Why do you need such a long and complicated password? That's a question I often get from new producers at PI Media, my podcast production company. Then, after listening to a couple of Malicious Life episodes, they too start using long and complicated passwords. But remembering and keeping track of multiple strong passwords isn't easy, and having to constantly reset your employees' forgotten passwords can be a real hassle for any business. That's where 1Password comes in. With 1Password, all you have to remember is just one strong password that protects everything. 1Password combines industry-leading security with award-winning design. That's why it's trusted by over a hundred thousand businesses and millions of users. Right now, Malicious Life listeners get a free two-week trial at 1Password.com/malicious. That's two free weeks at 1Password.com/malicious. Don't let security slow your business down. Go to 1Password.com/malicious.
Hi, and welcome to Cybereason's Malicious Life. So this is not going to be your typical Malicious Life episode. We usually prefer to tell our stories in a narrative manner, but this is going to be an interview-based episode. We've done quite a few episodes like this in the past, what we call B-Sides, usually on topics that don't quite fit the usual mold of the podcast but are still worth talking about.

The topic of this B-Side episode is supply chain lessons learned from last month's Grim Beeper attack against Hezbollah in Lebanon. For those of our listeners who were out of the loop: on the 17th and 18th of September 2024, thousands of pagers and handheld radio devices used by Hezbollah exploded simultaneously across Lebanon and Syria, killing at least forty-two terrorists and wounding more than three thousand. Now, this isn't an episode on the attack itself. That episode is still in the works, and will allow us to dig much deeper into the attack, and how the Israeli Mossad was able to pull it off, than what's possible in a single interview. This conversation will focus on what governments and organizations can learn from Grim Beeper with regard to supply chain attacks.

Because, as some of you might already know, Grim Beeper was the result of one of the most sophisticated supply chain attacks in history. Our guest is Devon Ackerman, Cybereason's Global Head of Digital Forensics and Incident Response. Devon is a former Special Agent at the FBI's Operational Technology Division and served as a Senior Certified Forensic Examiner for on-scene collections and forensic analysis. He is the author of the best-selling book "Diving in an Incident Response as a Journey", and creator of AboutDFIR.com, a website dedicated to resources for digital forensics and incident response. In my conversation with Devon, we discuss how such traumatic events impact the mindset of hacked organizations, what kind of threat actors are capable of pulling off long-term attacks like these, and the three most important steps an organization can take to minimize the chance of a supply chain attack. Enjoy the interview.

So we are here to discuss one of the most, I think, talked-about events in the history of cybersecurity, certainly one of the most intriguing events that happened in recent years, which is the Grim Beeper operation against the Hezbollah terror organization in Lebanon. Most of our listeners have probably heard about that operation, but maybe, you know, let's give them all the basic idea of what happened just a few weeks ago.
This entire operation, which the internet and governments are dubbing Operation Grim Beeper, was a multi-year-long operation, likely by the forces of Israel, for the purpose of one day being able to disable and dismember members of Hezbollah. What we know at a high level is that many years ago an operation, it looks like, was put into effect to manufacture and assemble these pagers. And that is what I think most of the audience has probably seen and read. The piece that is interesting is: why were pagers chosen? That's a piece I'd love to spend a couple of seconds talking through.

Hezbollah, over the years, really since the beginning of many of the wars or conflicts Hezbollah has been known for in the current generation, the last ten, twenty-plus years, as the conflicts have gone through the Middle East, Hezbollah and other organizations are very aware, as most modern governments are, that there are vectors, cyber vectors, that this is the current scope of the battlefield, and that they're there in cell phones, smartphones that we all carry, that we all rely upon. iPhone to Android, back in the day BlackBerry: these are targets. I can also track you. I could potentially install malware, a lot of capabilities, even down to the pictures you take and the social media footprint you leave. Hezbollah had put out information in recent years about moving away from modern technologies, and they had moved towards kind of the older-school technologies that I grew up with: pagers, right? Beepers, we called them back in the day. And you got a text message; really, it wasn't a text message, it was just a phone number to call back. If you were clever, you could send extra digits at the end. It was very basic technology.

And so organizations like Hezbollah had put out directives to move away from modern technology for internal usage. It's now coming to light that Israel did a very good operation and job in mapping that they were going to move to this older, this more antiquated technology. And they mapped the supply chain, from the order process to the manufacturing process. And it can be surmised, based on the outcome, that they cleverly and surreptitiously were able to take advantage of that supply chain process of the pager being manufactured, shipped, delivered and eventually ending up in the hands of the individuals, to do what we now know was the insertion of explosives for later military use.
Yeah. So from what we know, probably a few thousand terrorists were either killed or badly injured in that attack. So it was a pretty devastating blow for the terrorist organization. Probably we don't know yet what the impact is on Hezbollah's military capabilities, but I think we can start to assess the psychological impact of that operation on Hezbollah's operatives. What do you think is the psychological impact of that operation?

That's a great question. So let's liken that a little bit to a network intrusion, which I've worked now for nearly fifteen, twenty years. Like the company that thinks they're secure, they think they're patched. They think they have an investment in their technology, that they have a team monitoring what's going on, the information flow in and out of their environment. But one day, someone does gain unauthorized access. And the psychological impact of that is very, somewhat, what I imagine happened with Operation Grim Beeper: that a device trusted, considered low-tech, was ultimately compromised. And even beyond just the fact that it was compromised, it allowed for an attack to happen in places of assumed safety, right? Homes, offices, underground locations, as much of the open-source information and reporting coming out shows where these explosions occurred. That psychological impact on the target is very much what we see in network intrusions, where companies, victims of cybercrime, feel they're safe within their business, they feel they're safe with their email account, and someone comes along, exploits through phishing, ultimately gains access and compromises that safety net.
From your experience as somebody who has worked with such organizations that suffered an attack: what changes in an organization, in the way it operates, in the way its leaders think about security, once they suffer such an intrusion after having believed that they are safe? Does that change their mindset in a way?

My guidance, and what I've observed with victims of cybercrime, has been that nine times out of ten they never want the thing to happen again, whatever the bad experience was, whether it was costly, whether it was such a significant business interruption event that it altered the entire revenue stream. Their focus is: how do we do better? And one of the things that I've learned is that explaining how it happened is as important as explaining how to raise the defensive horizon to minimize the likelihood of it happening again. And when you take those two pieces in the conversation, and you try to articulate that to someone who's been through what can be a very emotional event, you can help form the narrative by explaining how the intrusion happened, explaining the root cause. And then what I like to do as an engagement lead is walk through the timeline. Many victims of cybercrime realize something's wrong when the proverbial boom has happened. And not to continue drawing parallels with Operation Grim Beeper, but even in investigations, in incident response, we draw a parallel: there's this moment we call "right of boom", where the ransomware happens, where the wire transfer is intercepted, where the insider steals the data. And you have this moment where we're no longer preparing for the event, we're not proactively working on defenses; we're responding to an event, the boom, right? And so, just like Operation Grim Beeper, and to your question, clients want to deal with the moment of the boom, and I try to get them and guide them through that. My team does that. And as everything calms down, we show them how that happened. So their day one was the boom, the ransom event, the moment their business stopped operating. And for us, that's probably day ten, day fifteen, day thirty, when the threat actor's timeline actually started. And so I try to show that whole timeline, and that really opens the eyes. It educates. And then we turn that into: this is how we can try to prevent this in the future.
It sounds as if these kinds of traumatic events are also opportunities for security professionals, the CISOs of organizations, to actually make use of the trauma in order to improve the security posture of an organization. Is that a true assessment?

I think it is. And that has been my observation over the years. I think any of your listeners who would be able to raise their hand and say "I've been through an event" would probably all say a very simple thing: that what we learned from the event, from the investigation, was eye-opening. And I hope most of those listeners are also able to say what I've seen, which is: we will turn what we learned from the event into a better building block, a better defense measure later. Now, sometimes these are easier said than done. And what I try to do is say, look, this is not a single solution, a catch-all, where you'll never be hacked again. The threat actor only has to be right once. And any modern business, any modern enterprise, has thousands, tens of thousands of weaknesses. They may do really well with endpoint detection and response, EDR. They may do really well with their investment in their firewalls, their perimeter security. But the threat actor only has to have one zero-day or one successful phishing email to get in, and once they're in, that intrusion path starts. And so yes, what we try to do is educate and say this isn't about just putting in a better phishing detection system; this is about an educational change, and the raising of the defenses as a roadmap, because whatever vulnerability exists today, there will be a new vulnerability tomorrow, and a year from now there will be a new technology. And so we want to show that there's a journey, there's value over time in building a roadmap. And then the most key thing is properly funding it.

Many businesses, many clients have been through victimization of their network, of their business. They sometimes think very singularly: this event happened, how do I fix this event, and then I can go back to normal. And what I try to do, what my teams try to do, is show that this is a security journey, where we use this as the baseline. Once you understand that this is a roadmap going forward, work on a true incident response plan, work on beginning to do tabletop exercises with your board, with your executive team, with your IT team. And we slowly raise the education over time and build the budget into the pieces that will make them more secure as time goes on.
And there is a great thing: every crisis is an opportunity. So even such a traumatic event can be an opportunity to improve things in the future. Have we encountered, in our modern history, attacks similar to Grim Beeper, in the way they were implemented or in their impact, or something similar to Grim Beeper?

We have. So there have been some very interesting cases over the years. And, you know, one supply chain attack in recent years was the 3CX incident.

They mentioned the 3CX attack, so here's a quick recap of that incident, which actually deserves a full Malicious Life episode someday. In March 2023, Mandiant, a cybersecurity firm, investigated an incident that affected the 3CX Desktop App. 3CX is an enterprise communications software that was compromised, so that a trojanized version of the software became available for download directly from the company's own website. Mandiant's investigation revealed that the attack involved, for the first time in cybersecurity history, a double or cascading supply chain attack. The attackers hacked a third-party software supplier, a company called Trading Technologies, which provides an app called X_Trader. X_Trader was later installed on a 3CX employee's computer, allowing the hackers to access 3CX's network, corrupt the 3CX installed application, and infect many of its customers. It was a fascinating attack which, similar to Grim Beeper, likely required extensive long-term planning. And now back to the interview.
It was a double supply chain attack. Another IR vendor believes, and kind of points the finger at, an Asia-based government potentially behind that, or a group called Lazarus, and that that group had an end goal, a likely end goal, to get into a particular organization. And they couldn't directly. So they determined who that organization did business with, business-to-business relationships. And they ultimately went with almost like a ring approach. They said: this company, who is our target, they do business with this company. And this company, they also have very good defenses. Maybe we go upstream one more layer: we want to get to company A, we're going to get there by going through company B, and I start with company C. It sounds fairly complex, but what was interesting about it, and again, you can read much of this in open source, is that the Lazarus group, and I actually write about this group in my book, but this group, over time, successfully intruded into company C. They compromised a piece of software, they impersonated relationships, and they were able to pass malicious software into company B. And they leveraged that as a trusted piece of software, an accepted piece of software, ultimately downstream to the business that is relative to company A. It likely took years for this operation to happen, very probably similar to how Operation Grim Beeper probably took many, many years. And this is one of the hallmarks: this kind of multi-year, expensive, patient operation.

This is a hallmark of what we call nation-state threat actor groups, because those groups are very focused on creating long-term gains. And those long-term gains sometimes aren't a quick win. They take years of planning and patience. And that is very similar to what we saw with 3CX and the customers of Trading Technologies and others, just like we saw with SolarWinds, another example over the years. And there are very good write-ups in open source on these. We've learned from these attacks that when you have a threat actor that is interested, with regard to a country, right? When you have a threat actor that has a focus and a goal, they will take time and patience to achieve that goal.
So it's reasonable to expect that nation-state actors, such as the Lazarus group, which is affiliated with North Korea, and we have a lot of APT groups, even the NSA has pulled off some great operations in the past, at least according to the Snowden leaks, that for a nation-state actor we can assume they think in the long term. How about non-state actors? Do they have the capacity, the capability, to pull off such an operation, of thinking years ahead to reach their goals?

A great question. So as you move to the other side of the pendulum of threat actors, and I kind of refer to this as the threat landscape, you have another large group of what I kind of consider e-crime or organized crime groups. Now, that doesn't mean that lone wolves aren't typically lumped into this, but organized crime in the sense of financial motivation. And this group, to your question around whether they are capable of sophisticated long-term operations, I would say there's probably a small percentage of organized crime groups that I have observed over the years that are. But one of the differences with organized crime is that financial piece. They're interested in the payout; it's what's funding their operation. You know, for a government, for a nation-state threat actor, they're funded very differently. It's a job for them, right? They're part of a military, they're part of an intelligence group. That's a very different focus and motivation. But with organized criminals, this is their livelihood, this is their paycheck. And to your question of whether there are groups within this spectrum that can do long-term impacts, long-term operations: I think the answer is yes. There have been organized crime groups observed over the years that almost turned to these ransomware-as-a-service models. And they use the funneling of the money through the misuse of stolen data and negotiations, the payment cycles, to fund sophisticated malware. It becomes almost a business model for that. They hack, or they pay people to hack. They steal data, they encrypt data, they receive a payment, and they funnel that money into campaigns for the development of technology. And we've seen certain threat actors who then have leveraged that to even buy exploits and fund research and development of exploits. So now suddenly a fully patched firewall: it's not a nation-state's research, in your Snowden example, researching something sophisticated. It's now an actual organized crime group, because they had money and they spent their time on exploit research. And now we have a rise in zero-days.

There's a very interesting trend that I've observed in the last ten years. Going back to 2014, I've been tracking critical vulnerabilities, or CVEs. And these vulnerabilities, the trend, if you look at the mappings of them, and there's a really good website, CVEdetails.com, that website has tracked it: every single year from 2014 to present, it has gone up, the number of vulnerabilities being identified, documented and addressed, year over year over year. I don't think it's that we're getting better at reporting them. I think it's the funding of research and development to find exploits to continue the financial payouts of organized criminality. And there are really big groups, large, fairly sophisticated groups, that absolutely are capable of, and have shown they're capable of, long-term operations.
We could probably spend a whole hour talking about how to prevent supply chain attacks. But what are, you know, your top two or maybe top three recommendations for organizations wishing to mitigate the risk from such third-party supplier attacks?

So top two or three. Oh, I like this question because, look, I have a whole list of recommendations. But there are a couple of easier, quicker wins. Now, they may not be easy to implement. They may not necessarily be the most cost-effective. But if you are looking for kind of the broader controls from a security standpoint, for resilience, for detecting what we have kind of been talking about today, detecting and putting road bumps in to identify intrusion, then here's my two or three. Endpoint detection and response technologies, or really what is becoming the standard, extended detection and response technologies, or XDR, is kind of the buzzword. Regardless of the buzzword, regardless of the technology: something that helps monitor not just your computers and servers but your ecosystem of technologies, your cloud, your virtualization, your perimeter logging. Something that allows you to singularly pull in the telemetry, the logging, the data, normalize that information, and then inspect and respond, right? So less focus on the actual sensor, less focus on who you're buying it from. Let's focus on the product, the thought, the theme of a detection and response capability for the ecosystem of the business. That's my number one recommendation from a security control standpoint. And a lot of people think of security controls as almost like the physical door key or the fob to get into the building, or are they using a password. And look, we could say multi-factor authentication as a second aspect of control. I would hope at this age multi-factor authentication is already standard with most of the listeners, but I'm going to assume credentials and multi-factor authentication can be compromised in some aspect of an intrusion path for a threat actor. So that's why I start with a detection and response capability, because if we assume we're going to be compromised, then we need to have a proper process in place to detect it, contain it, eject it and fully respond to that intrusion path. So that's my first.
My second is planning. If we want to raise the educational and security capability of our people, then we have to plan, we have to train. One of the things I learned when I was at the FBI is that you train the way that one day you're going to have to react. In law enforcement, we regularly do firearms qualifications because, God forbid, one day we have to respond to protect life, where we have to respond with deadly force, and we need to have trained. So we train. That's an aspect of law enforcement, just like the military. They don't want a tank crew touching the tank for the first time when they're in conflict. Training, you want it with the experts. It's the same thing in cybersecurity, which means it's the same thing in business. If we're going to assume that one day we're going to have an event, why don't we train? And not just three or four people in IT; the business should train. Which leads me to my second one: incident response planning and tabletop exercises. Lots of organizations offer these. I've guided and delivered tabletops for years. It's rewarding, as you get to see a client have that lightbulb moment when they realize "Who would have thought of that?" or "How are we going to deal with that?" or "You mean that's possible?" And so incident response planning and tabletop exercises give a client an opportunity to experience the possibility of an event before they need to break the glass, before they're actually in the event. So we started with endpoint detection and response. The second would be IRP and TTX: incident response planning and tabletop exercises.
And my last one, the one that I often see with the wider array of audiences, is good access controls. Many, many businesses start out with solid, robust "We're going to do this right, this is a brand-new company," and they start with really good concepts when they're small, and the one person in IT, or the one person in management, or the one person in HR, they are the holders of the keys to the kingdom. As the business grows and the organization expands, as it becomes not ten employees but ten thousand employees, I repeatedly, over and over and over again, doing investigations, observe very poorly managed access controls within the organization: groups of individuals or service accounts or users that have expanded privileges that they don't necessarily need, or software is installed that everyone has access to when really only a key group should have it, or wide open, or more open than they should be, permissions on file servers or cloud share locations. We need to move to a security principle of least access. Less access is okay. It may cause the help desk to get more requests, but that's okay. I mean, move to that type of discipline where, when someone needs it, do they honestly need it forever? They need it for a set goal, a portion of their employment, and then they move on to the next project. So let's containerize. Let's put controls in the way we access, because that's what a threat actor is going to abuse when they get in: they're going to navigate and identify how to abuse and misuse existing over-provisioned access to navigate to their end goal. So detection and response capabilities, training through incident response planning and through tabletop exercises, and access controls, where you help secure the organization by adopting good practice from the beginning: those would be my three recommendations.
Okay, so one of the reasons that the Mossad was able to attack so many Hezbollah operatives simultaneously was because every one of them was using the same pager, the same beeper. And there's always a kind of tension inside an organization between homogeneity in technology and heterogeneity in technology. For example, if everybody uses the same operating system, then everybody is vulnerable to a zero-day detected in that operating system. But if one employee uses Linux, one uses Windows, and the other a Mac, then no single zero-day could damage every employee. But it becomes very hard to manage, right? It's difficult to manage, from an IT perspective, so many different systems. But from a pure security perspective, what is better: homogeneity, or how much heterogeneity in technology?
That is a very interesting question. So I think I've got to answer it like this, from a threat actor perspective. And to your point, if the entire landscape of my victim's network is the same type of technology, then a singular exploit, to exactly your point, allows me to do the most damage. If I do have all these different technologies within the organization, I will likely be successful taking out pieces of the organization, of the network, but not the totality, or not the totality without much more time and much more of the same gamut of tooling and processes in the intrusion path. So I think what I would love to see more of is the mismatch, if you will, the mixing and matching of technology in the organization. It is rare that I see it, because of the financial aspect. So within the organizations, sometimes it is easier, acknowledged, from a management and IT perspective, like you said, when you have one or two or three technologies. It also becomes a financial budget thing. At the end of the day, that budget to invest in the next security effort, you want it to be properly balanced between that and the investment on the IT side. So ultimately, if you have disparate technology in the organization, it still comes back to similar fundamental security technologies, so that you can help detect and respond regardless of whether it's one all-encompassing technology or a smattering of technologies throughout the organization.

Devon Ackerman, thank you very, very much. A very interesting conversation.

An absolute pleasure. I look forward to talking to you in the future on another topic.