No Starch Press's blog

Cracking Cybercrimes with Threat Analyst Jon DiMaggio


Our illuminating Author Spotlight series continues this month with Jon DiMaggio – author of The Art of Cyberwarfare: An Investigator's Guide to Espionage, Ransomware, and Organized Cybercrime (March 2022). In the following Q&A, we talk with him about the difference between traditional threats and nation-state attacks, the reasons that critical infrastructure is an easy target for threat actors, the emerging "magic formula" for defeating ransomware, and the fact that just because you're paranoid doesn't mean they aren't targeting you on social media.

Art of Cyberwarfare cover Jon DiMaggio headshot

DiMaggio is a recognized industry veteran in the business of “chasing bad guys,” with over 15 years of experience as a threat analyst. Currently he serves as chief security strategist at Analyst1, and his research on Advanced Persistent Threats (APTs) has identified enough new tactics, techniques, and procedures (TTPs) to garner him near-celebrity status in the cyber world. A fixture on the speaker circuit and at conferences, including RSA (and this month’s CYBERWARCON), DiMaggio has also been featured on Fox, CNN, Bloomberg, Reuters TV, and in publications such as WIRED, Vice, and Dark Reading. He continues to write professional blog posts, intel reports, and white papers on his research into cyber espionage and targeted attacks – insights that have been cited by law enforcement and used in nation-state indictments.


No Starch Press: You’re known as one of the first intelligence analysts to focus on attacks executed by nation-state hacking groups – referred to as Advanced Persistent Threats. What’s the difference between traditional cyberattacks and APTs?

Jon DiMaggio: Traditional cybercriminals conduct attacks relying on a user to click a link in an email or visit a specific website. If the attack fails or security mechanisms defeat the threat before it can successfully infect a victim, the attack is over. That's why, with some exceptions, traditional attacks are geared at targets of opportunity, and not tailored to a specific victim.

Nation-state attacks, however, are the exact opposite. Nation-state attackers target specific victims, and are not only motivated but well-resourced. These advanced attackers have the backing of a government, and often develop their own malware and infrastructure to use in their attacks. Also, unlike traditional threats, nation-state attackers are rarely motivated by financial gain. Instead, they seek to steal intellectual property, sensitive communications, and other data types to advance or provide an advantage to their sponsoring nation.
 

NSP: Governments and militaries are no longer the only targets of nation-state hackers – private-sector companies are now under attack as well. Most of them already have automated security mechanisms, but are those an adequate defense against APTs?

JD: No. Due to the human element behind nation-state attacks, automated security defenses are not enough. Human-driven attacks simply return to the system through another door. And unlike other threats, nation-state attackers are in it for the long game, which is why the attacks continue even if initially defeated by automated defenses. For these reasons, you must handle nation-state attacks differently than any other threat your organization will face – ideally, by deploying human threat hunters.
 

NSP: Another disturbing trend is the growing list of advanced cyber threats targeting the industrial control systems (ICS) of critical infrastructure, like the U.S. power grid. In terms of cyberwarfare, are we getting closer to seeing intrusion campaigns against our electrical, water, and transportation systems escalate from espionage or reconnaissance missions to highly disruptive attacks that could paralyze entire cities?

JD: Not only are we getting closer to attackers getting closer to our critical infrastructure, but it has already happened in other countries. In 2015, the Russian government conducted cyber attacks that resulted in shutting down power across critical areas of Ukraine.

In 2017, when I worked at Symantec, our team discovered a Russian-based nation-state attacker we dubbed "Dragon Fly," who infiltrated the U.S. power grid. The group was very close to gaining access to critical systems responsible for powering cities across the United States. In this case, security companies and the federal government worked together to mitigate the threat. This was a close call, but it just shows that nation-states are targeting our power grid – and likely will continue the effort moving forward.
 

NSP: In early October, the FBI and Cybersecurity Infrastructure and Security Agency (CISA) issued a warning that ransomware attackers, in particular, have been targeting water treatment and wastewater facilities. Do you have any insight into why ransomware attackers have recently moved from banks, local governments and healthcare systems to utility companies? Moreover, why are these critical facilities still so vulnerable to compromise given what we know about the threat and what’s at stake?

JD: Critical infrastructure appeals to ransomware attackers because they likely feel there is a greater chance the victim will pay. Additionally, the breach will be very apparent to the public, like in the Colonial Pipeline attack, when fuel stopped flowing and it resulted in a gas shortage across the East Coast. The effect of this type of attack is meant to be dramatic, and attackers know there will be high pressure from the general public to recover quickly. Usually, the fastest way to recover is to pay the ransomware and obtain the decryption key.

Also, critical infrastructure often provides an easy target to savvy attackers. For example, when a cybercriminal attacked the water system in Florida last year, he did so by taking advantage of technology and infrastructure that allowed workers to remotely access the critical controls used to regulate the system. In short, the ease of access for city workers was more important than the system's security. This, unfortunately, is a common problem. To address many of these existing vulnerabilities will require building systems based on security – and not ease of use. While this may be less important to a retail provider, it should not be an option for industries involved with our infrastructure.
 

NSP: Over the past year you’ve focused your expertise on nation-state ransomware. One thing I’ve learned from your work is just how long sophisticated intruders spend in a victim’s network before kidnapping their data and sending a ransom notice, often lurking for weeks if not months. Why is attacker “dwell” time an important security metric?

JD: Yes, that's a point many security analysts are unaware of. Enterprise ransomware gangs spend between 3 to 21 days on a victim network, with the average time being around 10 days. During this time, the attacker enumerates the network, obtains and escalates their privileges, disables security services, delete backups, and steals the victim's sensitive data. Finally, once the staging and data theft phase is complete, they execute the ransomware payload throughout the victim's network.

The reason this timeframe is so important is that the human attacker is active on your network. The takeaway is that the longer the attacker engages within your network, the better chance a good threat-hunting team will have to find them. This is why I keep emphasizing that you really need a human team to hunt for advanced threats, not simply rely on automated defenses.
 

NSP: As ransomware has evolved and diversified, AI has found its way into the mix, turbo-charging attacks that can automatically scan networks for weaknesses, exploit firewall rules, find open ports that have been overlooked, and so on. But machine learning works both ways. What role could AI tools play in threat hunting?

JD: The combination of both artificial intelligence along with human threat hunters creates the magic formula necessary to defeat ransomware attacks. AI is one of the fastest and most accurate ways to identify suspicious or malicious activity, and make quick mitigation decisions.

Based on the level of success ransomware gangs have had in recent years, current identification and mitigation capabilities are not working. At least, not consistently. In fact, several security vendors already base their technologies on artificial intelligence to mitigate threats. For example, the cybersecurity company DarkTrace recently used their tech – which relies on AI – to defeat a LockBit ransomware attack. (LockBit is a particularly pernicious ransomware-as-a-service gang that specializes in fast encryption speeds.) Using AI, DarkTrace identified and mitigated the attack in mere hours of its presence within the environment.
 

NSP: Sounds like the AI future is nigh! Shifting tracks, let's wrap this Q&A up in the present. You chase bad guys for a living. And not just any bad guys – the kind who could bring an entire nation to its knees. But you’re also a dad. Do you talk to your kids about what you do? If so, how do you explain things like nation-state attacks, ransomware gangs, or cyberwarfare on their level (or at least in a way that sounds less scary) when they ask about your day?

JD: I do talk to my kids about what I do. I actually try to get them involved, and spend time teaching them and explaining some of the work I do at a high level. My youngest son Damian and I even did a podcast together on ransomware. My oldest son Anthony is a freshman in high school and just started taking cyber security classes this year.

They think what I do is more like what they see in the movies, so they will be in for a disappointment when they figure out its more research, analysis and writing than hacking bad guys. However, it’s very rewarding that they have an interest in what I do, and often brag to their friends about it. At the same time, they've seen me working with encoded text and malware, and make comments that I stare at “gibberish” all day and pretend to be working! But overall they are really proud of me and think what I do is “cool."

NSP: Part of your objectively "cool" job entails thinking like the adversary. While it seems unlikely a nation-state actor would hijack a home webcam or set up a fake WAP attack at the local cafe, are there any lessons you've learned from a career spent analyzing cyber criminals that inform your personal online security habits outside of work, or that you try to instill in your children?

JD: Yes, due to my work I have a very different, limited online life. For example, outside of work-related social media, I have no personal accounts. And even with my limited social-media presence, I do not ever connect with family members – only work colleagues. I've used social media to map out relationships with adversary accounts, and know that someone could do the same to me. For that reason, I don’t use social media and, unfortunately for them, at least for now, my kids don't either. It’s not that I'm over-protective, but I don’t want them targeted by an attacker in an effort to get to me. And, to be honest, I think it's healthier at this point in life to let them just be kids. They will have an entire lifetime to be engulfed in social media, but for now I want them to just be kids.

As for my personal habits online, I use three different identity monitor and protection companies to keep an eye on my accounts. I never use the same password twice, nor do I use real “dictionary words” – and I always use two-factor authentication in addition to a hard-key (Yubi-key). I am religious about updating my passwords frequently, and you will never find a device in my home with a camera that is not covered. I also do not use traditional cloud-based services from vendors like Apple and Google.

To be honest, I live a pretty paranoid life because of the work I do and the fact that I put my name out there. At the same time, I think I need to be a bit paranoid, because if there is anything my job has taught me it is that anyone and anything can be hacked and compromised.


Cyber Defender Bryson Payne Takes Us to School


We continue the Cybersecurity Awareness Month edition of our ongoing Author Spotlight series with Bryson Payne, PhD – author of Go H*ck Yourself: An Ethical Approach to Cyber Attacks and Defense (January 2022). In the following Q&A, we talk with him about training the next generation of cyber defenders, why there's never been a better time to get a job in infosec, the security benefits of thinking like an adversary, and whether ransomware could soon be coming for your car. (Spoiler alert: it's already here!)

Go Hck Yourself Cover bryson Payne

Dr. Payne (@brysonpayne) holds the elite CISSP, GREM, GPEN, and CEH certifications, and is an award-winning cyber coach, author, TEDx speaker, and founding director of the Center for Cyber Operations Education at the University of North Georgia (an NSA-DHS Center for Academic Excellence in Cyber Defense). He's also a tenured professor of computer science at UNG, teaching aspiring coders and cyber professionals since 1998 – including coaching UNG’s champion NSA Codebreaker Challenge cyber ops team. His previous No Starch Press titles include the bestsellers Learn Java the Easy Way (2017) and Teach Your Kids to Code (2015).


No Starch Press: Cybersecurity Awareness Month is a great time to talk with you, because your career's been dedicated to making people aware of common and emerging security vulnerabilities. Recently though, high-profile hacks have hit the headlines like never before, with attacks on public utilities, government agencies, and customer databases causing real alarm among the general public. Are we starting to see a shift in the way mainstream society thinks about cybersecurity? If so, how can this be harnessed to make infosec stronger across the board?

Bryson Payne: All of us are seeing cyberattacks and breaches in the news, in the companies we do business with, and even in our own families. It’s a scary time to be so dependent upon technology, but there’s a bright side, yes –regular people are becoming smarter about how they use their devices, how they secure their information, and what information they share.

By understanding the threats that are out there, and how cybercriminals and cyberterrorists perform simple to complex attacks, you and I can protect ourselves and our families from cybercrime (or worse). And by training a new generation of cyber defenders, we can better protect our nation and our economy from future cyber threats.

NSP: You’re the founding director of the Center for Cyber Operations Education at UNG, where you’re also a tenured professor of computer science. So perhaps it’s no surprise that in 2018 UNG began offering a bachelor’s degree in cybersecurity – one of the nation’s first. Considering there are already a number of academic pathways that can lead to successful careers in the infosec world, what’s the benefit of pursuing such a specific major?

BP: The hands-on experience our students gain from real-world ethical hacking, forensics, network security, and reverse engineering in the classroom, in competitions, or in industry certifications, is more like what they’ll see in industry, government, and military cyber roles than traditional computer science or IT programs. In fact, the NSA and Department of Homeland Security are certifying more National Centers of Academic Excellence in Cyber Defense, like UNG, each year in order to give students the real-world skills needed to fight cybercrime, cyber terrorism, and even cyberwarfare for the next generation.

NSP: Does the addition of this degree program reflect a growing demand for cybersecurity pros in the workforce? And, for anyone reading this who’s considering going into the field (or going back to school to get credentialed), what are some of the career options you encourage students to explore?

BP: According to cyberseek.org, there are over 400,000 positions in cybersecurity open right now in the U.S. alone, with tens of thousands of new postings appearing every month. If you’re considering going into cyber, there’s never been a better time to get a certification, take a course, or study on your own.

If you like police dramas or mysteries, forensics could be a good fit. If you like taking things apart and (sometimes) putting them back together, reverse engineering or ethical hacking might be fun for you. If you like making sure everything works like it’s supposed to, you might make a great network operations or security operations center analyst. There’s a job for everyone, from trainers to managers to technicians – and the pay is growing faster than for many positions in non-security fields.

NSP: Studies have shown that at least half of college-age adults don’t pursue tech-related careers because they believe the subjects are too difficult to learn. What do you say to people who are interested in cybersecurity but don’t think they have what it takes?

BP: There are so many paths into cyber, whether you start out in psychology, journalism, international affairs, criminal justice, business, math, science, engineering, even health sciences. Cyber is a team sport, and we need people who understand not just the technology, but the people, processes, and even the cultures and languages involved in cybercrime, cyberattacks, and cyberwarfare. Every organization, from Fortune 500 companies to city governments, schools, and healthcare institutions, needs people like you and me thinking about cybersecurity and how to protect employees or customers.

But, while it's important to know that not every cyber job is a technical role, the more comfortable you are with the technology, the farther you can go.

NSP: Your upcoming book, Go H*ck Yourself, teaches readers how to perform just about every major type of attack, from stealing and cracking passwords, to launch phishing attacks, using social engineering tactics, and infecting devices with malware. Some critics might find it ironic that a champion of cyber defense would write a book that literally teaches people how to execute malicious hacks. Explain yourself!

BP: Just like in a martial arts class, you have to learn to kick and punch while you’re learning to block kicks and punches – you have to understand the offense to be able to defend yourself. By thinking like an adversary, you’ll see new ways to protect yourself, your company, your family, and the devices and systems you rely on in your daily life.

For too long we’ve been told what to do, but not why we need to do it. A great example is the password cracking you mentioned. When a reader sees how quickly and easily they can crack a one- or two-word password, even with numbers and symbols added to it, they finally have the mental tools to understand why we’re advocating for passphrases of four or five words. It’s the same with all the other attacks – once you see what a hacker can do, you understand how important good cyber hygiene is, and how small steps to secure your devices can really pay off.

NSP: One type of attack that's really skyrocketed lately is ransomware. Your home state of Georgia is just one example – city and county governments, state agencies, hospital systems, even local election systems have fallen victim to ransom demands. With hackers hammering away at our institutional weak spots, something as simple as not installing a security patch right away, or clicking on a link in a socially engineered email can usher in a potentially devastating attack. What do you think can be done to prevent the human errors arguably fueling the current ransomware rage?

BP: Ransomware is definitely one of the most serious threats to your business, your family, and your own financial security. But the good news is that you can keep yourself from being an easy target. While the news often refers to humans as the weakest link, I actually see us as the best first line of defense. Employees and leaders who can spot phishing emails, who install updates and patches regularly, and who use good cyber hygiene can block more than 99% of known attacks before they get into your organization! And smart security-minded computer users can also apply these practices at home to protect themselves and their loved ones from online adversaries on the prowl for easy vulnerabilities.

NSP: Along those same lines, a lot of organizations have started backing up their files as a failsafe. But hackers being hackers, they’ve already adapted: double-extortion ransomware is now the norm, where the data’s exfiltrated before it’s encrypted so it can be released online if the ransom is not paid. How bad is the problem, and what's the solution?

BP: Double-extortion malware can have the most devastating financial impact short of cyber-physical attacks (and by that I mean when malware takes over a manufacturing facility, critical infrastructure, or medical facility and causes real-world, physical damage to real equipment or even endangers human life). It's true that backups used to be enough to recover from ransomware without paying the ransom, but these double-extortion attacks can steal data for months before locking down systems and demanding payment.

The best defense, in addition to those backups, is having well-trained cyber professionals doing what we call "active threat hunting" – looking for suspicious activity, like small file transfers overnight or to unknown networks, and tracking down systems that show indicators of attack or compromise. That’s why it’s important that we train more cyber defenders. Every organization needs cyber heroes now, so it's the perfect time to develop these skills.

NSP: Dr. Payne, you have arrived at your final destination. (Well, my last question anyway.) Over the past decade you’ve done some very cool conference presentations on car hacking, and have since turned them into a tutorial on your blog. The cool factor aside, this is an increasingly relevant skill set for aspiring white hats – since 2016 there’s been a 94% year-over-year increase in automotive cybersecurity incidents, including remote attacks that can control your steering, pump your brakes, shut down the engine, unlock your doors, open the trunk, etc.

1) Is it only a matter of time before ransomware infects this realm of life, with people, say, unable to start their car until they pay a hacker? 2) In the future, should automakers be pentesting cars at the level they perform crash tests? 3) Does this keep you up at night, or are you optimistic that your UNG graduates will have a solution?

BP: It is only a matter of time before we see ransomware and similar attacks regularly affecting smart cars. Today’s automobiles can have more than 40 computer chips, dozens of systems, and networks and connections from USB to 5G, Wi-Fi, Bluetooth, GPS, satellite radio, and more. We call that the “attack surface” of a system, and with so many ways for hackers to try to get into your vehicle, we’ve actually already seen successful remote attacks in the wild – and we’ll continue to see new ones. The good news is that every make and model is slightly different, so a hack that works on a Honda might not work on a Ford, and vice versa.

That being said, auto manufacturers have a responsibility to secure the networks and computer systems inside your vehicle and mine from malicious hackers, which is why I happen to believe that teaching young people how to test and secure these systems – starting within a virtual environment like we do in the book – is one of the best ways to protect our vehicles and our personal safety from ransomware on the roadway.

Article-19 Activists Mallory Knodel and Ulrike Uhlig Reimagine the Internet

For Women’s History Month, No Starch Press is spotlighting the contributions and individual achievements that female authors have made in the world of tech and on our bookshelves.

Mallory Knodel How the Internet Really Works Ulrike Uhlig

This week, the focus is on two of the co-authors behind How the Internet Really Works (Dec. 2020), a collaborative work produced by Article 19 activists. Mallory Knodel is the CTO of the Center for Democracy & Technology, co-chair of the Human Rights and Protocol Considerations group of the Internet Research Task Force, an advisor to the Freedom Online Coalition, and former head of digital for ARTICLE 19, where she integrated a human rights-centred approach to communications and technology work for social justice movements. Ulrike Uhlig is a (comic) artist, graphic designer, front-end web developer, and Debian Developer. She works with non-profit organizations at the intersection of technology, arts and human rights.

No Starch Press: You both work in technology and human rights – and gender equality is one of the most fundamental guarantees of human rights. Given that ICT is an area where women commonly experience discrimination, exclusion and harrassment, what role does internet governance and/or protocol standards play in achieving a more equitable and inclusive global cyberspace?

Mallory Knodel: Gender discrimination is present in internet governance, too. That is to say that, while setting standards and building governance mechanisms presents the opportunity to provide guidance on best practice, efforts to address inequality are undervalued. Rather than getting trapped in the endless loop that starts and ends with the demographics of participant data, there are two things that should be ubiquitously understood by now: 1) inclusion is everyone’s responsibility, and 2) participation is, in some part, related to interest. I hope that my work on human rights and the public interest in standard bodies and internet governance is sufficiently interesting to attract experts who are also feminists, anti-racists, and social justice advocates.

NSP: Your work has brought attention to the theme of the “digital gender divide.” How does gender affect the way women access, use the web, and benefit from internet technology?

MK: The digital gender divide is the result of compounded inequalities that all derive from access to the internet. There is inequality in access to literacy, devices, mobile data, in-home internet subscriptions, information that is censored, paywalled, filtered, and blocked. On the other hand networked mobile devices can exacerbate stalking, police surveillance, harassment, and economic harms such as theft and private data brokerage. At the same time, the offline world of bookstores, government services and public spaces, is disappearing. For initiatives like e-commerce and remote jobs aimed at women to work, ubiquitous, cheap and quality internet access is a fundamental requirement.

NSP: “Alice & Bob” – fictional characters used in discussions about cryptography to make complex concepts more understandable – have been a popular archetype in CS since the ‘70s. But in How the Internet Really Works, you made a conscious decision not to use the “couple” for explaining cryptographic protocols and systems; instead, Alice talks about these topics with a friendly dragon. What inspired you to do this, and what was your intent by recasting “Bob”?

MK: I credit Ulrike with the creative side to our book. She was able to bring to life the everyday objects, characters and mythologies from technology and retell them through her brilliant illustrations of reimagined and more contemporary archetypes.

Ulrike Uhlig: While making the book, we’d come across a very interesting and well-researched work by Quinn DuPont and Alana Cattapan: “Alice & Bob. A History of The World’s Most Famous Cryptographic Couple.” There we learned, for example, that Eve, the person who listens to, and eventually tampers with Alice and Bob’s conversations has sometimes been depicted as Bob’s rejected ex-wife, and that Alice and Bob are not only longer names for representing “A” and “B” (in cryptographic transmissions) but we understood there was also an assumption of their role, related to their gender. We found this to be a bit too heteronormative. We want all sorts of people to be able to identify with our characters, and to, sort of, pass the (non-existing but self-imposed) Bechdel test for books.

However, when writing the text for our book, we noticed that there seemed to be one advantage to using gendered characters – it makes it a little bit easier to explain complex systems, because we can use two different pronouns so readers can more easily follow who is doing what. At first, we had the idea of simply inversing the assumption that Bob is a man and Alice is a woman, and wanted to call those characters “Aob and Blice.” Later we had the idea that Alice could just be talking to her friends, Catnip and Dragon – like, that we accidentally got rid of her assigned role as Bob’s partner. Finally we realized that we didn’t need to use gendered pronouns to make the text easy to understand, we could simply repeat the characters’ names.

Actually, creating the characters of our book has been a challenge for similar reasons. While we knew from the start that we wanted the main character to be a cat by the name of Catnip – an acronym for Censorship, Access, Telecommunications, Networks, and Internet Protocols – we initially thought our secondary characters would be the commonly used ones for explaining cryptography. When we did the first sketches though, it became clear that it would be hard to be inclusive and diverse using “human” characters. So we turned to the imaginary animal world to represent Eve, Mallory, and Catnip’s friend, Dragon. There is now only one human character in How the Internet Really Works who has a name: Alice. With the image of Alice, I encoded a bit of ourselves – women in tech – into the book.

NSP: Women were key to the development of computing in its early history. But in the decades since, they’ve been increasingly marginalized throughout the industry. Are there any notable actions being undertaken right now to help solve the persistent problem of gender inequality in tech and governance?

UU: That’s a good question. I have the impression that ever since I started working in tech, this question has been turned into all possible directions, with a bit of change, but not significant enough change that I would call it progress. I personally think that we need to open up the gender inequality discussion and talk about diversity. To me, this means first of all to question ourselves: How do we encode inequality in our systems? How do we (often unconsciously) reproduce patterns of classism, sexism, ableism, racism, and oppression? How are privilege and social reproduction part of our spaces, organizations, perceptions? Those questions are collective ones, not questions that can be solved on an individual level.

We can ask ourselves similar questions about the technologies that we produce. Technologies, such as internet protocols, are inherently political, as they shape how we interact with each other. How do we encode bias and power into those technologies and how can we do it differently? I would even dare to ask: How can we bring empathy into the technologies that we create? To that end, the Human Rights Protocol Considerations Research Group at the IRTF, that Mallory is a chair of, aims at researching whether standards and protocols can enable, strengthen (or threaten) human rights, and therefore gender diversity.