In this digital era where cyber threats are evolving at an unprecedented pace, it becomes crucial to stay ahead of the curve in terms of cybersecurity. In an exclusive interaction with Dataquest, Andy Thompson, Global Research Evangelist at CyberArk shed light on some of the most pressing challenges and effective strategies in the field.
Andy Thompson is a seasoned cybersecurity expert with extensive experience in threat detection and mitigation. In this discussion, he shares insights into various cybersecurity threats including biometric security vulnerabilities, intermittent encryption attacks, polymorphic malware, credential theft, deep fake videos, and social engineering techniques. Additionally, he also shared about the role of CyberArk Labs and the Red Team in enhancing cybersecurity.
DQ: What techniques or vulnerabilities are commonly exploited to bypass biometric security measures? And, how this system can be strengthened to prevent unauthorized access?
This is how it works at a high level. They started with a random image and represented it as a vector. This vector is compared to other face vectors in the image database. That comparison is fed to the image optimizer, where the magic happens. The Optimizer outputs a new optimized image vector – which is then used as a seed for the image generator to create an actual face image. This face is compared again to all images. Wash, rinse, repeat.
The outcome of that iterative process, executed multiple times on different face recognition algorithms and different optimizing algorithms, produced 9 sets of 9 faces. The best result the research produced is a set that matched more than 60% of the faces in that DB. This is remarkable! That means that with this set in hand, a threat actor has a 60% chance to bypass face recognition authentication and compromise an identity.
Now CyberArk took theoretical and made it real. By faking our webcam, we sent our image to the PC and bypassed Windows Hello. In the Windows Hello biometric bypass vulnerability Labs discovered, Microsoft made the effort to ensure only approved hardware (built-in camera) was allowed to facilitate the authentication. Relying simply on biometrics is a terrible idea. Organizations should not explicitly rely on biometrics. It’s called MULTI-factor authentication for a reason.
DQ: What scenarios might lead to intermittent encryption, and how can it be addressed?
Andy Thompson: Intermittent encryption attacks can occur under various scenarios, exactly like traditional malware and ransomware events. These types of attacks typically involve the unauthorized encryption of data at irregular intervals, which can make detection by EDR/XDR more challenging. The motivation behind these attacks often revolves around gaining unauthorized access to information or disrupting services.
The key to addressing intermittent encryption attacks begins with prevention. This involves implementing a robust security system that focuses on stopping malware from executing. Application control plays a crucial role in this regard, as it allows for the blocking of the execution of unknown or untrusted binaries. This can significantly reduce the risk of an attack by ensuring that only approved applications can run.
Additionally, we at CyberArk Labs have released a tool called WhitePhoenix that allows users affected by Intermittent Encryption the ability to recover their data. We’ve developed a website to do this automatically for you. No need to download and run the Python script.
DQ: What makes polymorphic malware particularly challenging for traditional antivirus solutions? How can security teams adapt their strategies to combat polymorphic threats?
Andy Thompson: Polymorphic malware poses a significant challenge to traditional antivirus solutions due to its ability to change its code and signature. This is a tactic designed to evade detection. Traditional antivirus solutions primarily rely on signature-based detection, where known malware signatures are matched against a database. However, polymorphic malware can change its signature every time it replicates, rendering this method ineffective.
Security teams need to prevent the execution of unknown or untrusted applications. This is exactly how organizations should protect themselves from polymorphic code. This approach, known as application whitelisting, allows only pre-approved applications to run on a system. By preventing unknown applications from executing, security teams can effectively block polymorphic malware, regardless of how many times it changes its signature.
DQ: What methods do attackers use to steal credentials directly from web browsers? And, how can users safeguard their stored passwords and sensitive data?
Andy Thompson: Attackers employ several methods to steal credentials directly from web browsers. One common method is the use of keyloggers, which are malicious programs or hardware that record keystrokes, capturing passwords as they are typed. Adversary-in-the-middle attacks are another prevalent method, where attackers intercept and alter communication between two parties without their knowledge. Attackers can also directly access sensitive credential and cookie files stored in the browser's local files. Additionally, they can exploit the browser process's memory to steal credentials and cookies. Finally, attackers can use command line arguments such as remote debugging mode to export session tokens and cookies automatically.
Despite these vulnerabilities, users can safeguard their stored passwords and sensitive data in several ways. One of the most effective methods is to use a password manager, which encrypts and stores passwords securely, reducing the reliance on the browser's local file storage. Users should also regularly clear their cookies and browsing data to limit the information available to potential attackers.
One commonly recommended control to protect session hijacking is multi-factor. This is worthless. A session is hijacked AFTER the authentication, so no matter what type of MFA is being used, I won't provide protection.
DQ: What legal challenges arise from the proliferation of deepfakes? How can individuals and organizations detect and mitigate the risks posed by deepfake videos?
Andy Thompson: The proliferation of deepfakes has brought about several legal challenges. Firstly, they can and have led to defamation and reputational damage. By creating false representations of individuals, deepfakes have harmed personal and professional reputations. Secondly, there are issues related to intellectual property infringement. Deepfakes can misuse copyrighted material, leading to legal implications. Thirdly, deepfakes can be used for fraudulent activities, such as identity theft or financial fraud. Finally, they pose national security concerns, as they can be used to spread disinformation or interfere in democratic processes.
Detection and mitigation of deepfakes require a multi-faceted approach. Digital forensic tools can be used to analyze videos and identify signs of manipulation, helping to validate their authenticity. Source validation and cross-referencing from trusted sources can also be beneficial in ensuring the validity of the content. Furthermore, end-user awareness training can help individuals recognize deepfakes and understand the signs of manipulation.
Finally, techniques such as watermarking and digital signatures can be employed to validate the authenticity of digital content. By embedding a unique identifier into the content, it becomes possible to trace its origin and verify its legitimacy. Therefore, a combination of technological solutions and awareness can help individuals and organizations detect and mitigate the risks posed by deepfake videos.
DQ: What are some classic social engineering techniques, and how can individuals recognize and resist them?
Andy Thompson: Social engineering techniques exploit human psychology to manipulate individuals into revealing sensitive information. Classic methods include false authority, where the attacker poses as a person of authority to elicit compliance; scarcity, where a sense of urgency or limited availability prompts individuals to act without proper scrutiny; establishing consistency, where the attacker builds a rapport or trust before asking for sensitive information; and consensus, where the attacker pretends that a request is standard or widely accepted.
Tactics used in social engineering attacks range from tailgating, where unauthorized individuals gain access to a secure area by following authorized personnel; baiting, which involves leaving a malware-infected device for the victim to find and use; personal appeals, where an attacker exploits an individual's willingness to help others; impersonating, where the attacker pretends to be a trusted entity; pretexting, which involves creating a fabricated scenario to obtain personal information; to phishing/smishing, which uses deceptive emails or texts to trick victims into revealing sensitive information.
Recognizing and resisting social engineering attacks requires vigilance and a healthy dose of skepticism. Individuals should be wary of unsolicited requests for sensitive information, unexpected attachments or links, and pressure to bypass security procedures.
Countermeasures against social engineering include sensitive information handling, where policies are set in place to define how sensitive information should be handled and protected; credential management solutions, which securely store and manage digital identities; multifactor authentication, which adds layer of security by requiring at least two forms of identification; access control, which limits access to information to authorized users only; and employee education and awareness, which can help individuals recognize and avoid social engineering attacks.
DQ: What role do CyberArk Labs and the Red Team play in enhancing cybersecurity?
Andy Thompson: CyberArk Labs and the Red Team play pivotal roles in enhancing cybersecurity. CyberArk Labs is dedicated to discovering vulnerabilities in systems. By doing so, they can responsibly disclose these vulnerabilities to the appropriate parties, closing security gaps. The process involves meticulous testing and probing of systems to identify potential weaknesses that could be exploited by malicious actors. Once a vulnerability is found, it is responsibly reported so that it can be addressed, thereby strengthening the overall security of the system. Furthermore, by understanding the tactics, techniques, and procedures (TTPs) of threat actors, CyberArk Labs can enhance the feature capabilities of CyberArk solutions. This in-depth understanding allows CyberArk Labs to foresee potential threats and develop new products to counter them, ensuring a proactive approach to cybersecurity.
On the other hand, the Red Team at CyberArk acts as a simulated adversary to help organizations identify gaps in their security programs. By emulating the behavior of potential attackers, the Red Team can expose vulnerabilities that might have otherwise gone unnoticed. More importantly, this adversarial simulation allows organizations to measure their ability to detect and respond to threats effectively. By identifying these areas of improvement, organizations can refine their cybersecurity strategies, leading to more robust security infrastructures. In essence, the combined efforts of CyberArk Labs and the Red Team contribute to a more secure cyber environment by identifying vulnerabilities and providing solutions to mitigate them.