Cyber Daily chats with Rapid7’s senior director of threat analytics about firmware security and the evolution of cyber espionage.
Cyber Daily: Christiaan, I know you speak a lot in front of audiences around the world, presenting all manner of scary ideas and scenarios. How do audiences respond to what you’re telling them about cyber crime and vulnerabilities? Are people aware of this kind of stuff, or do they have their collective heads in the sand?
Christiaan Beek: Well, it depends on the topic, to be fair.
If you talk about ransomware, honestly, at first, I was shocked. For my talk about a 10-year overview of ransomware, the room was completely packed! Like, full, people queuing up 30 minutes before you go into the room – so this must be interesting.
I try to answer some questions, like, why is it still successful? How did we as an industry respond? What were some of the influences on some of our day-to-day technology? I think that was definitely of interest to the audience. But I think then, we hear all the rumours about these guys using AI, machine learning, whatever … And just giving them the, I would say, the typical Dutch treatment of “Hey, what is reality here?” There’s a lot of fluff out there, so what is real here?
But I think the final part of my presentation was, what if Christiaan were a ransomware actor, and with his knowledge of ML, AI, what would he do? So I pictured a few scenarios. What about if I stitch together a few vulnerabilities and I write my code, I can put ransomware in the CPU at levels where no technology is doing it. I think that was like an eye-opener for a lot of people, which is great.
I think the angle of firmware security is really underestimated – we’re still building on a very, very weak foundation. After 25 years in this business, we still haven’t solved the basics of security, and now we’re building on top of that new technology. I don’t think that the majority of people who are using this technology really understand this, that this is a complete change of your supply chain or attack factors that can be abused.
And people were staring and gazing at me, like I was talking from a different planet. I took the audience through a few scenarios, and then I find one of them actually being abused. I’m not saying if it’s nation-state, but I was like, “Hey, this is possible. This is unique.”
We found an actor actually doing this stuff.
Cyber Daily: Not the kind of thing you want to be right about!
Christiaan Beek: Yeah. This is possible. We saw somebody weaponising this for sure, by injecting code into the machine learning model – we are at that stage already.
Cyber Daily: So, speaking of nation-state actors, that’s something I’d like to explore. What kind of evolutions are you seeing from state-backed actors?
Christiaan Beek: I think they’re still sticking to their old methods, like, it’s spear phishing. It’s old-school stuff, like spear phishing all the time. I think, of course, we have seen a lot of bulletins or reports from attacking edge devices, and that’s, I think, the shift we saw coming, but that has only ramped up the moment we see vulnerabilities being announced by the Ivantis, the Ciscos, the Palo Altos of this world in their edge devices.
They start to use it and adapt very quickly. I would also say we have APTs that are really buying their own appliances through different channels, do the reverse engineering and build their own exploits.
Cyber Daily: So what I’m hearing is that it’s not so much the speed and skill of the hackers – though that’s there, too – but rather that organisations aren’t staying on top of their patching, and, in turn, making things easier for the bad guys?
Christiaan Beek: Yeah, absolutely. And at the same time, I think if you look one step back, we definitely still face such an amount of vulnerabilities in software … It’s mind-blowing, right? More vulnerabilities are being released every year, and that’s still going up in the numbers.
That’s still a big sign on the wall. Hey guys, have you heard of secure coding?
Cyber Daily: Something I’m seeing in this space, both nation-state and criminal actors, is the ability to get around endpoint protection systems. How prevalent is that, at the moment? They have to have tools for that, right?
Christiaan Beek: Yeah, they have their own custom tools community that will be able to actually kill endpoint security tools.
It really depends on how these tools are configured, at what level of privileges they run in the endpoint system. If a threat actor, like a ransomware actor, for example, gets into the network and they are able to elevate their privileges to admin or local admin, they can do a lot, right? And it really depends on how the technology is being coded.
So I know when I worked at McAfee, our security technology really was tough to shut down because we knew this, that if threat actors know what’s going on here, they can easily shut down your endpoint security. So we really wanted to protect it, to be self-surviving in case of these types of attacks and detection. It’s architected like that.
Cyber Daily: Just to finish up, who is probably the most active nation-state out there in terms of this kind of activity? I mean, we know we’ve got China, we’ve got Russia, or Iran, North Korea. But who’s really on your radar?
Christiaan Beek: I would say multiple, right?
It really depends on their motives. If you look for financial gain, of course, North Korea is still highly active, targeting cryptocurrency – that’s definitely a big one. They’re still doing that a lot, very active. Of course, we’ve heard about this labour workforce kind of thing. So, those are the major things.
And, of course, China is also very, very active, I would say, over the last couple of months; we see a lot of clusters of activity, so we cannot attribute them to the bigger … Whatever APT or whatever the industry calls them, Pandas, all those groups, right? Don’t get me started with that one, with all those naming conventions, but we use clusters of activity. And there you see the tools, the scripts, the kind of things they use, the phishing methods. We know that it must be a Chinese-speaking actor, as we call it. So we call it Chinese-speaking cluster activity. They have definitely ramped up.
I’ve seen a lot of activity in different regions. So, I would say those are the two major hubs.
And, of course, we have the groups active around, of course, the Middle East conflicts. We have groups active around the conflict in Ukraine, and I think that’s mostly … It’s regional conflicts, right? But I think China and North Korea are still the highest active threats, but each has different motives.
Cyber Daily: Do you have any idea why China may have ramped up its activity of late?
Christiaan Beek: APTs are mostly interested in gathering intel, right? And there’s so much going on from a conflict perspective in the world that they absolutely want to be sure, or want to know, who is an ally of whom? What are the political actions of this country, and what is its point of view on certain things?
So it’s classic intelligence gathering, I would say, that is typical for a secret service in the country.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.