threat hunting] is an iterative and proactive process, to uncover hidden risks and enhance resilience." —Sai Molige
Relevant Links and Resources:
Guest Bio:
Sai Molige is the head of Threat Hunting at Forescout, where he leads efforts in adversary engagement, cyber intelligence, and advanced threat detection. He has previously worked at Comcast and Snapchat, bringing deep expertise in network security, offensive cybersecurity strategies, and cyber threat intelligence. His work focuses on understanding attack patterns, improving cyber resilience, and bridging gaps between IT and OT security.
Transcript
Frank Cilluffo: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and this week I have the privilege to sit down with Sai Molige at Forescout, where he leads the threat hunting team. They came out with a great new report that I advise everyone to read, and we'll make sure it is available in our show notes. Prior to joining Forescout, he was at Comcast and Snapchat, and I'm really excited to sit down with him today. So Sai, thank you so much for joining us.

Sai Molige: Thank you so much for having me.

Frank Cilluffo: So let's start with sort of the big key takeaways and key findings and numbers, and maybe a little bit on the methodology of your 2024 Global Threat Roundup report.

Sai Molige: Sure, definitely. Again, thanks for having me. The first one is the methodology side. This data is gathered from the adversary engagement that we have, and then we get that data and feed it to the Forescout platform for the threat detection and response capabilities that it has. And it's interesting, in our industry sometimes we are conditioned to know without believing and believe without knowing. So what we did is we cleaned...

Frank Cilluffo: Not unique to cyber.

Sai Molige: Yes, yes. So we cleaned that data, we processed it, and then we formed empirical-based evidence and submitted it to, you know, shared it with the cyber communities in general. This one is not anything different. Like, we do the research, and whatever research we perform, we usually submit it to either government bodies like CISA and ISACs and CERTs, so that if there is something they need to glean insights from or make informed decisions on, they can let their entities know what operational risks they need to cover. So that's the methodology side of things. In terms of the key points, if I have three key points that I want everyone to take away, the first is that bulletproofing services are rampant and they're playing an important role. What I mean by bulletproofing is the umbrella term used for any service provider that provides virtual or physical infrastructure with resilience against any complaints or takedowns that they might have. So this becomes a breeding ground for cyber attacks, or at least the building blocks for it. So, as a matter of fact, we did see a spike in numbers based on bulletproof hosting.

Frank Cilluffo: It's been a big issue for a while. Hard one to get our arms around.

Sai Molige: It is, and as a matter of fact, I think a couple of days ago the US, UK, and Australia, I guess, have sanctioned one of the top ASNs that we have seen, because it is associated with the LockBit ransomware.

Frank Cilluffo: Boom. Let's hope those numbers go down next year.

Sai Molige: Well, one goes down, another pops up. So it's a little bit of whack-a-mole.

Frank Cilluffo: Yeah. So I'm sorry I cut you off. That was number one.

Sai Molige: That was number one. The second one we have is that attackers are spending an increased amount of time inside the network, so as to better understand the environment they are in. And the last one is that attacks on cybersecurity infrastructure are always rising. But this time we have seen a specific increase in functionality-specific protocols across the board, like Volt Typhoon, Salt Typhoon, all the typhoon season that you have here. So we are seeing that increase. So those are the three things, if I may, that are the takeaways.

Frank Cilluffo: We'll want to unpack all three of those more as well. And I'm curious about the dwell time. I do want to hear more about that. But before jumping into that, sort of looking at critical infrastructure in particular, I think you had some disconcerting findings. Which of those, are they the same three, or are they a separate group in terms of targeting critical infrastructure owner-operators?
Sai Molige: So I would say the Typhoons, for sure.

Frank Cilluffo: Yeah, yeah.

Sai Molige: The Salt Typhoon season in general is there. But apart from removing the groups itself... Yes, the grouping and naming is important for tracking a particular threat actor in terms of their capabilities, intent and all. But if we remove that, most of the intentions that we are seeing are related to tracking personnel of interest. This became very clear from targeting hotels near bases, targeting NGOs or any strategic organizations that work with governments, regardless of which government it is. And then we have seen increased interest in the kind of communication devices where security communications usually transfer and exchange. And the last one is using the information that they are getting from the intrusions they have already performed, using it either for future purposes or to find some sort of espionage activity against other targets as well.

Frank Cilluffo: Other targets, or targets in the future on the same entity.

Sai Molige: Yeah. So those are the three things. But TTP-wise, we have seen a shift there. So 2024 was notorious for SSL VPN attacks. So if you take the VPN itself, most of them are adapting and also increasingly infiltrating through SSL VPN or internet-facing devices in general. The second one is the custom backdoors and living-off-the-land techniques that they are using. And that ties back to the discovery that we had just mentioned, because if they have kind of blended into the organization, it's not difficult, but it becomes difficult for certain organizations or companies to find what is normal and what is not.

Frank Cilluffo: Absolutely.

Sai Molige: The last one, that's the blurring line, is borrowing tools between each other. We have seen threat groups who are being tracked with different names, but their tools have been similar, with implementation differences. And we have seen that borrowing between the groups too.

Frank Cilluffo: So that's actually... So you also, I think, and disagree with me if you... You're starting to see nation-states also lean more heavily on criminal actors or non-nation-state actors to do some of their bidding as well, correct?

Sai Molige: Yeah, absolutely. So in general, whenever we think of nation-states, we think of the opportunity, intent, and capabilities that they have and the information that they can use for the future. But what we are seeing is cyber criminals who have just the intent are finding opportunities and partnering with either the nation-state groups or state-sponsored groups. They don't have the capabilities yet, but they are benefiting from it, because it is beneficial for both of them. APT groups or nation-state groups, you...

Frank Cilluffo: Don't have to burn a source or a method.

Sai Molige: Yeah, they reduce one step in their kill chain, and then we have cyber criminal groups who are benefiting either financially or capability-wise, for them to do something else.

Frank Cilluffo: Which does get more complex and difficult to know who's the puppet, who's the master. Because it's got multiple layers of onion, and you cry further and further. Every time you peel it a little further, you cry a little more.

Sai Molige: So one of the couple of examples we can take is the US, in Pennsylvania, when the PLCs were defaced. That was claimed by a group I believe called Cyber Rangers or Cyber Avengers.

Frank Cilluffo: Avengers.

Sai Molige: Yeah. So they claimed to be an activist group. And then we have another group in Iran which was targeted, where the petrol stations and the rail and steel industries were impacted. There was quite a panic, and there were even, I think, export issues there. And that one was claimed by Predatory Sparrow. Both are claimed to be hacktivist groups. But again, reports show that they are backed either financially or capability-wise by nation-state groups. So understanding that capability becomes critical so that we can defend the network properly.

Frank Cilluffo: And obviously nation-states can bring more than cyber means to the fight, which is where it gets complex. I do want to talk, since you mentioned both Volt Typhoon and Salt Typhoon. Have you seen a shift in TTPs, tactics, techniques and procedures, for most people know TTPs. But have you seen a shift in the modus operandi?

Sai Molige: So like I mentioned, the majority of the shift we are seeing is on the custom malware side. But the discovery side is again the top one. It's also the top TTP in the report too, because instead of just being grab-and-smash or smash-and-grab, or doing something without knowing the capabilities, what attackers are mostly doing, especially these groups, is gleaning the information and seeing what the network infrastructure looks like, what the architecture of the network is, where sits what.

Frank Cilluffo: To be able to plot further. And if I'm not mistaken, your report did see a shift: Russian activity escalated pretty dramatically.

Sai Molige: Yeah, actually Chinese dropped, but that doesn't...

Frank Cilluffo: Mean they're not there. Yeah, if I'm not mistaken, it took precedence over Russia.

Sai Molige: Last time it was Russia, this year it was China. But you know, again, it's a cat and mouse that we are seeing.

Frank Cilluffo: Yeah, it is a cat and mouse. Let's go to OT, because I know Forescout does some really good work in the OT space, and I think it's fair to say that OT is still, I don't want to call it the stepchild, but the reality is more needs to be done in the OT environment. Especially since you've got legacy systems that have been around for so many years. What were some of your key findings on the OT side?

Sai Molige: Yeah, so as we all know, with OT, whenever attacks happen on that, it is not only data breaches, it is physical consequences, and it also has life impact. Let's say production line stops, or stoppage for gas and oil, which we have seen, and also hospitals and other things which we have seen; they have their own consequences. The one thing we are seeing here is the functionality-specific protocols being of interest to threat actors. What I mean by that, let's take building automation systems for example. In building automation systems in the past, we used to see what device has unauthenticated exposure to the internet, and then they used to exploit it, or they used to exploit generic OT-specific protocols and then perform it. But now what we are seeing is an increase in specialty or functionality-based protocols like your BACnet, your KNX, which are specific to those devices and how they communicate. We are seeing an increase there. And yeah, for example, malware specifically targeting them.
Frank Cilluffo: We recently had Rob Lee, who was sharing some of that at Dragos, and it's pretty eye-opening. Five years ago this wasn't around.

Sai Molige: Yeah, I mean, even one of the protocols that we have seen, the KNX protocol, was already being exploited in the real world, where a client of a German manufacturing engineering firm was locked out of their systems. And also pretty much every device was bricked in the environment. So it has its consequences there.

Frank Cilluffo: Yeah.

Sai Molige: And that's what we are seeing an increase in, this one specifically. Most of these are disruptions or monetary-based, but the intentions are clear on knowing the operational capabilities of these devices, so that they can do much more than just disruption or just making it a bot.

Frank Cilluffo: You know, one of the challenges is just having visibility. So whether it's supply chain issues, but not many entities are converging and merging like the adversary is converging and merging in terms of IT and OT. Do you see anyone doing that well, from your perspective? Because if I'm agnostic to what the intention is, agnostic to who the perpetrator is, agnostic to even what their capabilities are, you want to be able to have visibility across your IT and OT ecosystem. Do you know anyone who's doing that well?

Sai Molige: So, I mean, obviously Forescout, but I think what you're asking is, in the previous one too, how OT is the stepchild of IT, and I...

Frank Cilluffo: Didn't mean that, but it's got a ways to go.

Sai Molige: Yeah. So what we are seeing in this particular one is the perception change. So we need to understand each other's perception. Like OT and IT are converging; we need to converge that perception too. So three points here: understanding each other's capabilities and boundaries, understanding each other's priorities, and then sharing the knowledge amongst each other. Those are the key points. We can go to an example if you...

Frank Cilluffo: Yeah, please do. Because culturally, I mean, a lot of the OT environment, from an owner-operator perspective, came out of preventing a Three Mile Island, and I know I'm going to the extreme, but at the end of the day it's more of a safety and traditional security approach to things. It's very different. But the reality is we need both. Right?

Sai Molige: Yeah.

Frank Cilluffo: I mean, and we need visibility. If you're an owner-operator, you should have visibility across your entire everything that could potentially be a vector for attack.

Sai Molige: Yeah, absolutely. So let's take the example in your scenario. Let's say a toy manufacturer; the primary business is to sell toys. But because they have sales, it grew, and they formed their big organization with basic security controls, EDR and everything. They got hit by ransomware. They don't know how, but they got hit by ransomware. So a few months back, let's say IT has performed some kind of network segmentation in the environment because their pentester told them to perform it, and they did it, but they forgot the line between carpet and concrete. What I mean by that is the manufacturing plant and the enterprise. So they didn't do that one. And the OT personnel also rejected some of the security controls because it is interfering with their daily routine. Right now, from the priority perspective, in one of the three points I mentioned, if we are seeing the priorities of IT, you wanted to have your EDRs, you want to have your MFAs, user access for phishing, but because there was one vulnerability or an exposed device on the OT side, you don't have the visibility. Telemetry was not there from these ICS systems. So we are not understanding the priorities of each other. And once we do that, I think the perception will change and things will come into each other.

Frank Cilluffo: I hope you're right. Because if you're a general counsel, if you're the COO, if you're the CEO, again, it shouldn't... It's risk like every other risk they're facing. But they've got to look at it, and it's in totality. Yeah, but there is a public safety side that will always trump anything else when it comes to OT systems.
Sai Molige: If you ask 10 people what is important for them, 11 people will say that it is our people; our thing is important.

Frank Cilluffo: And everyone that can be impacted by that. So hopefully that does change. I'm starting to see people asking the right questions, which is a good start. But I still think more, again, just getting the visibility. And when we think of OT, it's also where IoT and IIoT and all the new OT systems are. But the reality is physical and cyber are coming together, and we tend to look at the world through our boxes and org charts. The adversary doesn't.

Sai Molige: Yeah, it's always... We need to, apart from the security controls, we always need to have visibility on what assets we have and their classifications and everything. And then we need to have a place where we can place these sensors on different locations of the network to gather that information and correlate it at a single point, so that we can have contextual information there. And then we ought to know what network we are defending, because, like I mentioned, the lines are blurring there.

Frank Cilluffo: Shared sometimes. Right. Especially with cloud.

Sai Molige: Correct. So we need to understand what is important and how the capabilities are stacking up to the network that we have, and so on and so forth. And ultimately, like I mentioned, with the strategic intelligence that is shared by either government bodies or private entities, there is a partnership there also that can increase this visibility.

Frank Cilluffo: So from a vendor-neutral sort of perspective, what are some of your thoughts in terms of how we get better risk assessments around all of these issues?

Sai Molige: Yeah, so it's hard to see or be interested in the things that have not happened in your backyard, or that you didn't know were in your backyard. Right. So that's why the imperative nature of the research shared by different entities is to provide who is out there, what threat actors are out there, what threat groups are out there, what they are doing, and how they are doing it. Are we seeing any intrusions in a particular industry? If yes, what are the capabilities? Once they have it, organizations can pick the data that they need from the bits and pieces of the reports or advisories or whatever, and only apply the necessary controls applicable to them, instead of going through the abstractions of attackers and threat actors. Where defenders can also be helpful in this particular scenario is they can see what the findings in the report are and ask, am I seeing those findings in my environment? If not, then they can gather the information that they need, like the threat actors that are targeting their industry or the TTPs that they are interested in, and create a risk profile around it. You can stack that risk against the existing security controls that we already have, and now we have a pretty good understanding of what our gaps are and what our improvements are. And that's where I think the overall intelligence sharing, or the research that has been performed, can be helpful in the risk assessment.

Frank Cilluffo: And along that vein, because I'm glad you said intelligence-led, to be able to prioritize investments. But the truth is we're dealing with a very dynamic environment. You batten down the hatches here, it pops up over there, where we're dealing with a thinking predator who in part bases their actions on our actions.

Sai Molige: Absolutely. Once we are able to defend X, they either use an old TTP against Y, or a new TTP, a new tactic, against the old target.

Frank Cilluffo: So how do you get ahead of all that? And I do think intelligence is part of that.
Sai Molige: Yeah, absolutely. That's a well-said one. So like I said, priorities. So on the OT side, we need to get production back as soon as possible and with as little intrusion as possible. And also whenever we are doing incident response, or we are performing incident response, we need to reduce the impact. So here, in order to do that, organizations must have architecture with resiliency, recovery and reliability: the three Rs.

Frank Cilluffo: I like three. I can remember.

Sai Molige: Yeah. And we need to have information on assets: what assets we have, what the identification and classification of those assets is, and how we can get contextual information on that asset. If something is performed, we need to understand what it is and where it is performing.

Frank Cilluffo: And to do that you have to understand your own system first, right?

Sai Molige: Correct.

Frank Cilluffo: And that's... Most people don't know what the norm is. So it's kind of hard to differentiate or delineate the abnormal from the normal.

Sai Molige: Yeah, that's what I was saying. On the visibility side, we need to place those sensors in order to find this information on the asset classification. And the third point is the intelligence-led one, where typically we wanted to, or we see, "patch everything" and those sorts of things, which has its own shortcomings. But in OT especially, we need to be intelligence-led. Managing, or how we manage, vulnerabilities is through intelligence-led and impact-led. So it doesn't matter if there is a default username and password; it is there. But if it's never exposed, it is inside the network, no one sees it, that is not the priority. The priority is the ones that are hanging out there.

Frank Cilluffo: Absolutely. So unless the consequence is so grave it requires a little...

Sai Molige: Correct.

Frank Cilluffo: Sweat and tears, right?

Sai Molige: Yeah. The impact is one; intelligence will show you which are the ones that are being attacked. And the impact is the one which shows what it means for me in the organization. If, let's say, there is a... Sometimes it happens, right? We cannot patch everything, or we cannot patch the things that have impact. So at that time we need to understand the mitigation controls. And I think that's how we can be ahead of the curve. Because ICS attacks, true ICS attacks, are rare, but they are there, but rare. And understanding the...

Frank Cilluffo: Industrial control system.

Sai Molige: Industrial control system, sorry. Yeah. Understanding the industrial control system and the network and the attack capabilities, we can stay ahead of the curve a bit.

Frank Cilluffo: And you mentioned in the past automated manufacturing, advanced manufacturing, is a big sort of field. In terms of the targets you saw, was there any change year over year in terms of most likely targeted?

Sai Molige: I think healthcare, financial services, government, and telecommunications are still leading.

Frank Cilluffo: It's a typhoon, really. Open your eyes on telcos.

Sai Molige: Yes, they were not there before. Like, that is the only one that's new. But if you think of the number of impacts that we have, healthcare and manufacturing are still leading on the impact side, which need not be the number of attacks. But on the impact side, for example, we identified a group, we identified a campaign back in September called Chaya 2, and it was a typical Remote Access Trojan type of thing, where users search for Google Chrome or Teams or whatever, and it downloads that Remote Access Trojan. And it quickly shifted from Remote Access Trojan to ransomware in about, I think, a month.

Frank Cilluffo: The old Willie Sutton principle. Why rob banks? That's where the money is. Right.

Sai Molige: So in about a month it started shifting, and it became Interlock ransomware. And it's the same thing for RansomHub too. One of the things that we are seeing, I think not yet at scale, but at least we are seeing it, which we have very rarely seen in the past, is a group called RansomHub. It claimed many of the attacks last year, in the top at least three. And that group uses remote management tools, like typical support tools that we use, as their main weapon. But what they did in terms of concealing their origins, instead of using the bulletproofing sites, they actually used the victims who they had already attacked, including government agencies.

Frank Cilluffo: Which is a reminder. Just because you pay doesn't mean you won't be targeted again, right?

Sai Molige: Yep. And yeah, using that to get into future victims, they're pretty much sealing there. It's not that they are sealing it, but communication is very important between organizations at this point in time. And that's when I think we can have a better impact. If CISA doesn't know what is impacted, then it becomes tough for them to provide an advisory.

Frank Cilluffo: Absolutely. And I'm glad you brought that up, because trust is the coin of the realm for the good guys, but also for the bad guys. Right. So maybe we need to be spending a little more time eroding trust and confidence between and amongst some of these cyber criminals and organizations.

Sai Molige: We have seen that. I think so, yeah. Yeah. We have seen some of the botnets being dismantled by Five Eyes and joint FBI, and we have seen... But once they think their own system, you can't trust.

Frank Cilluffo: Yeah. The den of thieves also relies on trust, right?

Sai Molige: Yeah. Yeah.

Frank Cilluffo: So hopefully we see more along those lines. Yeah. Biggest blind spots.
So where do you see those? And I know this is a loaded question.

Sai Molige: But right now I would say three. Again, people, process, technology. Right. On the technology front, unmanaged devices are your top; it depends on the functionality, your ITs, IoTs, IoMTs and stuff. Because with unmanaged devices, we don't have the visibility. And then we are also seeing a bit of the trust you mentioned between OT and IT, where not all devices are collecting the telemetry that is needed for the visibility, in a...

Frank Cilluffo: Way that it can even sync up. So sometimes they're collecting, but it's cats and dogs.

Sai Molige: Correct. So if you are seeing a particular thing in IT, and you're collecting that in a SIEM, and you're saying that we don't want to collect it on the OT side, then we have essentially a gap, and the communication between the teams, similar to how our organizations work. Teams work the same way. Sometimes it can erode, and that is the biggest visibility one too. On the process side, the incident response processes, we still see them having a process for IT, but not specific to OT, or at least making the adjustments from IT to OT.

Frank Cilluffo: And I'm glad you brought that up, because from an incident response standpoint, you also brought up your three Rs earlier. And at the end of the day, resilience is the key word in my eyes. Because we're never going to be in a position... I'm sorry, even if you had all of Forescout's technology, we're never going to be in a place where we can protect everything, everywhere, all the time, from every perpetrator and every modality of attack. But we sure as heck know that we're a target and that we need to do more and bounce, if not back, if not forward, at least bounce back quickly.

Sai Molige: Yeah, I mean, that's what we mentioned even in the beginning, right? Like if we know the capabilities of the attackers, at least from the reports or advisories, if we can stack that up against the security controls that we have, then and only then can we say something is suspicious or something is not right here. But if we don't have that visibility or trust, then every attack is abysmal. So it doesn't matter which attack it is.

Frank Cilluffo: You know, Sai, you're working on a framework, I understand, for threat hunters, which I think is maybe not through Forescout but on your own. Tell us about that. Because I do think, whether it's threat actors, everyone has their own names. At the end of the day, we need a taxonomy that's very simple. But that's me speaking, because I need simple. But at the end of the day, what does this framework look like? Before you do that, I'm sorry, give us a day in the life of a threat hunter. What does a day look like?
Sai Molige: So if I have to say that, I need to define what threat hunting is, because it is not something that we usually do. Everyone has their own definition. I'll give you a loaded one that I stand by, my principle. So it is an iterative and proactive process to uncover hidden risks and enhance resilience, with all in mind: organizational priorities and contextual insights. Each word, the reason I stand by it, is because in simple terms, if we don't understand the organizational security goals and gaps, if we don't know the environment that we are working on...

Frank Cilluffo: It's academic.

Sai Molige: At the end, it becomes very tough. And then at the same time, by knowing the risks and gaps, we can know where to concentrate in the environment, or understand the environment better. And that's when we can systematically either reduce the impact of a breach or reduce the time to detect on the discovery tactics that we have seen. And only then can we close the security gaps, even from the visibility standpoint. So that is the threat hunting side. On what the framework is about: we have multiple frameworks on different things. MITRE does a fantastic job with the ATT&CK framework, and now Threat-Informed Defense, that does a fantastic job in letting people know. We have Sigma, we have YARA, we have things. But what is missing is that communication between the environments. What is working for you? Can I make it work in my environment? I'm not talking about detections, I'm not talking about IOCs, I'm talking about the patterns that we are hunting for. So if I'm hunting for a particular pattern using a particular statistical method in my environment, and my environment is medical and I have a thousand devices, can other people with the same parameters or similar parameters utilize your methods so that they can do it in their environment? And hunting doesn't become a buzzword, but rather a communication mechanism for everyone.

Frank Cilluffo: So, not to put words in your mouth, but it's similar to a system. A systems... a system. So apples are apples, and I think that would take us a long way, and I would imagine in the threat hunting environment, whether it's government deployed. But at the end of the day you're also finding things in the wild, where we tend to look at our own world; we need to look at it through the eyes of the adversary as well. Hopefully find something in the wild before it becomes a trend and before it's even a pattern.

Sai Molige: Right, right. So the campaign that we have mentioned in healthcare, the Chaya 02, that one was...

Frank Cilluffo: At that time. That was...

Sai Molige: No. In Sanskrit it's like magic or a shadow.

Frank Cilluffo: Okay, so they were in the shadow. Did you come up with the name?

Sai Molige: Yeah.

Frank Cilluffo: Like it. Good, good. That one actually is relevant to the perpetrator, it sounds like.

Sai Molige: So they were in the shadows, because everything doesn't come up with a name. People in the industry work very hard on this one, and they don't just come up with a name right after. Right. They will have the formulated clusters, they'll check a campaign, they'll check the capabilities, and then combine them together and see what their evolution is. And that's when we can say that, at least with medium confidence, this cluster, these are its capabilities, and this is how you can defend against it. And if you want to hunt for it, same thing: this is my environment, these are the techniques, patterns I am seeing, and this is how you can hunt for it, and you can...

Frank Cilluffo: Go to a meta pattern. That's great. What questions didn't I ask that I should have?

Sai Molige: You pretty much asked everything.

Frank Cilluffo: But anything in particular for the benefit of an audience? Audience, because I mean we're meant to be educational, we're meant to shed light, not heat, and inform. Anything you think for the betterment of an emerging community to take us forward?

Sai Molige: Like I mentioned, the three Rs that we have, organizations must have...

Frank Cilluffo: Remind us of the three Rs.

Sai Molige: The recovery, resilience and reliability.

Frank Cilluffo: Recovery, resilience and reliability.

Sai Molige: Yeah, they must have. Organizations must take a look at IT defenders in terms of the technology and process. They are merging, but we need personnel on both sides of the aisle to understand our perceptions and then formulate a plan in order to better defend the organization as a whole, and the ecosystem for the environment. Not just internal, not just external.

Frank Cilluffo: Sai, thank you for spending so much time with us today. Thank you for what you do every day, and thank you for bringing a little bit of science to the art of cyber policy making and operations. So keep fighting the good fight.

Sai Molige: Thank you.

Frank Cilluffo: Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you'd like for us to host. Until next time, stay safe, stay informed and stay curious.