Crane Hassold is a threat researcher at Abnormal Security who specializes in discovering and analyzing malicious email campaigns targeting enterprises. He also works closely with law enforcement agencies to help bring these bad actors out into the open. Before joining Abnormal Security, Hassold was a senior investigator at the Federal Bureau of Investigation (FBI), where he worked for over eleven years. While there, he focused on identifying and tracking emerging threats such as sophisticated spearphishing attacks against government organizations.
Crane stops by to discuss BEC attacks, romance scams, “Active Defense”, his 1-on-1 with the Demonware Ransomware gang, empathy for cybercriminals and more.
TIMESTAMPS
0:03:05 – Transition from FBI Intelligence Analysis to Cybersecurity
0:05:06 – Cyber Behavioral Analysis Center: Applying Violent Crime Profiling Concepts to Cyber Threats
0:06:47 – Cyber Threat Intelligence
0:08:48 – Threat Intelligence: A Primer
0:12:02 – The Impact of Human Behavior on Cybersecurity
0:14:06 – The Human Side of Cybercrime
0:16:08 – Active Defense in the Fight Against Business Email Compromise
0:17:46 – Active Defense Against Business Email Compromise Attacks
0:21:18 – Demonware Ransomware: A Case Study
0:24:13 – Active Defense: A Conversation with a Nigerian Cybercriminal
0:25:46 – How Financial Motivation Overrides Red Flags in Cyber Attacks
0:31:53 – The Relationship Between Romance Scams and Business Email Compromise
0:34:03 – The Evolution of Social Engineering: From Nigerian Prince Scams to BEC Actor Attacks
0:38:18 – The Impact of Automation on Cyber Criminal Activity
0:40:16 – The Impact of Automation on Business Email Compromise Attacks
0:42:32 – The Impact of Ransomware on Business Email Compromise Attacks
0:44:43 – BEC Attacks Incorporating Deep Fake Audio
0:47:24 – The Impact of Third Party Impersonation Attacks on Business Email Communications
0:49:30 – The Evolution of Email-Based Attacks
0:51:25 – The Importance of Cybersecurity Awareness
SYMLINKS
Linkedin
Twitter
Abnormal Security
intelligence.abnormalsecurity.com
Cybernews: Baiting the scammers
FBI Behavioral analysis unit
What is BEC
HUSHPUPPI
DEMONWARE ENGAGEMENT
2022 Verizon DBIR
Deepfake Audio in BEC
DRINK INSTRUCTION
EPISODE SPONSOR
Center For Internet Security (CIS)
CONNECT WITH US
http://www.barcodesecurity.com
Become a Sponsor
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com
This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.
Chris: Crane Hassold is the director of Threat Intelligence at Abnormal Security, where he leads a team responsible for researching enterprise-focused phishing threats. Prior to moving to the private sector in 2015, Crane served as an analyst at the FBI for more than 11 years, spending most of his career in the Behavioral Analysis Unit, supporting national security and serial violent crime investigations. In 2012, Crane helped create the FBI’s Cyber Behavioral Analysis Unit, which combines the traditional behavioral concepts used for decades in the violent crime world with technical expertise to gain a holistic understanding of cyber adversarial TTPs. Crane, thanks for stopping by Barcode. I’m also joined by Dr. Matt Canham.
Chris: Crane, if you wouldn’t mind, talk to us a little bit about your background and how you transitioned from being an intelligence analyst with the FBI’s Behavioral Analysis, working on violent offenders, to becoming the director of threat intelligence for Abnormal.
Crane: Yeah, sure. My background in the cyber realm, I think a lot of people think of cyber threats as these technically sophisticated things, but my background is actually in psychology and behavioral analysis. That’s what I studied in college.
Crane: And then after I graduated, I moved over to the FBI, where I primarily was doing intelligence analysis. I started out in financial crimes and then moved down to the Behavioral Analysis Unit, where they do all the fun behavioral analysis stuff, the classical serial killer profiling and things like that.
Crane: Which was really in my wheelhouse. And what was interesting is during my first few years, I started leading a team that was working on a database that was meant to compare and link serial violent crimes across state lines. And there was this big migration to move the database from this old-school client-server system to a web-based database.
Crane: And as I was doing that, I got familiar with understanding how databases work, understanding what some of the contractors and the builders that were building the back end of this database were doing. And that was really my initial foray into quote-unquote cyber, which is not too cyber, but it has to do with computers.
Crane: And so that was really where things got started, but one of the things that I helped do a few years later was build out the FBI’s Cyber Behavioral Analysis Center, which really takes all those concepts that have been used for decades in the violent crime profiling world and applies them to cyber threats and cyber threat actors, to really look at these threats from a very different perspective, from a more behavioral perspective, from a more human perspective.
Crane: And what was great about the way that we built that team is we built it very holistically. So there were three of us in the, the core when we first started it. And each one of us really had our own subject matter expertise and background. So mine was intelligence analysis and open source analysis.
Crane: We had one of the agents who’s probably one of the best malware agents in the entire bureau. So he came with the technical background. And then we had another agent who I always joke could barely work a computer, and I think he would probably say the same thing.
Crane: But he had decades of experience in the behavioral analysis realm. And so each of us came together to build out the team. And it was really as we were building out that team that I got the on-the-go training of understanding the cyber threat landscape, understanding how various types of cyber threats work. And as we were building out our capabilities, it was all about an on-the-go type of learning experience, which honestly helps.
Crane: I really preferred doing things and learning about things hands-on, and that’s really what we were able to do. And I left the FBI back in 2015 and moved out to the private sector and helped build out a first sort of private sector cyber threat intelligence team, primarily focused on credential phishing, understanding how those types of attacks work.
Crane: I was at that company, called PhishLabs, for about three years. I then moved to another company called Agari, where I pretty much did something very similar, focused on building out a threat intelligence team from the ground up. This time it was mainly focused on enterprise-focused phishing threats and BEC attacks.
Crane: And then a few years later I moved over to where I am now at Abnormal, where I am, for the third time, building a threat intel team from the ground up. It’s something I really like doing. I love building things. It’s so gratifying to be able to build something that wasn’t there before and have this sense of accomplishment when you’re able to make an impact, not just within the company you’re working for, but also on a higher level as we work with external third parties, law enforcement and things like that, to try to impact the threats that we’re researching on a day-to-day basis.
Matt: That’s really interesting. I’m curious about threat intelligence, and you’ve built, you’re on three teams now. So I’m gonna assume that you probably know a little bit about threat intelligence at this point. Can you explain what threat intelligence is and maybe give the sales pitch for why a company might need threat intelligence?
Crane: Yeah, so the whole purpose of threat intelligence is better understanding not only threats that an organization may be facing, but also understanding which threats I should invest time and money in, prioritizing them over other threats. So depending on what company you work for or what industry you’re in, BEC may be the biggest threat that I wanna focus on because it could cause so much direct financial loss, right?
Crane: It’s sort of, money is going straight out the door. Whereas there are other organizations, like healthcare is a great one, where at the top of your food chain of priorities and risks, ransomware might be on there, because as an organization, I need to have constant access to my data, to patient data, 24/7, and if I lose access to that data, it’s going to be debilitating for my organization.
Crane: And then you might be in something like aerospace, or maybe a defense contractor, where the primary risk is probably not cybercrime. It’s probably a national security risk, where you’re trying to make sure that you’re securing your intellectual property. And so threat intelligence is all about understanding your risk posture as an organization, and then, once you’ve understood what you’re prioritizing, digging into those threats to better understand not only how they work today, but how they’re evolving and what tomorrow’s threats might look like that I need to start getting ahead of.
Matt: When you talk about threat intelligence, let me ask, because you previously had talked about the human side, is there a differentiator there between technical threat intelligence and what you might term human threat intelligence, like looking at the actors themselves?
Crane: Yeah, so I think when you’re talking about threat intelligence, right, when you’re talking about more technical threat intelligence, it’s gonna be more tactical in nature, right? So it’s gonna be about digging into a specific thing. In this case, a lot of the malware analysis you see out there is very tactical in nature.
Crane: It’s about breaking down a piece of malware, understanding how it works, understanding how it’s going to be exploiting a system, and it’s very compartmentalized. Whereas when you’re talking about human threat intelligence, or understanding the actors behind certain types of attacks, then you’re moving into more strategic threat intelligence, understanding the bigger picture, understanding what’s motivating an actor to potentially go after your organization or some other organization.
Crane: And so the human side of threat intelligence is very different, but the biggest component of understanding behavior, understanding people, and how they fit into various cyber threats is really looking at the attacks from a very different perspective. And it’s about understanding that, regardless of the type of cyber threat you may be looking at, the very first thing that an attacker has to do, in almost all circumstances, is exploit human behavior.
Crane: So even if it’s malware, a malicious attachment, a malicious payload, you need to get someone to click on that payload, to open up that attachment, to bypass existing defenses, and then it exploits it technically. So at the end of the day, almost every cyber threat is still based in exploiting human behavior.
Chris: Let me ask you this, since your expertise in human and behavioral analysis runs so deep, do you find it difficult to dis. The business side from the personal side, or is there only one side, whereas the understanding of an individual’s way of thinking is a continuous research study for you?
Crane: It’s interesting. I don’t really, especially because prior to the cyber stuff, I was in the violent crime world, and living in that world for a number of years, you get really good at compartmentalizing things. I’ve never had a problem separating the personal world and the work world when it comes to everything.
Crane: What I think has been, I don’t think challenging, but probably eye-opening is, especially given the work that my team at Abnormal does looking at business email compromise attacks and the other types of scams that are associated with those, we’ve gotten to know much more about the actors behind those scams, and it’s been really eye-opening to better understand their motivations.
Crane: So a lot of these actors are coming from places like West Africa, Nigeria, and understanding why they do what they do, for the most part, it’s really how they make a living. It’s how they survive. And it puts a human face on what seems to be just a massively impactful financial attack.
Crane: It contextualizes it in a way that makes you think twice about how bad of a threat this really is, right? Because you have people who need to make money. They can’t make money in any other illegitimate way because of the economy, because of their... and it makes you think, it gives you that empathy for some of these cyber criminals, which is something that I don’t think a lot of people think about, especially in the cyber world, because of its nature. There is no person in front of you committing a crime.
Crane: It is all somewhat invisible. You could have an attacker that’s on the other side of the world. You know nothing about that attacker. You know nothing about that person’s background or motivations or what they’re doing in their life. All you know is what you’re seeing from the actual attack.
Crane: And when you are able to understand the human side of it, it’s just really interesting, and it provides a different context that you don’t really see on a day-to-day basis.
Matt: I’m gonna confess, I was at your DemonWare presentation at DEF CON, and it was phenomenal, by the way, and it segues from what you were just talking about.
Matt: And I’m curious, can you walk us through that? But before you actually tell the story itself, I’m really curious to know a little bit more about the motivation behind how you set that up. And what I’m referring to specifically is this idea of sock puppet accounts, or active defense, that you used to start that engagement.
Matt: So let, if you don’t mind, start there and then we’ll get into the story itself.
Crane: Yeah, absolutely. So active defense is something that my teams have done for about the past four years, primarily because the threats that we’re focused on are things like business email compromise.
Crane: BEC is really unique in the cyber threat landscape because, in order for it to be successful, it generally requires an actual back-and-forth communication between the attacker and the victim. And because of that, it allows us an opportunity to really get in the middle of that attack and collect some really unique intelligence that helps us better understand how these attacks unfold and what happens after the attacks.
Crane: And so one of the things that my team does is we’ve built an entire ecosystem based on hundreds of different personas that we’ve built, so that essentially whenever we see a BEC attack in our collection, we will actually make one of these personas look like they were the target of one of the BEC attacks.
Crane: And we initiate that engagement. And the whole purpose of that is to better understand what happens after one of these attacks is successful. So many times in cyber threat intelligence, what we rely on is really what the attackers give us, and that’s usually the initial email. And so active defense allows us to go a step further and have that engagement, have that conversation with an attacker, to understand what they are actually asking for.
Crane: What would the potential impact of this attack have been? Understanding how they’re going to adapt to certain obstacles we throw in their way. If we say that, no, we can’t make a payment to this account, what are they gonna do next? We also are able to get some good high-level attribution by embedding beacons in these messages that allow us to understand where the attackers are coming from. So it gives us a much more holistic understanding of things like BEC threats because we’re doing this back-and-forth engagement. And so active defense, the definition that I use is: engaging with an attack or an attacker for the purposes of better understanding that threat and using that intelligence so we can better prepare and defend against those threats.
Crane: And so active defense is really this unique way that we do it. And because we’ve also scaled it out on our team, we’ve automated about 75% of the entire process. We’re able to do tens of thousands of these engagements. That really gives us a good representative understanding of what’s actually happening in the global BEC threat.
Matt: Oh, that’s excellent. It’s interesting that Chris and I interviewed Brett Johnson, who’s a convicted cybercriminal. And one of the things that he talks about, when he was scamming victims online, is that he would anticipate sort of the barbs or the pushback that they might have if they became suspicious.
Matt: And he would get out ahead of that by putting the onus on the victim: how can I trust you? How do I know you’re not scamming me here? And it’s interesting that you’re using similar tactics, essentially, on the criminals themselves by anticipating how they’re going to respond to these things and being one step ahead.
Matt: It’s almost like this Red Queen arms race between the two sides. That being said, can you tell us about the engagement that you had with DemonWare?
Crane: Yeah. So this was last year. Most of the time when we’re doing active defense engagements, it is with BEC actors.
Crane: But last year we actually came across an attack where you had an actor that, instead of requesting a payment or impersonating a CEO requesting an outgoing wire transfer, was essentially emailing employees and soliciting them to try to install DemonWare ransomware on a corporate server.
Crane: And as part of that, they said that if you help me, I’ll give you 40% of the proceeds. And so in this email, the attacker provided a Telegram account and an email account to contact back if any employees were interested. And so this gave us a great opportunity to employ some active defense tactics to better understand this attacker.
Crane: Understand how this would’ve unfolded if it were successful. And so I created a persona Telegram account and actually messaged the attacker, and within 30 minutes he got back to me, essentially repeating what he said in the email. And that led to an extended conversation back and forth on Telegram, where I was able to learn things like where they got their targeting information from, which he said all came from LinkedIn, which is not out of the ordinary.
Crane: It’s something we see very commonly, especially in BEC attacks, where the same legitimate commercial services that sales and marketing teams use to identify sales prospects are the same services that a lot of these BEC actors are using to identify potential targets.
Crane: So I was able to get things like understanding where they got targeting information from, understanding that the amount that they were asking for is extremely flexible. Based on the amount that he referred to in the initial email, you could calculate it.
Crane: It was gonna be about a two-and-a-half-million-dollar ransom he was gonna be asking for. But over the course of my conversation with him, it was essentially moving down and down, and it eventually got to $120,000 pretty quickly. And so it really shows you that they are relatively flexible in the amount of money that they’re making.
Crane: A lot of this, because it is so significantly financially motivated, they’re just looking to make as much money as possible, as quickly as possible. And regardless of whether it’s 120,000 or two and a half million, or any amount in between, it would’ve been absolutely life-changing for this guy.
Crane: Understanding the flexibility in the amount that he’s asking for, understanding where the code actually came from for this malware, and also seeing what his response would be. So before the actual engagement, I was able to get a copy of DemonWare, understanding where it’s coming from.
Crane: DemonWare is actually open-source ransomware that’s available on GitHub. And what’s interesting is, when I ended up asking him during the engagement, where did you get this? Did you make this from scratch? He said, oh yeah, I coded it myself in Python. And what’s interesting is these are the types of questions where we already know the answer, that we will ask them just to see what they’ll say.
Crane: So we already knew that this was open-source malware, but based on his response, it’s obvious that he was trying to make himself look more technically sophisticated than he actually is. And so there were a number of different things that we were able to get out of that. And then the best part about this is, near the tail end of the initial engagement with this guy, essentially as a quote-unquote employee that’s trying to help out and is a little bit nervous about helping out with this possible ransomware.
Crane: One of the things that I said to him was, I’m a little scared here, how do I know that you’re not gonna screw me over and report me to the authorities? And his response was, you don’t need to worry about that. Look, I’m just a guy. I’m trying to build out my own social networking company.
Crane: Here’s my LinkedIn profile. And it actually was a link to his actual LinkedIn profile. He was based out of Nigeria, had his actual name on it. And the weird thing about that is it makes you think that sometimes attribution is really easy. All you need to do is just ask them who they are, and sometimes they’ll just tell you.
Crane: It’s surprising, but, so at the end of the day, at the end of this engagement that lasted a couple of... we got a much more robust understanding of how a threat like this, how an attack like this, would’ve unfolded. We understood much more about his motivation, and obviously we understood who he is, where he’s coming from.
Crane: And that’s really at the core of active defense: to help us better understand the full cycle of a threat and not just the initial email.
Matt: I’m curious what you took from that engagement, both in terms of professional knowledge, or I should say threat intelligence, and then also on the personal side. You mentioned that this is how people basically make their livings and that they are disadvantaged economically pretty severely.
Crane: Yeah, absolutely. So from an overall, just a pure threat intelligence perspective, it’s super helpful for us to understand, overall, what they’re asking for and how this deployment would’ve worked, right? So that’s like pure tactical defense. But then from a strategic perspective, it helps us understand where the gaps are externally that might be a threat to us.
Crane: Obviously, when we’re talking about impersonation attacks, an attacker needs to get the basic information about certain identities, whether it’s targeted employees or executives, that they’re gonna be impersonating. And so what’s helpful about this, and this has been reiterated over and over again in previous engagements that I’ve done, is that these external data brokers, or even things like LinkedIn, are essentially the primary source of where a lot of these guys are getting their targeting activity.
Crane: So from a strategic perspective, making sure to advise executives or high-value targets at organizations that they are not exposing information, as much as possible, out there on the internet, because that’s what these guys are gonna take advantage of.
Crane: And then from a human perspective, from an understanding-the-attacker-and-the-adversary perspective, understanding what their motivation is, right? So when we talk about this guy’s motivation, or pretty much any other financially motivated actor, it is so heavily driven by making money.
Crane: In this case it’s a way to just go on with life, to provide for themselves and their family. There are certainly actors out there in the BEC world, Hushpuppi is like the best recent example, where it’s more of a lifestyle thing. They wanna make a ton of money and be flashing it on social media and things like that. Honestly, a majority of the BEC attacks and the actors that are behind BEC attacks that I see are pretty much in the other camp, simply doing it essentially as a job. But understanding the fact that these are so heavily financially motivated, there are two things behind that.
Crane: One is consequences are only relative to the benefits, right? So if I have to do this to make money to survive, then it’s not really gonna matter if US law enforcement may try to arrest me, because quite frankly, there are so many of these actors out there that their actual exposure and potential risk of law enforcement intervention is relatively low compared to an actor that may be here in the States, for example.
Crane: So number one, you have the takeaway of understanding how motivation drives consequences, and then what can we actually do about these attacks? The other side of it is really the reason why active defense works: because these attacks are so heavily financially motivated, in the same way that they try to get their victims to ignore potential red flags that are usually gonna pop up in some sort of scam or cyber attack, their financial motivation is also overriding any red flags that may come up in an active defense engagement. As I mentioned, the personas that we’re using to communicate with them are not who they actually emailed to begin with. So we’re sending them an email from an email account that they’ve never seen before.
Crane: And based on our experience, very few of these guys actually compare who they receive emails from to who they actually sent emails to. But even if they did some checking, when we have these engagements that sometimes last a month, right, and we are collecting dozens of mule accounts from these guys that are never getting paid because we have excuses about why our transactions aren’t going through, as long as there is a sliver of hope that they’re gonna make something out of it, they’re gonna go on and they’re gonna stick with this engagement. And those are some pretty significant red flags that someone has to completely ignore in order to continue with these engagements. And that really shows you how solid the financial motivation is for a lot of these guys.
Chris: Does the criminal’s motivation affect your level of empathy and has empathy ever helped or hurt your analysis process?
Crane: No, not really. So we can stay pretty much level-headed on sort of decoupling the people behind these attacks and the attacks themselves. Like most cyber threats, it’s a cat-and-mouse game.
Crane: It’s always gonna be about defense and making sure, more important than anything else, that we’re protecting our customers, right? And making sure that our customers are protected against the attacks that we’re stopping for them, but also understanding how these attacks are evolving through our active defense intelligence collection to help protect them against future attacks, right?
Crane: And while you have a certain level of empathy for some of these guys, you do have the other side of these scams. And so that really removes some of that empathy from the equation. And the greatest example of this is romance scams. Romance scams and business email compromise are very closely linked, because most of the mule accounts that are used to receive funds from BEC attacks are usually gonna be victims of other types of scams, which are primarily romance scam victims.
Crane: And so I’ve also done a lot of research and a lot of engagements with romance scammers as well. And when you look at those scammers and what they do to their victims, your empathy will go out the window, because not only do they steal all of the money that a romance victim has, they steal all of the money that they could have through loans.
Crane: And then once they’ve essentially dried up that well from a financial perspective, they then convert those romance victims into mules and continue to use them in other ways. And these victims are sometimes victimized for years, and it is so psychologically traumatic for some of these victims that you’ve seen suicides, attempted suicides.
Crane: And when you see that, understanding how the same scammers that are running what look to be very basic BEC attacks are also running these romance scams, it really provides that additional layer of perspective where you’re like, okay, I’m not that empathetic towards you, understanding how the sausage is made, understanding what else you are doing behind the scenes that is so debilitating and so damaging to a lot of other victims out there, individual victims.
Matt: So I’m so happy that you brought up romance scams, because this is something I’ve also looked into a bit, and I’m curious if you can talk a little bit about some of the psychological tactics that these threat actors are using, and I’ll just give a quick example.
Matt: I also have worked on a lot of gift card scams, and going through the transcript of the back and forth between the criminal and the victim, it amazed me the level of, I wanna say, sophistication in how they knew how to push certain buttons to get the victim to move in certain ways at certain times when they needed to be.
Matt: And I’m curious what you’ve seen on the BEC side. Have you seen this kind of back and forth pushback and what are your thoughts on their expertise as psychologists?
Crane: So one of the things about today’s BEC actors is they essentially come from the same group of individuals, for the most part, that were behind the old Nigerian print scams 30 years ago.
Crane: And funnily enough, Nigerian print scams are the scams, I think, you could show most people out there and they’d be like, what is this? Who would fall for this? Those scams are still around today because the ROI is still there; they’re still making some money. The success rate is clearly not high.
Crane: But if I’m sending out thousands of emails and I get one hit that nets me a couple thousand dollars, that’s pretty easy to do, and the ROI is still there. And so one of the things you gotta keep in mind is, the reason BEC actors flipped the switch over to BEC, which was around 2015, 2016, is for 20, 25 years prior to that, they had gotten really good at social engineering individuals.
Crane: And when you think about what happened around 2015, 2016, there was this big evolution within the overall cyber threat landscape that shifted away from individuals and toward enterprises and businesses. We saw the exact same thing happen in ransomware, where in late 2016 some of the bigger ransomware groups, Locky was sort of the most prominent one back then, pivoted over to enterprises, primarily hospitals and healthcare centers.
Crane: And we saw the exact same thing happen in social engineering, where you had these West African, Nigerian actors that had been focused on romance scams, unemployment scams and things like that who sort of saw the same thing and said, let’s use these exact same tactics to target institutions and businesses.
Crane: And so we’re now in essentially the second generation of social engineers in Nigeria that are running these scams as a way to make a living. And there’s a very broad sort of underground communication system where these actors are sharing information with each other, understanding what tactics are working, what tactics aren’t working.
Crane: They call them updates. And so what updates are hitting now that are being successful? The most recent big one was right around the time when COVID hit, with the CARES Act. When that was passed, we saw a lot of these guys pivot over to unemployment fraud, cuz that was the big update that was netting them literally billions of dollars at the time.
Crane: And so social engineering is what they’ve grown up with. What’s really interesting, when you look at social engineering, when you look at phish, when you look at any type of cyber threat and what’s being exploited, it’s the same thing every single time, right? It’s exploiting a human being’s inherent desire to trust what they see, right?
Crane: Exploiting anxiety, exploiting fear. These are like the telltale signs of nearly every phish attack that’s out there. And what’s really interesting, it’s the exact same thing that has been used to con people, human beings, for literally thousands of years. As long as human beings have been on this planet, and as long as we’ve been communicating with each other, we’ve been socially engineering each other.
Crane: The only difference is now we’re doing it through a computer or over email instead of doing it face to face or over the phone or through the mail or something like that. But the same concepts that are used in BEC attacks today are the exact same that have been used in romance scams and 419 scams, the same concepts that are used in credential phishing attacks,
Crane: the same concepts that have been used for Ponzi scams a hundred years ago. So that’s really, when we talk about these actors’ ability to understand how to exploit human behavior and what buttons to push, it’s because they’ve had literally decades of experience, and there’s a really robust ecosystem of information sharing among the community.
Chris: How does automation come into effect when you’re talking about cyber criminals either performing recon or actually carrying out an attack? Is there tooling involved, or, through your investigations, have you been able to determine how an attack like BEC is executed?
Crane: You know what’s really interesting about this, and we’ve had this discussion on my team for a number of years, is the scale of BEC would make you think that there is likely some component of automation behind the scenes.
Crane: However, based on what we’ve seen directly and indirectly, having conversations with some of these guys overtly and covertly, almost all of this activity, regardless of whether it’s the recon to identify and then process and validate sort of their targeting leads, to the actual attacks themselves,
Crane: when they may be sending out hundreds of emails at a time, that is almost always done manually. So you have someone who’s there at a computer sending individual emails to various employees, working off of a list, changing the display name manually over and over again. And it’s always been so surprising to us that that’s the case, because I think most people who have
Crane: an entry level understanding of just basic scripting could probably automate a lot of this activity. But for some reason they don’t, and I don’t think it’s because a lot of these actors don’t have the technical sophistication. A lot of these guys are actually graduates of good universities with really good degrees.
Crane: Sometimes they’re technical degrees, in places like Nigeria. For some reason they just don’t automate it, and I don’t really have the answer to why that is. We just know, just based on everything that we’ve seen, there is very little automation behind the scenes in a lot of today’s BEC. That’s interesting.
Matt: Have you looked at GPT-3 or some of these other natural language generators that are becoming available?
Crane: We have not, no. And really, I don’t think a lot of these other guys have looked at them either. When you look at the complexity of most BEC attacks, they keep it as simple as humanly possible to maximize their profits. They share templates with each other, what they call formats, where they’re sharing these templates that are essentially the first, second, third communications back and forth between the attacker and the target. And that’s about as complex as they get.
Crane: You could really tell, as you draw some of these engagements out, where those templates end, because you can see the structure of their communication really starts changing as they have to actually improvise on the fly. I don’t think that, at least today’s BEC actors, would ever get into the game of using
Crane: natural language processing or trying to use machine learning to craft super sophisticated emails, because quite frankly they don’t really need to. Now, that being said, we do see some new players, I think, entering the BEC space, actors that are coming from places like Russia and Israel that are much more sophisticated.
Crane: They’re still entrenched in the more pure social engineering aspect of it. I think there’s certainly gonna come a time where you have actors that may be involved in things like ransomware that might pivot over to the BEC space here in the next 12 to 18 months,
Crane: primarily because ransomware’s gotten so much attention over the past year or so, and because cryptocurrency drives so much of that activity, not because of its value, but because it allows for relatively frictionless transactions of large amounts to go back and forth. And because there’s been so much attention paid to ransomware, you have countries all over the world that are proposing dozens of various cryptocurrency regulations, which is gonna insert more friction into those transactions.
Crane: And I think the more friction you insert there, the less of an ROI ransomware will actually be. And it’s all based on the financials of it. So, in my opinion, I think we’re gonna start seeing some actors that have been in the ransomware space pivot over to BEC, where they’re essentially adapting their malware to, instead of looking for initial network access, look for email access, and then you have scaled, essentially, vendor email compromise attacks, which are the most impactful and lucrative form of BEC today.
Matt: When you look at the stats from the Verizon DBIR and IC3, it’s BEC and ransomware, like, neck and neck in terms of the top revenue producers for criminals, it seems. A question I get a lot is about deep fakes. Do you have any sense on if this is one of those technologies that might be incorporated in the near future?
Crane: So we have seen instances where deep fake audio has been used in BEC attacks, essentially as a way to pivot off of email onto the phone and validate the voice of an executive. We’ve seen a few examples of that. It is nowhere near widespread or used very frequently. Obviously when it happens it gets attention, because it’s really interesting, but it’s not something that’s being used at scale, because again, this goes back to thinking of cybercrime, thinking of BEC, as a business, and in order for them to pull something like that off, you have to be able to
Crane: prove that the ROI is there, right? So if I can just send somebody an email, ask ’em to send me money, and they send me $10,000, that’s really easy. But if I have to send someone an email, ask them to pivot over to the phone, make sure I’m getting a voice print of the actual executive, so I have to go out and do that work and find the audio of an executive
Crane: I’m gonna be impersonating, that I’m gonna be using deep fake audio against, there’s a lot of work that goes into those types of attacks. And so unless the ROI is there, you’re not gonna see that to any certain degree. And I still think we probably will continue to see it here and there in the future, but I don’t think it’s gonna be something that is going to be super widespread anytime soon.
Chris: How cognizant are the attackers of the defense mechanisms that organizations here are implementing, or even software solutions that are being developed currently to prevent or slow down an attack? Do you feel like they have intel into that that shifts their approach as they develop their attack method? Or do you feel like they are just taking a shot in the dark?
Crane: I don’t think they’re taking a shot in the dark. They definitely pay attention to tactics that are working and what are not working. We see actors all the time testing new things, really just to see if they’ll stick, to see if they’ll work, really obscure things that you never would’ve thought of.
Crane: We’ll see here and there things that never really become anything. But we’ll see them test things out, and it’s also very similar to the evolution we’ve recently seen in the BEC threat landscape. So there’s this big sort of shift that’s happened over the past year where you have actors that, since BEC’s inception, have impersonated internal executives, employees and things like that.
Crane: And we’ve seen this interesting shift where third party impersonations have become essentially the most common form of BEC, whether it’s through vendor email compromise attacks or even blind third party impersonation attacks, where an attacker is just impersonating a random third party, sometimes like a law firm or a debt collector.
Crane: While BEC attacks are still getting through existing sort of traditional email defenses, it’s pretty clear that there’s been an acknowledgement, and some attackers have taken note, that some of the training that we’ve done to teach people to look out for these executive impersonation attacks may be working to the point where they’re not as successful.
Crane: So now they’re moving to these third party impersonation attacks. The other great example of them sort of understanding and trying new things is one of the other bigger threats that I think we’ll start seeing here in the near future, that we’ve started to see more recently
Crane: in cases like with Twilio and with Uber, where you have attackers that are using non-email attack vectors to compromise accounts and then pivoting those compromised accounts back into email compromise and other cloud applications, because, whether it’s SMS or whether it’s WhatsApp or whether it’s some other messaging app, the ability to detect inbound attacks to those forms of communication is not nearly as mature as all of the defenses we have on email.
Crane: And also, now that we are seeing more and more legitimate business constantly go back and forth in things like SMS and WhatsApp, it’s not outta the ordinary for an employee to get one of these messages on their personal device. And then the defenses on something like a mobile device
Crane: to detect phishing pages aren’t there like they are on corporate laptops. And so that’s the next evolution that we’ve seen some attackers start employing, that I think all comes from the recognition that they’ve seen that email-based attacks are, they’re still obviously successful, very successful, as we’ve seen, as Matt mentioned, with the DBIR and through the FBI IC3.
Crane: We can see how many billions and billions of dollars are being lost through email-based attacks. But as those defenses mature, the attackers are always going to be pivoting in another direction to try to increase their profits, increase their success rates, and always stay one step ahead of defenders.
Crane: Because that’s what the name of the game has been for decades at this point. It’s always been this cat and mouse game: they make a change, we then patch that up, and then they adapt, and it’s always back and forth.
Chris: The endless arms race.
Chris: So you mentioned pivoting, and since we’re running up on time here, I want to pivot this conversation just slightly. Are you able to share with us what region of the world you’re located in?
Crane: Yeah, so I’m down in South Carolina in the US, down in Charleston, South Carolina.
Chris: Awesome. So say if I were traveling to that region and I was looking for a unique bar experience, where would you direct me to?
Crane: Oh my gosh. I’ll tell you, having two kids, going out to bars is something that I have very little time for in my life these days. But I’ll tell you, there’s probably not one to recommend, but downtown Charleston, we’re talking about culinary places of the world.
Crane: There are so many great places to eat downtown and drink that I don’t think you would ever have a hard time finding a good spot to land.
Chris: If you decided to open up a cybersecurity themed bar, what would the name be and what would your signature drink be called?
Crane: Oh man. So I’ll tell you. So internally we’ve always talked about naming conventions for threat groups that we track. And one of the things that I always hate about a lot of naming conventions and names of, like, threat groups is that they don’t make any sense.
Crane: They have no relationship with what they’re actually talking about. So whatever I would name my bar, there would be some actual meaning to it. I would say something around, we call our internal tool set Artemis, after the Greek god of the hunt, primarily because a lot of what we’re doing is hunting for actors and stuff like that.
Crane: So it would probably be some witty Greek mythology take on cybersecurity, maybe something around Artemis. And then my drink, oh, that’s a real tough one. Gosh, I don’t know what my drink would be called, but it would definitely have to do something with probably
Crane: some amount of Mountain Dew, which is so stereotypical of a cyber researcher. Yeah. But Mountain Dew got me through college and got me through a lot of the boring times, the first parts of work, and still gets me through work today, because we’ve always needed a good pickup.
Crane: Yeah, that would be my answer for that one.
Chris: I love it, man. Cuz as a threat researcher, you have to be alert 24/7.
Crane: Absolutely. All the time. I don’t know what kind of liquor actually goes with Mountain Dew, so I don’t know if I would advise anyone to actually drink it, but if I had to think about it, that’s what I’d say.
Chris: It could be a non-alcoholic bar. You could just serve Mountain Dew!
Crane: I’ll tell you, I went to a place when I was working for the government that had vending machines stocked with every flavor of Mountain Dew you could ever imagine. And it was so stereotypical given the building I was in. I’ve never seen it anywhere else, but it was just a Mountain Dew vending machine with six different flavors of Mountain Dew.
Crane: It was interesting. That’s serious. Yeah. So maybe it was like, yeah, just Mountain Dew shots at the bar. That’d be interesting. Don’t just be wired. Yeah, exactly.
Chris: Awesome Crane. Thanks so much for joining me and Matt today. Where can our listeners find you and connect with you online?
Crane: Yeah. So you can always connect with me on Twitter, I’m @CraneHassold. Also, if anyone’s interested in learning more about the research that my team does at Abnormal Security, we actually have a website called Abnormal Intelligence where we post all of our sort of external content, whether it’s strategic blog posts or more in-depth
Crane: threat intelligence reports or tactical attack library samples, at intelligence.abnormalsecurity.com. It’s a place where it’s purely meant to be a community resource where we’re sharing information. So it’s not a place where you’re gonna go and sign up and then get hounded by sales guys afterwards.
Crane: It’s all about sort of information and intelligence sharing, which is a site that I’ve wanted to build for some time now, and we just released it a couple of months ago. So that’s intelligence.abnormalsecurity.com.
Chris: Thanks. Take care and be safe, man.