October 11, 2022

EP 13 – Cyber Fundamentals: Where Things Fall Apart

Even when looking at layered enterprise solutions designed to thwart attacks and contain them, we must always go back to cybersecurity basics at the individual level. That's what today's guest, Bryan Murphy, CyberArk's Senior Director of Architecture Services and Incident Response, stops by to talk about with host David Puner. Murphy also dives into the importance of cyber hygiene as an essential preventive measure for protecting identities, as part of a defense-in-depth strategy. It's a perfect fit for October, which happens to be Cybersecurity Awareness Month (CSAM). Raise your awareness and give it a listen!

[00:00:00.120] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk,
the global leader in identity security.
[00:00:18.210] – David Puner
Believe it or not, humans are trusting by nature. Google it. If you don’t believe me, you can trust at
least some of those results, which is at least in large part to blame for our reflex to, among other
practices, click on that link or scan that QR code. To be socially engineered, to be phished. And that’s
why even when looking at layered enterprise security solutions designed to thwart attacks and
contain them, we must always go back to cybersecurity basics at the individual level. Cyber hygiene
as an inherent part of identity security, as a part of a defense-in-depth strategy.
[00:01:00.500] – David Puner
At their core, the basics are about practicing distrust. Practice scrutiny. Think before you put yourself
or your organization on the brink of cyber peril. Despite attacker innovation and evolving threats,
cyber attackers often play from an album of well-worn greatest hits. Sometimes they're incorporated
into a new medley, and sometimes they inspire new material, but the refrain is the same. And if
we’re individually familiar with the first notes of those hits, we can collectively stop them before they
play through, because these are hits nobody from the trusting realm should have to endure.
[00:01:38.480] – David Puner
On today’s episode, I talk with Bryan Murphy who’s the director of architecture services at CyberArk
and the leader of our remediation services team, and he’ll talk about what that means and what he
does. Bryan’s always fun to check in with and we do so regularly for the CyberArk blog, because he
can talk about enterprise-level cybersecurity initiatives and solutions at a level that’s simple to
consume.
[00:02:02.750] – David Puner
The complex cyber topics are inherently tied to basics, and in our conversation, the first of our
October episodes, October happens to be Cybersecurity Awareness Month, he makes the connection.
If Bryan was a musician performing live, he’d continuously find ways to keep his greatest hits fresh
through evolution. Stay on to hear why.
[00:02:39.070] – David Puner
You’re the director of architecture services here at CyberArk and leader of our remediation services
team. Remediation and response teams, like the one you lead at CyberArk, are one of the first few
calls companies make after a breach. How does that work? What’s that call look like? What happens
in your world?
[00:03:00.310] – Bryan Murphy
First off, let me say thanks for having me. The call can go two ways. Number one is they could call us
before they’ve called a forensics firm. I want to be a little transparent here that we do not want to do
the forensics on these as the IR lead. We want to be, like you introduced it, one of the first few calls. What
happens is that we can help them start to contain, start to understand what credentials were used.
But normally we like to work with the forensics teams because what you find is the forensics teams
are good at what they’re good at. They’re good at discovering where they were, what accounts are
used, closing the doors the attackers were using to get in, but they’re not fully versed in identity.
[00:03:48.050] – Bryan Murphy
Those recommendations and solutions they have, they want to lean on the experts in the industry.
What we do is we bring that experience, that blueprint, the framework we have, so that as they recover
from these breaches and incidents they have, the remediation team we offer to our customers fast
tracks anything the full IR team is doing. It allows them to shift their resources to other places
because they already have a plan on how they’re going to control their identities going forward.
[00:04:20.200] – David Puner
So are you about helping to come up with the plan for the plan, or are you about being like the Harvey
Keitel character in Pulp Fiction where you’re cleaning up the mess, or is it a little bit of both or a little
bit of neither?
[00:04:33.400] – Bryan Murphy
I would say it’s a little bit of both because it depends on the attack. Of course, not every attack is the
same, but I like to say these attacks are very consistent, they have a lot of similarities to them. So as
we start to draw from all of our experience, the framework becomes a little more consistent in what
we can recommend. So now at a high level, if you're facing an incident and you call CyberArk for help,
we already have a high level template to say this is what we’re going to do, and then we can provide
that to the forensics company, we can provide that to the customer to get a baseline, and then we
tweak the baseline based on the actual events that happen. So instead of going in and having to build
from scratch, we’re building from that template or framework and we’re just making tweaks to it so
that we can control identities quickly and it doesn’t become a discussion point, it doesn’t become this
big conversation before any identities can be managed within your organization.
[00:05:31.220] – David Puner
You say "we". How big is your team and how often are you actually the one receiving that call?
[00:05:37.580] – Bryan Murphy
Our team right now is very small. It’s under five, but we have others within my architectural team that
have experience in this field and have been doing this for years as well, they’re just not fully dedicated.
From the rotation standpoint, the on call, 24 by 7 support, you can call CyberArk just to our standard
24 by 7 number for support. They have a procedure for engaging us, nothing special, that a customer
has to do or a prospect on their side. We do run the globe, we do run 24 by 7. One point I wanted to
make on the "we". For us, the "we" is the forensics team, customer or client, and CyberArk. So when I
say we make a decision, we’re not trying to come into these incidents and replace anyone’s opinion or
anyone’s decision making powers on how to do things. We really want to be there to provide the best
guidance possible.
[00:06:31.810] – David Puner
What would the first question you would ask be when you pick up that call?
[00:06:36.730] – Bryan Murphy
I would ask, where are we at now, and I would start specifically with asking, was this a domain-based
attack? Did they take over Active Directory? Because right away there's a few very prescriptive things
we would do if it's related to Active Directory. If it's not related to Active Directory, we may start at a
different phase than we would have for our standard blueprint.
[00:07:01.490] – David Puner
October when this episode releases is Cybersecurity Awareness Month. This year’s Cybersecurity
Awareness Month theme is about seeing yourself in cyber, which is all about the people part of
cybersecurity. Inspired by that theme, how did you get into the cybersecurity field and when did you
first see or envision yourself in cybersecurity? What led you here?
[00:07:24.220] – Bryan Murphy
We’re going to go in the Wayback Machine, Dave.
[00:07:27.020] – David Puner
All right, I like that. Let’s do it.
[00:07:29.100] – Bryan Murphy
Almost 17, 18 years ago. It started out at my previous job before I came to work at CyberArk. I worked
in, let’s call it IT operations, maintaining a platform doing these type of things. I was brought into a
tabletop exercise for an incident and they were practicing how they would respond if they were
compromised in any way. We went through this and I said, "Wow, this is amazing. This is great." It led
me down the career path with them to move into security and start to lead some of these and be part
of the actual incidents that happened within that organization. Once I left there and came to work for
CyberArk, I did the normal deployment, standard things that we would do, but because I already had
some experience and interest in these type of engagements, as customers would call us and say, "We
had an incident happen, how can you help?" my team knew that I was the one with experience.
[00:08:26.710] – Bryan Murphy
I got brought into each one of those or I’d be providing guidance to the larger team on what we can
do. Now you fast forward 7-10 years, let’s say that process kept growing little by little. It wasn’t a
business we wanted to have here at CyberArk. But what we realized is it’s not about what we want to
do, it’s about what do our customers need? We figured out that we were getting more and more calls
for customers saying, "Help me recover from this. Help me figure out how to do this better." And
because of that, we decided to form a team. That’s why the team is small right now, we’re not pushing
to be that forensics company. We’re pushing to really service our customers in their time of need. If
the need becomes larger, we’ll make the team larger.
[00:09:16.550] – Bryan Murphy
In a real short way, that’s how I got involved in this, it was purely out of inquiry, interest on my side and
then just the fact that I was fortunate enough to put myself in a position to work on these early on in
my career, that I was able to turn that into a full-fledged team here at CyberArk.
[00:09:37.990] – David Puner
What kind of attacks are you seeing a lot of or more of these days? We know attacks are happening
everywhere and often, but what particular kinds are you seeing now that are potentially sophisticated
or different than what we’ve seen in months or years past?
[00:09:55.260] – Bryan Murphy
I would say one of the biggest differences we’re seeing now is the MFA bypass. I’ve been saying this
for four years. Other vendors have as well. MFA everything and you’ll be secure. That was the mantra
we were living on there for a while. Now since the majority of organizations are MFAing, we’ll say
everything, the majority of their solutions, we’re now seeing the threat actors being able to bypass
MFA. They’re finding ways to do this, so now, we were looking at it from a strategy before we were
doing Zero Trust, Least Privilege, and those were the big buzzwords, we were saying MFA. Now the
attackers are finding ways around this. That becomes interesting because that’s that first line of
defense into the organization.
[00:10:47.240] – Bryan Murphy
I think the other trend I’m seeing is, back in the day, you would hear this person, John, obviously
keeping the names anonymous here, John attacked this company or this group of people did this
attack. Anymore, with the dark web and with crypto, you're starting to see organizations form and
share more information. Maybe in the past they had the skill set to bypass MFA, they couldn’t do
anything else. They’ll sell that access they have to a different group, and now that different group that
doesn’t know how to bypass MFA is already in and then they can do the next step. Our adversaries are
aligning to attack and work against us, and this is making it difficult because they don’t have to be
experienced in everything. They’re specializing in getting into our organizations. We as security
practitioners and experts need to make sure we’re doing what we can to have that defense.
[00:11:46.970] – David Puner
What does MFA bypass look like and is that similar to MFA bombing, MFA fatigue? All these things
that we’re hearing a lot about these days?
[00:11:59.090] – Bryan Murphy
It’s similar but an MFA bypass could be, let’s say, a vulnerability or a weakness in a configuration that
they found where they can truly just bypass MFA. Maybe they find a way to take the cached credential
and move it through without ever being prompted for MFA, but you also have those attacks as well.
We’ve seen recently where they’re saying MFA bypass has happened in some of the organizations, but
really, you do the MFA bombing, these type of things. It’s more about getting the user to be socially
engineered, to trick them into approving it. Humans are trusting by nature. This is shifting a little away
from security for a moment but we’re human by nature and we’re very trusting by nature. It’s very
difficult to get people to flip that mindset to say, "I shouldn't click on it. I shouldn't do this."
[00:12:49.480] – Bryan Murphy
We genuinely want to help in whatever we do. This is where the fatigue comes in, this is where the
bypass comes in that they can just click on something and accidentally let somebody else in because
they want to help make the message go away. This is where security training and everything we’re
doing is teaching them that, no, it’s okay if you get a hundred of these messages. That means that
you really need to rotate your credentials so you stop getting the messages, not clicking on it to make
it go away. This is the educational point that we have to train people on just because of the way the
human mind is built.
[00:13:24.060] – David Puner
MFA is still important, right?
[00:13:27.180] – Bryan Murphy
Absolutely, without a doubt. It still needs to be one of the number one controls we deploy, but the
mindset needs to shift from some of the messaging that’s been out there. I think we’ve all seen it in
the security industry where they'll say, "MFA blocks 99% of these type of attacks that happen." And
that number, I think, is going down a little bit because MFA does block, but it also relies on the human
user. If the human user accidentally clicks yes, we’re seeing this more and more, they push someone
through, we have to understand that we need to work on that next layer as well and have that
defensive down.
[00:14:04.270] – David Puner
Let’s say I’m on the receiving end of an MFA bombing. What should I do in that case?
[00:14:11.310] – Bryan Murphy
I can give you a personal real world example here that may be fun for the audience. I was at Black Hat
of all places. Super scary. I say super scary from the standpoint that someone could be hacking your
phone, hacking your account, we’ve all heard the horror stories. They have the wall of shame over
there of people who are giving their credentials up inside the Black Hat networks. I'm out to dinner
with my team and I receive an MFA push on my phone. I went, "Huh, that's odd. I didn't log into that
site. What's going on?" I didn't know what it was, it only happened once. I didn't get a bomb, I didn't
get multiple attempts. But right away there, I went ahead and I rotated my password.
[00:14:52.840] – Bryan Murphy
The reason I rotated the password was if somebody had my password and tried to MFA in, they would
have to then know the new password to try to MFA in again. I don’t want to leave the story there and
say this is just what I did. The root cause of this was, it was a site that I share with my wife and my
wife is trying to log in, but my device was the only MFA device. She didn’t tell me she was logging in
but this is why the prompt came to my phone. Completely legitimate prompt that came through,
because we didn’t communicate that that happened, I went ahead and immediately changed the
password just to be safe to make sure that the account wasn’t compromised.
[00:15:28.420] – David Puner
What other kinds of attack trends are you seeing these days?
[00:15:32.060] – Bryan Murphy
I think the biggest we're seeing is a shift from trying to deploy malicious code and having their
executables running on your systems to living off the land. This is not a new trend as in it just started,
but this is a trend we’re seeing gain momentum. What the attackers are doing is they’re trying to
masquerade as the identities you already have in the organization. They’re trying to masquerade as
standard users. So when you look at traffic, you threat hunt, you do these things, it becomes
increasingly difficult to figure out who’s the attacker and who’s the trusted user on your network.
[00:16:16.430] – Bryan Murphy
As they do this, what you find is they could use their own specific tools to do work. But instead, once
they’re living off the land, if you have a tool in place and they have access to it, they will go read the
guide and figure out how to use your tool, and they’ll start using your tools against you. This becomes
imperative for the defense-in-depth that we don't just look at, we're deploying security tools to secure
our environment. We need to look at, we’re deploying security tools that we need to secure as well,
because if the bad guy gets it, they’re going to use that tool against us.
[00:16:54.340] – David Puner
You mentioned defense-in-depth earlier. How does Least Privilege and Zero Trust fit into this
equation?
[00:17:01.580] – Bryan Murphy
Glad you asked that question, Dave. Zero Trust fits in because in the conversation we were just
having, we said we can’t tell who is our attacker and who is our trusted user on the network, and
they’re masquerading as each other. But if we have Zero Trust, what that means is that users are not
going to have access to anything additional once they’re in the environment. If we never trust them,
they constantly have to reauthenticate or conditionally authenticate to gain access to different
assets. This is a balancing act and I tell all of my customers, the goal is obviously Zero Trust, but Zero
Trust may not be 100% attainable on all your applications that you have. What we should do is we
should be doing Least Privilege as far as we can, and take Least Privilege as close as we can to Zero
Trust, with Zero Trust being the North Star, but understanding we may not get 100% there with all of
our applications in our environment.
[00:18:07.030] – Bryan Murphy
But if we practice this and we think of it as tightening a screw and we keep turning down the
privileges, we remove them slowly but surely, we’ll eventually get to a point where, when an account is
compromised, they bypass their MFA, they do an MFA bombing attempt, they have some way to get
on our network, they'll have very little access. It puts another control in that defense-in-depth where
they can’t get further within the organization to get to the actual data that they’re looking for. This is
where everything ties together, this is why you’re seeing Just-In-Time access. I know you didn’t ask
about that one, but Just-In-Time, Zero Trust and Least Privilege and why it’s so important for everyone
to really start looking at this holistically within their environment and where they can deploy these
controls.
[00:18:52.600] – David Puner
Yes, I think that’s an important point you brought up about the balancing act, and I know we’ve talked
a little bit about this in other places. Do you want to elaborate a little bit on that metaphor? Because I
know you like to go deep on it and I think it’s a really interesting area.
[00:19:08.940] – Bryan Murphy
Absolutely, and I’ll end it with a story of an actual incident I worked years ago on trying to do exactly
this. But yes, the problem I see is that we get excited. We like these new controls and we say, "Yes,
this is going to make our environment safer. It's going to keep our business safe. We should do this."
But what we don’t understand initially is either the technical debt that we have to work through,
technical debt being legacy configurations, certain user accounts, the way the business functions,
and not disrupting that, because security needs to make sure they enable the business still to get their
job done.
[00:19:51.190] – Bryan Murphy
This is where the balancing comes in. An example of this I can give you is I had a customer years ago
that wanted to do shared accounts. A shared account would be an administrative account instead of
being personally tied to Bryan, or personally tied to you, David, it would be a generic account, say,
server admin, server admin 1, server admin 2. They wanted to go this route and they were in the
middle of just recovering from an incident. They said, "Now's the time. We need to do this." Told them,
"Don't do it, don't do it." I said keep everything the same and slowly start turning on these permissions
and gradually move people over to these accounts.
[00:20:30.490] – Bryan Murphy
They just wanted to capitalize on it because of internal corporate reasons. They hadn’t had funding,
they weren’t able to move on. Just to help you with the justification as to why they chose to do this
right away. As they did that, what they found a year later was they ran into a singular roadblock, they
couldn’t figure out how to get a file share access or if I remember correctly, something along these
lines to the shared accounts, and it ended up stopping the whole process. What my message here is
to everyone who’s listening is that if you just make that absolute change and you move over, the
technical debt may come back to stall the North Star you’re heading towards because you don’t know
how to solve one problem or you don’t have time to invest in this part that you weren’t planning for,
and then it never takes off.
[00:21:20.650] – Bryan Murphy
Whereas if we would have done it originally where we said, "Okay, we're still using personal accounts,
personal admin accounts, let's remove who doesn't need it, let's start removing permissions from
those," we could have slowly ratcheted this back and then migrated to those shared accounts. Little
technical example, but this is where it can be a trap, where we try to make this big shift and then we
end up not benefiting from any of the security features we wanted to deploy.
[00:21:46.860] – David Puner
I wanted to get back to attacks again, briefly. Leveraging hard-coded credentials. What's been going on
with hard coded credentials and how are they being used to unlock high risk access?
[00:21:59.890] – Bryan Murphy
I’m going to start, David, by saying it’s nothing new. This is where many people who know me will
say…In the world of attacks that come, unless it’s a nation-state targeted attack, these type of things,
many organizations are hitting it where the attackers are just playing the hits. They’re playing the
greatest hits of the records they have. They’re using the same types of attacks, so when you look at
this, they know to scan the environment. They know to look for certain places where credentials will
be embedded. For example, you may have software that needs a configuration file, and that
configuration file may hold the credential to something. They’re going to know this. They’re going to
look for it or they’re going to say you’re using this piece of software, look at that software and see if it
contains this in the online documentation.
[00:22:48.420] – Bryan Murphy
This is part of that living off the land and finding what they have access to. It’s really important that
we make sure we remove those credentials from our scripts, from our applications, config files and
places where they live. It’s not just enough to encrypt them. Encrypting helps so they can’t see the
password in clear text, but it’s just an extra step. The idea here is not to minimize the extra step, the
idea here is to have so many steps in the process that our threat actor or attackers here, let’s say, give
up or can’t get any further in the environment. Not give up that they don’t get what they want, they give
up because we detect. They give up because we found they were on our network.
[00:23:37.250] – Bryan Murphy
This is really the goal. The goal is not to say don’t encrypt. The goal is not to say don’t have
credentials in your scripts. If you have it hard coded in there, that’s making the path easier for them to
retrieve the credential, this is why CyberArk recommends using our solution and our capabilities to
remove those embedded credentials because it adds a step in the process, making you more secure.
[00:24:03.270] – David Puner
They rotate the embedded credential, but do you see customers doing that?
[00:24:10.390] – Bryan Murphy
We don’t, and I’m glad you brought this up, David. You reminded me of a great point, which is
customers should take their service accounts and, forget about all the automation we can put in place
for a moment and do this. They should at least rotate their credentials once. Please don’t go in your
organization and rotate them all at the same time. We should methodically do this one by one.
[00:24:34.970] – David Puner
What happens if you do try to do it all at the same time?
[00:24:38.930] – Bryan Murphy
You may inadvertently take down applications you weren’t aware of. We’ve seen this firsthand from
customers where they’ll use CyberArk, they’ll bring in service accounts and they just say password
change. Next thing you know, there’s five, 10 P1 tickets that applications are down. A lot of times it’s
because the developer had access to a credential. They went ahead and built application A, but now
they took over application B, they needed the same access. They leveraged the same credential, but
nobody else knew that they did this, the application just worked.
[00:25:15.510] – Bryan Murphy
What I hear from all of our customers at CyberArk is, "How do I discover where my service accounts
are used at?" We have detection tools, there's tools out there to detect a lot of places it's used, but we
can only detect the places we know. It becomes very tricky when they embed it into an executable,
they put it into a script somewhere that you’re not scanning for and looking for the password field, or
they call it in a very unfamiliar way, for how the credential is embedded. If you just do that manual
rotation once, what happens is, let’s say you think it works for one application, you go to rotate the
credential for that one application, you schedule the change and you take down 10. All of a sudden
we’ve created this major P1 incident.
[00:26:02.090] – Bryan Murphy
What you can do is go back in and reset the credential back to what it was before. This goes on the
notion, you know what the credential is ahead of time. Sometimes there’s cases where you don’t, but
this helps minimize the damage because we can restore back quickly so we don’t have to touch and
find every application. Now we know that when we change this one credential, it doesn’t impact one
application, it impacts, in this example, 10. We can start to break those apart slowly through the
process, and that identification and inventory of what you have is very helpful, but it also helps from
the security side by at least rotating those service credentials once, to start to expire all the hashes
and everything that’s out there in the environment that the attackers would use to move laterally with
those accounts.
[00:26:50.340] – David Puner
Moving on back to Cybersecurity Awareness Month. Your appearance on the podcast happens to
coincide with Cybersecurity Awareness Month, as we mentioned at the top of the podcast, and that
seems apropos considering you live and breathe cyber awareness 365, 24/7, or at least it seems like
you do to us. What’s something simple you’re seeing that both cybersecurity professionals and
regular civilians might benefit from, as far as a little cyber hygiene brush up?
[00:27:19.990] – Bryan Murphy
I would say go look at your passwords. I think every one of us has a specific password that they like
to use or a combination of it in most of the things we do, and we have to set that first password or
passwords to generic sites that we go to. What I try to recommend people do is use a password
manager solution. CyberArk has workforce password management as an example. Anything that’s
out there that can help you randomize those. Because what you have to assume is that when you put
that password into a website, that website, that back end, you’re trusting will not be impacted,
compromised in any way. Once you put the password into that tool, it’s out of your control, where it
lives at, it’s on the company or the website you’re working on’s control. So as you see recent breaches
where they compromise websites and different web applications that are out there, credentials are
being exposed.
[00:28:19.600] – Bryan Murphy
What I try to do is, I don’t want to say it’s impossible, it’s something I do, but a unique password for
every single site you go to, it’s not for everyone. What I’ll say is I try to keep what I do for enjoyment,
such as looking at fantasy football, reading blog posts, those type of things, separate from what may
financially impact me. This is the line I draw between the two. I don’t use anything the same between
the two of those because they’re held to different security standards on the back end, but for me, it’s
more impactful if I lose money versus somebody is able to hack into my CNN account.
[00:29:04.770] – David Puner
What’s your advice for someone considering a role in cybersecurity?
[00:29:09.010] – Bryan Murphy
My advice to those looking for the role is start following cybersecurity groups online. Start following
the blog posts, start following the industry as to what’s happening first. That’s going to help tee up-
[00:29:25.100] – David Puner
Like the CyberArk blog, right?
[00:29:27.740] – Bryan Murphy
Yes, this blog, exactly. That’d be perfect. Start here and start to understand the trends, start to
understand the mindset. I think that the hardest thing to do is to flip the mindset that we have as
security practitioners. Once you start to do that, now you dip your toe into the certifications and
understand the concepts. I think one of the biggest challenges we have in cybersecurity is, you can’t
secure something if you don’t know how it works. You can’t say this is how you have to secure it
without understanding how Windows or Linux or the web browser is working that you’re working
within. It requires a little bit of knowledge about the underlying system that you want to secure or the
password or credential you want to secure.
[00:30:13.670] – Bryan Murphy
Then you can start to see ways to control that. You can read through the settings of the tool to see
what controls they offer. A lot of times some of them will say, this is good, this is better, this is best.
This will help you to get that mindset and to figure out how to secure things further. Then beyond that,
you want to start dipping into an IT role or position.
[00:30:38.130] – Bryan Murphy
As you start in the IT side, you want to align with the security team. Now you’ll start seeing how
internally the security team operates and functions and what controls they have, and that’s how you
can start to make that move into security. It’s not to say you can’t find a security role out the gate, you
absolutely can, but I really feel the balance is making sure you understand the tech before you go into
implementing security controls on top of the tech.
[00:31:04.120] – David Puner
Bryan, thanks so much for coming on the podcast. Appreciate it.
[00:31:07.880] – Bryan Murphy
David, thank you for having me.
[00:31:09.920] – David Puner
Appreciate it. Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If
you have a question, comment, constructive comment preferably, but you know, it’s up to you, or an
episode suggestion, please drop us an email at [email protected]. And make sure you’re
following us wherever you listen to podcasts.