Most organizations don’t want to have adversarial conversations about cybercrime. They either don’t care enough or they don’t really understand it. But this lack of visibility within your network can result in a huge risk to your organization. Not knowing if you are dealing with an insider threat is scary. You can’t prepare for it or set up countermeasures. If you can’t see it, you can’t protect it.
Join Matthew Stephenson as he talks to Chad Skipper, Global Security Technologist at VMware. Learn what kind of security measures need to be in place to protect your network from such internal risks. Discover what the move to digital transformation and multi-cloud means for cybercrime, as well as some tips on how to protect your systems before a major breach. Get visibility of your vulnerabilities right now!
Here in the show, we are bringing you the top experts in the industry to chat about anything that is interesting in keeping our world secure. I always make that “We are excited” thing but now, we got a guy. There is nothing better than having a guy, a gal. We are very excited to welcome Chad Skipper to the show.
He is the Global Security Technologist in the Network and Security Business unit at VMware. In previous lives, our man has spent over 25 years in information security in executive roles as a security technologist and strategist including endpoint, network, cloud, and hosted security services, which means odds are his fingerprints are on something that you have done. Some companies perhaps you’ve heard of are Lastline, Cylance, Dell, Cisco, and Symantec, and he’s a veteran of the United States Air Force. Chad, welcome to the show.
Thank you very much for bringing me on. What an introduction. It’s great to see you and listen to that voice. I missed that voice. I missed the times that we had, and the introduction of the unbelievable tours in the good old days of Cylance. What a security landscape we are in now, and thanks for bringing me on to this show. We’ll see what’s going to happen here.
This is going to be the kind of show where the band invites Slash out on stage and lets him shred a guitar solo for 12 to 48 minutes. We need that, but we need a little bit of structure. Your career has been built on battling the bad guys to protect organizations from attacks. Given all that you have seen across the landscape, whether it goes back to your time at some of the massive companies like Symantec and Dell, or these upstart punk rock companies like Cylance that are upsetting things in order to force people to get better, what does the landscape look like to you now?
The landscape looks partly cloudy with major chances of breaches. The reason I say that is as we move across into this digital transformation and multi-cloud, all of that digital transformation and multi-cloud are creating more of an internal network storm. To be honest with you, the vast majority of network traffic is internal traffic. In some cases, it’s 90%.
As we move further into Kubernetes and fast API connections and try to secure the inner workings of those applications as an example, threat actors are beginning to pay attention to this very specifically. Threat actors are not only paying attention to it, they are finding novel ways to gain that initial access. Once they are in, they are staying in. We are seeing things staying in months without being detected as an example.
The thing is once they are staying in, it’s no longer necessarily about that one device. It is now, “I am discovering the network.” In some cases, “I’m able to understand the network better than the network administrators do. I know the ports, the protocols, and the applications your unit is using. I know how to get around segmentation, and those common ports and protocols.”
As they begin to do that, they understand those pathways and they begin to converse. It’s like having a threat actor converse inside your network. From that perspective, they ride remote desktop protocol just like a network administrator does to remotely move or laterally move to other devices. If I’m able to get your credentials, I am now considered somebody that has credentials. Is that an insider? I gained it.
Now, I’m able to use those credentials and if you are not using MFA, I am able to pass the hash or Kerberoast to move laterally onto a system. If you are using the Samba service, I’m going to take advantage of that as a threat actor because the Samba service is a great way to move files. I’m going to move files laterally inside the organization that are malicious. Think of remote access Trojans.
I’m going to use PowerShell just like your administrators do to create command and control traffic internally east-west, so that I can make sure I’m communicating with those devices which I have compromised. At the end of the day, it’s not necessarily about moving to hundreds of devices. It’s about finding those unique values of devices inside the organization so that I can exfiltrate that data, but I’m going to exfiltrate that data first before I even ransom you.
Now, I have a copy of that data on the outside. I can ransom you, which is now called double extortion, and I will take a look at that data. If I find information about your partners or whatever, I’m going to extort them as well. Now, we are getting into somewhat of a triple extortion. We have this type of landscape, and the reason I say it is partly cloudy is that the underlying issue that we are seeing in the industry is the lack of visibility. When you don’t see it, you can’t protect it. It’s the lack of visibility within the enterprise and within the inside of the organization. East-west is what we call an insider.
We are talking about the inside. It is paramount in understanding what’s normal and what’s anomalous. From those anomalies, to be able to apply different types of technologies, machine learning, or artificial intelligence to understand that this RDP session, while anomalous, is also malicious because this is how threat actors communicate. It’s over RDP that is different from the normal baseline that we are seeing inside your organization.
It’s the same thing with pass the hash and the Samba service. That is critical for us. How do we become sunny inside of the data center or inside your multi-cloud? The way to do that is to expose it and gain the visibility that we need in order to understand what’s going on so that we can reduce it. At the end of the day, it’s either to prevent or reduce the dwell time of those advanced threat actors that we see residing inside customers’ environments for lengthy times.
I got twelve things I got to unpack from that. Let me roll it back to the first bit when you talk about how they know the inside of the network as well as or better than the people who own and operate the network. I will give a shout-out to a previous guest, Kurtis Minder from GroupSense. He was referred to as the alternative businessman.
What can we do to make sure that the people who are in charge are keeping these people out? Once they are in, they are in. You’ve done the north to south. You’ve dug in, but now you start moving east to west. How do they know what the bad guys know? From what you are saying, it sounds like they come in and they have done the research. They know this place inside and out already.
They are not walking around looking for directions. They know exactly where to go, what to operate on, and how to get there from there. How do we help the bosses and the brass and the infantry to understand what their environment looks like, and recognize when these things start to happen that these are anomalies?
We can bring in lots of different zero-trust principles. It is not a product. Zero-trust principles are a stair-step way in which you can begin to provide ways to either prevent or reduce the dwell time of that threat actor once they have gained that inside access. One of the most important ways is what we call segmentation and micro-segmentation. It’s like a highway with lanes. I’m only allowing these ports and protocols to communicate within this aspect. It’s software-defined networking.
In this aspect, segmentation and micro-segmentation might mean this VDI or this virtual desktop cannot talk to any other VDI inside of my organization. What that does is if that VDI gets compromised, I’m going to reduce its blast radius from it being able to move laterally within the organization. That’s like plumbing. I’m plumbing and creating information highways inside of my organization. Nothing can enter or exit that information highway because I have segmented it off from computers talking to computers, and those types of things.
Naturally, there are ports and protocols that are open to all of those segments for administration. You have to have things like Active Directory. You have to have things like the Domain Name Service, DNS. You have to have things like HTTP and HTTPS. You have to have things like RDP and those aspects. Those are the highways that are still open between segments, and the threat actors know that, so they are using those highways to move laterally even though there might be segmentation in place.
That’s why you have to do deep packet inspection within those segmentations and micro-segmentations. Hygiene naturally is segmentation and micro-segmentation, and then deep packet inspection. What that means is a layer-seven type of deep packet inspection where I understand the application, the protocol, and the user. From there, we apply different types of detection technologies.
For example, IDS and IPS or Intrusion Detection Systems and Intrusion Prevention Systems. That is going to be able to detect things like that command and control traffic east-west. If you have an east-west IDS, that’s going to be able to detect, “I see areas of Empire C2 agents.” IDS detects things like exploits and signatures. Log4j is an example of the big huge zero-day vulnerability out there. These examples are commonly known exploits and ways that threat actors communicate over command and control.
There are other areas that you can help inside as well. There are lots of artifacts that are being shared by your users and they might be malicious, or if a threat actor gets inside, he might be able to move artifacts from a compromised device to a compromised device. It could be remote access Trojan. It can be ransomware or something of that sort. You want something to inspect that beyond the endpoint. You don’t necessarily have an endpoint agent on everything inside your organization. Sometimes that’s not the case.
That’s where things like a sandbox come into play, but it’s usually a north-south sandbox. Think about this. Do I have a sandbox inside my organization to detect the insider advanced threat activities to sharing of malware going across the ecosystem? Another one that we can talk about is the visibility of every single packet inside the data center. There are capabilities to do that inside of your organization inside the multi-cloud.
What you want to do is apply what we call network traffic analysis. I get a baseline of all that traffic. I have a rolling day baseline. Let’s call it 30 days. I know what normal is. I apply machine learning capabilities on top of that baseline in order for me to understand anomalies. I have seen this anomalous RDP session. I have seen this anomalous pass the hash session over Kerberos. I’m seeing anomalous type lateral movement using PowerShell.exe. These are the types of areas where you can begin to see anomalies in the network that threat actors are using so that you can begin to detect those.
Last but not least is the continuous threat hunt. I can’t say that enough. Spend a few hours a week going in and be like, “I see this private VPN tunnel. What other connections are there?” Go on from there and look for different types of network anomalous capabilities inside of your organization. I know that’s a long-winded one, but there are many ways that you can begin to get that visibility so that you can reduce that dwell time inside the organization.
It’s not long-winded. It’s the information. It’s the context that we need. Take a walk with me on this analogy and tell me if this is wrong. New York City tap water is supposed to be the best tap water in the world, and it is why New York City pizza is supposed to be so good because it is what people use in order to make the dough for the pizza. We can get into the science of why the water reacts with starches to make the thing, but you also have to have that person back there throwing dough, making the pizza, and spreading it out in order to do that thing.
Knowing the science behind why New York City tap water makes pizza dough taste this unique way compared to other cities around the world. Let’s compare that to this idea of the hardcore tech that you’ve talked about. You are not going to be able to sit down with every employee inside of a network and explain all of that to them in a way. When we talk about the idea where you say that they are passing malicious pieces back and forth, they are not doing it on purpose, hopefully. Some might be.
For what you are doing at VMware or what we’re doing in Elevate, as an industry or a company, how can we put people in a position to toss the best dough? They can make the best pizza without sitting down for a master’s course in, “This is why New York City tap water interacts with the starch of the yeast and the dough in order to make the best thing.”
Don’t click on anything.
Is that it? Are we at that point? It’s the same thing that I tell my 82-year-old father.
Don’t click. Don’t answer phone calls. Don’t reply. Here’s one of the biggest things that has been helpful. We have seen a lot of business email compromise. A lot of it, and it has continued to do that. One of the things that has been helpful for me personally in my work email is it blankly tells me that this is an external recipient. You get a lot of east-west internal emails. If I know that there’s an external recipient, as a normal user, it’s going to put my radar up a little bit. I’m going to inspect that a little bit.
Do I know this person? Has that person emailed me before? These types of questions run through my head. I’m going to user education. I will get into tech later because they don’t even care about the tech. Hover your mouse over the link to see whether it goes to the website that it says it goes to. Emails shouldn’t be sending .exes, but threat actors are sending payloads in things like Excel documents, Word documents, PDFs, RARs, and those types of things to get away with it. When clicking on a link from an external source, make sure that before you click on that link, you know where it’s going. It’s in these types of areas that you can train your users on doing these types of things.
What we are seeing is no matter the technology, in some cases, there are significant evasive capabilities that are out there. I will give you an example of getting in. Our VMware threat analysis unit released a report on exposing the Emotet supply chain. Emotet came out in 2014 around TrickBot. It was a banking bot, a remote access Trojan.
Emotet was taken down by Interpol in November of 2021. It’s a huge malware as a service. ID as an example is something that was deployed through a TrickBot. It was so big and it did have advanced threat nation-state sponsorship. That’s about as far as I’m going to say with that. In January 2022, we started detecting a beacon of old Emotet or what we saw as a new wave or epoch.
Our threat analysis unit started taking a look at this, and the short of it is we were able to get the payload. We were able to deconstruct the configuration file. We were able to put our own C2 implant in it to where we tricked Emotet into thinking that we were one of them. We were able to get access to their supply chain or their software development life cycle. We were able to see all the modules which they were deploying out to these endpoints. They were evasive because of the execution chain in which they were executing.
In that, we were able to see the timeline, and a lot of these timelines are associated. We started this beaconing, and the beaconing started a couple of weeks before Russia invaded Ukraine. All this goes back to, “This is all about monetization.” It’s all about getting and exfiltrating that data. It’s all about subverting the sanctions that the West is putting on Russia.
These are the types of areas that are evading and getting inside. However, beyond user education, most of them have to execute. They have to execute. They have to get on the endpoint. There are things like app control. If you have a system that you want to harden down, app controls basically say, “I’m not going to execute anything on this system. No .exes, .dlls, and .coms. Only these applications can execute so forth and so on.”
Disable macros; you should never have those macros. It’s a lot of user education. Naturally, this is hard to do, but it’s patching and keeping your systems up to date. I know it’s difficult. We have seen this in the global incident response threat report. We send out questionnaires to our customers that are consuming our product. We are asking them all types of things. Given Log4j and the six patches that came out after Log4j and the frustrations of deploying those patches, we are seeing a lot of customers deploy virtual patching.
When I see a CVE vulnerability, we might have a signature that detects that particular exploit. They will deploy that signature in prevention mode to prevent those types of exploits immediately. That gives them time to follow their standard operating procedures and to deploy that patch in a timely fashion to make sure that it’s not going to go down or bring the system down. It might be something that they want to test before they deploy it. Of those that responded, 75% said that they were deploying virtual patching in a preventative mode as a way to help with their vulnerability management operations. It’s very interesting.
You said that patching is difficult. The outline is completely blown up at this point. We can disregard everything that I spent hours typing to send out for you.
Patching is part of insider. We are talking about insiders.
This is my question on patching. Is it difficult or is it irritating? Is it another adjective because it’s something that we all know we need to do? We all should always brush our teeth three times a day, and all those sorts of things. When we talk about protecting people from themselves, is patching on the shoulders of the individual users? Where does it fall in the hierarchy of protecting a network?
As an example, VMware owns my system. I get an email from VMware that says, “We are going to make sure that your system is up to date,” on the applications which they control. They are going to keep those up to keep everything up to date. They are going to deploy those types of patches for the operating systems, the KBs, and those types of things in most natural and user systems. That’s been solved relative to areas of automation and those types of things. Where patching becomes difficult is when I have a workload that has to run 24/7 that’s bringing in millions of dollars a day. I have to have some way to keep that up and running, so I have to have some type of redundancy. For all of that, there’s a Log4j vulnerability, and I have to get that updated fairly quickly.
I’m going to have downtime. Before I incur downtime, I have to go test it. Is that patch going to break my application to where then I have to back out of it and I’m losing downtime in my operations? That downtime means money. There’s a testing of the application. Once that testing is done, then there’s rollout and there’s testing of the patch.
Once that testing is done, then there’s a rollout of that patch. If there has to be a reboot, then that’s another standing operating procedure on that reboot of that enterprise application if it’s north-facing, where it’s bringing in monetary value to the company. There are significant risks in doing anything and updating that application.
Yes, it can. As an example, in an emergency such as Log4j, “Here’s this patch and get it out.” You try to get it out and, “By the way, that patch doesn’t work. Here’s a second patch. That patch didn’t work. Here’s a third patch. That patch didn’t work.” You want to make sure of those standard operating procedures as well. You run into those instances where the patch doesn’t eliminate the problem, therefore you are going to have to re-patch and re-patch.
There are all kinds of different scenarios, but patching can be a system or it can be areas in which you can automate and make it very simple and streamlined. There are other areas in which you have to make sure you have the SOPs because if anything happens to that application upon a patch, it can cost the company significant monetary issues.
Given the time that you have spent at VMware, Lastline, Cylance, Dell, and Cisco, you have existed on more of the tech side than the human side. You need to explain everything that you have talked about to people who need to explain it to people. How do you get this egghead level of stuff? You are talking about Masters if not PhD-level technology in a way that someone needs to communicate to the rest of the staff who may be new to the industry, relatively junior, or just in general more organic than technological in their approach. How can you get these ideas across so that people understand these little things you have to do are so important because 3 or 30,000 people might depend on you, depending on what size company you work for?
It’s more of an analogy to some extent that I rely on a lot. I tell everybody that they have some type of role to play in security, whether it is the chief information security officer all the way down to the person that is pumping out briefs or whatever it might be inside the organization. They all have a role to play in security. We talked about the business email compromise and those types of things.
If you spend a second and talk about this relative to your computer, it is like your house. In your house at night, you make sure that you lock the doors and windows, and these types of things. It’s the same thing with your computer. You want to understand the things that you can do with that computer. The way that I sometimes talk about this, and we are seeing this, is you would feel horrible if a threat actor came into your house and stole your tax returns.
They got your information and all this good stuff, and they are in and out. That’s not what’s happening. What’s happening is they are coming in and staying inside your house for nine months. They’re going room to room, without you even knowing it. They’re sitting on the couch with you or having dinner with you. They’re watching movies, taking a shower, brushing their teeth, and going to bed with you. They are in there.
That’s why I talked at the beginning about how visibility is key. Inside the home or the multi-cloud is where we are not seeing the threat actors once they get through the front door if you have a window through a vulnerable application. If the user clicks on something, it allows them in and says, “Here you go. I don’t know what you are doing, but here is all the information about my house. Go through my cabinets and look at all my pictures. By the way; use my phone to call my friends and my other computers, and start chatting with them. They’ll invite you into their house.”
Now I’m in their house and I get all their information. I’m doing this and I talk to their friends and their friends have friends. Pretty soon, it’s no longer 6 degrees of separation. I am there. That’s how I begin to explain it, whether it’s the CISO or all the way down to I am publishing briefs for the company that gets published on this application so that we can get subscriptions to our analyst report. That’s my spiel on it. Does that make sense?
That makes sense to me. We’ll leave it up to the rest of the audience. Hopefully, it does because I found you to be someone who can explain things, much like Jennie deForest, in a way that I could understand them. That’s an easy joke.
That’s an easy one. It’s like a bunch of chocolates or something like that.
Malicious attacks are like a bunch of chocolates for sure. I understand why we don’t want to necessarily state any names. You have mentioned the fact that it is nation-states, but it is also multinational criminal syndicates that operate in a similar way. When the attackers come in, what kind of tools do these malicious attackers have access to? The insider doesn’t even understand what they did because they thought they were doing everything right, yet somehow these tools are operating on a larger scale.
Here’s the thing and I can tell you this right now. As you take a look at the tools, we talked about the human element aspect of it. We talked about nation-states. We do have cybercriminals. They are leveraging nation-state malware that has been released and modifying it to their own needs like the scripts, using PowerShell. Think of Emotet, CryptoWall, DarkSide, and these types of things from a ransomware perspective.
They are leveraging these nation-states. They are creating their own as well, and they are collaborating just like any software development life-cycle. They have a software development life-cycle. They have sprints, and we see things that they are updating. We understand that these evasion techniques didn’t work. We see new evasion techniques in the next drop. They are following, and they have gone from 32-bit to 64-bit because they get a lot of advantages in 64-bit code for troubleshooting and making it more stable. They are running this like a software development shop.
They are running it like one, but they are one.
You are absolutely right. They are one. They are contracting folks out. They are getting snippets here and there, so it’s a criminal organization. You’ve got different stacks of ones across the globe. You got automated phishing tools that create Facebook and Instagram accounts that go out and automatically make you look like a real person, and start sending out this spam.
Here’s an example. The threat actors will take the malware. They will modify the malware to do the things that they want to do. What happens is when they modify that malware, it changes the signature naturally. We know this. It takes machine learning to understand what those differences are and recognize the code that has been leveraged for that particular aspect of it.
Crypto mining is if I don’t want to interact with users, I’m going to exploit your workload, Linux as an example, and then I’m going to deploy crypto-mining tools on it. It sits there and does crypto mining. It uses your CPU and memory resources and you get charged for it. Here’s something that I have been researching lately. You’ve seen it all over the news and I have given quotes out to the news, but this tool lowers the barrier to entry.
You’ve heard of script kiddies. ChatGPT is the next-generation script kiddie type of tool. Think of this. I can go in and say, “I need you to create an email that says, ‘To my employees, we have had a great year and we have got a bonus. Click on this file to get information about your bonus.’” It’ll pop up there. It looks great. “I want you to do it in Italian, German, and Spanish.” I have got this basis of a great campaign to social engineer, and move all of this. I can then start asking it to innocuously start writing code, “Create me a MIME script that executes command.exe.” There it is.
When you get into certain areas, it does come back and say, “This is seen as malicious,” but at least now I have the ability to create innocuous types of MIME scripts, code C, and whatever it is, then take it and modify just a few things at a time. The entry-level has been significantly reduced to subterranean levels where now we have very quickly this AI-generated bot that is meant for good. I get that it has great value but in it as well, it allows a threat actor to become very efficient, and create things very quickly and cleanly to then compromise and become an even bigger insider threat once I gain that initial access. Those are some of the things off the top of my head as we talk about these things that we are looking at.
Over the course of your career, you have been on the armorer side of things. You were in there leading the teams that figured out the shields and the swords and all of those sorts of things. When you are helping to prepare organizations to defend and protect themselves, what is the scariest thing? Is it malicious insiders who are either under-informed or undertrained? Is it a full-on assault from the outside? Is it something different than that? Is it just the idea of chaos and anarchy, and we don’t know what we don’t know?
We know the battlegrounds. Knowing is half the battle is what I say, but the scariest thing is the lack of visibility. I would rather know and at least I know and have a battle plan against it, but if I don’t know, that’s scarier to me. It’s the lack of visibility. If you can’t see it, you can’t protect it, especially inside multi-cloud or inside your organization that is what we call insider east-west.
Once they are in, what are they doing? They are in my house. They are eating dinner with me. I don’t even know that they are there. If I don’t know, I don’t know. That’s scarier to me than understanding and knowing I have this vulnerability. I know there are risks against it. I have countermeasures for that vulnerability until we get it patched. It could be a virtual patch or whatever it is. I know I have user vulnerabilities in doing things, so at least I can begin to train them. If I don’t see or understand what’s happening inside my network, I’m blind.
When I start talking to customers about how there are solutions to that, their eyes get wide open around, “Now I can see.” Knowing is half the battle, and from there, at least we know we can apply technology on top of it from a threat-sensing capability depending on the ports and the protocols and things so that we can understand how that threat actor is conversing inside of your organization.
Over the course of your career, you have been a part of organizations that defend against breaches both defensively and even offense with incident response teams. When you look back over the course of things and as you look at the present and even into the near future, once an organization has been breached, can it heal in a way that stays healed?
I have seen organizations breached and breached. It depends on the breach three times. Do they stay healed? They might have healed the area in which they were breached, but they were breached in another way. It’s an open-ended question. I can tell you that there are stair-stepping aspects that you can do to heal inside of your organization. One is the hygiene patch.
If you take a look at this, we have got data. For the first six months of 2022, there were over 25 million Log4j exploit attempts. That was the top one. From that perspective, if you can patch from a patching perspective, you are defending and being able to heal that aspect. That’s number one.
Number two, we talked about segmentation and micro-segmentation to reduce the blast radius.
The last one is deep packet inspection. That one is around getting visibility into that internal traffic as much as you can. There are ways to do it from a virtualization perspective and apply these technologies on top of it so that you can find that threat actor within the conversations of all that network traffic inside of your organization, and things like IDS, Sandbox, and NTA or Network Traffic Analysis.
Those are the areas and then lastly, the threat hunt. You got to be on the look and on the offensive. When you threat hunt, that helps you understand how your network is doing. What protocols and ports are you using? Is there a beacon out there that all of a sudden I’m like, “Why is this beaconing out this way? This connection is going out northbound to something that I don’t have any information about. I want to investigate it and so forth and so on.”
Shadow IT is everywhere. Who hasn’t downloaded an application because they needed to get it done? They put it on their credit card really quickly and knew they’d get reimbursed for it, and it ends up being some type of pirated copy of something. Just put a little C2 beacon on it and start communicating back and forth. That’s the beginning. I just got in. Anyway, I digress.
That’s the worst thing. When somebody is pirating something, but then they expense on whatever it is that they do something malicious inside. I’m going to go hard right here. We are coming out of the Consumer Electronic Show and we are about to roll into some of the biggest events of the spring South by Southwest and RSA. Given your perspective from what you have done over the course of your career, and the position you occupy right now with VMware, how are you feeling about the state of the industry right now? When you look at the near and mid-future, what are you looking at?
I have got a few things on this one. Cybercriminals continue to seek the keys of the kingdom. They are beginning to further focus on API attacks. We will continue to see this evolution of that initial access tactic to get in and gain that foothold inside the organization so that they can basically move laterally and they are using APIs to do that.
As we go more about that multi-cloud digital transformation journey, API is becoming the new endpoint where the majority of the internal traffic is API traffic, especially from a consumer standpoint and those aspects. That’s number one. Number two, the remote desktop will continue to fuel island hopping. It is the number one protocol used by network administrators. Threat actors know that. It’s very difficult to understand and get full visibility into that. Understand your use for RDP within the organization and include MFA on that RDP as well.
As we continue down, look at this. We’re going to see more and more deepfakes. Based on our global incident threat, 2/3 of the businesses reported witnessing a deepfake attack in the past twelve months. Deepfake is identified in mobile messaging, voice recording, social media, and those types of things, where it’s pliable enough to get those for scammers. We’ll continue to see that as we move forward.
In other areas, critical infrastructure is facing a year of vulnerability as we talked about these toolkits. They are being developed behind the doors and software development life-cycle of these threat actors. We are going to continue to see a target against critical infrastructure. Last but not necessarily least, in 2023, healthcare and education are still going to be targeted. In 2022, more than 1,000 schools in the United States fell victim to ransomware attacks. Telemedicine is becoming the norm. Ransomware and deepfake attacks on the healthcare industry, we’ll continue to see a rise in that in 2023. Those are some areas that I see happening.
We got about 40% through the things that we agreed that we are going to talk about, but we are rolling up on time. I want to give you a few minutes here. One last question before we go into the Leadership Corner. Is there anything that has your eye right now? Something maybe that’s in your peripheral vision that you think we should be focusing on. Maybe not immediately, but coming soon.
Stay tuned. I don’t want to talk about that one just yet.
You need to call back episode two, Chad Skipper, The Revenge.
Let me put it to you this way. When it comes to command and control infrastructures, we are investigating and understanding the insider command and control infrastructure. Once a threat actor gets access, how are they establishing command and control within your environment? Think of east-west. Think of insiders. That’s something that we are looking at and that we have great insight and visibility into. We are looking to dive deeper into that one. That might be something that we can talk about next time.
I love how vague it was, and yet still somehow a teaser. It’s like the stinger at the end of a Marvel movie. Leadership Corner. What are you doing when you are not doing this? What are you reading? What are you listening to? What’s on your Spotify playlist? What’s in the garden? What’s on your stove?
Land management is mainly what I do when I’m not here, Farmers’ Almanac, listening to my wife, and that’s about it.
We should probably stack rank that in a different order.
We should. Right now, it’s land management, Farmers’ Almanac, and then listening to my wife. If she was standing right behind me, it would be listening to my wife.
I gave you the opportunity to do that twice and you rejected both.
I rejected it. I can do that because I have been married for 30 years. She understands and knows the truth behind it all. I live on 15 acres. I escape by managing a 1-acre pond. I have a significant garden in that I grow all kinds of things. I’ve got an orchard. I’ve got ATVs, UTVs, lots of guns, and a 200-yard shooting range. After this, I could literally walk outside and pick a gun and go target practice, and be back in five minutes for my next meeting.
Let’s talk more about the garden to make sure that we don’t alienate anybody in the community. What’s grown in the orchard? What’s in the garden?
We have peaches, plums, and apples in the orchard. We have asparagus, tomatoes, potatoes, okra, black-eyed peas, and also strawberries in the garden. That’s significant because it’s quite large, so that takes some time to do out there. The land management, I got a couple of miles of fence that I always have to maintain. It’s all fun, good, and relaxing. It’s my way to enjoy the land.
You are absolutely going to be the fourth show in the Yellowstone series. It’s going to be Yellowstone, Skipper. It’s going to be you out taking care of the okra and black-eyed pea. Our man is in Texas. When you hear what’s growing in the garden, that’s what you know is growing in the garden.
Unlike Yellowstone, I don’t have horses. I have miniature donkeys.
Those jokes write themselves. I’m going to save them for episode two. Shameless plugs. You are someone who has been and continues to be present. The video content. What’s going on with your calendar? Where can people find you if they are looking for you?
I have to tell you, he replies. Not because I have known him for years and we have done a few ridiculous things together, but because he has a genuine concern for all of these sorts of things. Are there any speaking engagements coming up? Are you doing any of the big shows?
They are on the radar. I have regional events and then bigger events, all the RSAs, the Black Hats, and the LMNOPs of conferences. We’ll cross paths. I’m sure.
There is a beautiful professorial beard happening right now, although not anymore in our industry. We scratched the surface, but there’s a lot more itching and scratching that needs to be done. Will you come back?
I will. This has been great. This has been fun.
There it is. You heard it, audience. Chad Skipper, The Revenge Part 2. He’s coming back. Until then, thank you for joining us on the show. A friendly reminder, all comments reflect the personal opinions of the participants and not necessarily those of their employers or organizations. Shameless plugs. You didn’t even shout out VMware or anything. Do we want to give them any love at all or not?
Absolutely. It’s VMware, NSX, and Carbon Black. Go to the blogs, Blogs.VMware.com/security. You are going to find lots of threat intelligence and information about what we see relative to lateral security right inside your organization.
He’s so charming and delightful. I completely forgot about mentioning what keeps the power on over there. For all the information that’s good in the world of cybersecurity, make sure that you check us out on LinkedIn and Facebook, as well as the mothership, ElevatesSecurity.com. You can find me at @PackMatt73 across all of the socials.
I keep bringing in these amazing superstars. As Chad has already teased, there’s someone else who might be coming in. Hopefully, you have checked out some of the early ones and all the cool stuff that they are up to. All we ask is to subscribe, rate, and review. You will never miss all of the great folks who are literally changing the world and keeping it safe. Until then.
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- LinkedIn – Chad Skipper
- @ChadSkipper – Twitter
- Farmers’ Almanac
- @PackMatt73 – Instagram
About Chad R. Skipper
Chad R. Skipper serves as a security technologist, marketing and sales executive focusing on a broad section of the Information Security space. Skipper continues to contribute heavily within sales, product development, engineering, security research, product marketing and product management. Skipper is a seasoned public speaker of many security topics through a variety of venues and is co-author of “Next-Generation Anti-Malware Testing for Dummies”. Whether at Symantec, Cisco, Dell, Cylance and now Lastline, Skipper has played a significant role in the security design and architecture of endpoint; network; cloud; and hosted security services, as well as in advancements of security prevention; management; monitoring; testing; and intelligence mitigation solutions.