Episode Summary

The so-called Mother of All Breaches recently made headlines with its sheer number of records leaked—26 billion. And while it’s not necessarily as earth-shattering as the headlines make it seem, it brings up important questions about the cryptic ecosystem where this kind of breached data circulates: the dark web. What is the dark web and how did it come to be? Who hangs out there, what can you find there, and how does it fit into the threat intelligence lifecycle for your organization? Nick Hyatt, threat intelligence director at Blackpoint, joins Mac to discuss.

 

Transcript

MacKenzie Brown: Welcome back everyone, to another riveting episode of Return of the Mac.

So the so-called Mother of All Breaches recently made headlines actually in some dramatic click bait, but honestly it’s Forbes. So I do lean in a little bit more depending on the publisher of some of these articles, but they’re talking about the Mother of All Breaches, or MOAB, being the sheer number of records leaked, 26 billion—billion with a B.

And while it’s not necessarily earth-shattering news to discuss this in the cryptic ecosystem, it does bring light to a topic that I’m really excited we’re gonna focus on today, and maybe more episodes in the future around this topic as well. But we’re going to demystify some of these things and we’re gonna start talking about the dark web.

That’s right, we are shedding light on a dark topic. See what I did there, that was really good.

So basically, whether you’re new to the show, a noob in general, a normie, or an expert, we’re gonna start from the basics and we’re gonna talk about the dark web. What it is, who’s in there, what’s hanging out. We’re gonna talk in a little bit, start with our hot topic around this, specifically this 26 billion record leak or the MOAB is what we’re calling it. And then I also wanna kind of explore a little bit about, we’re talking about these things to understand them, but also from a defender’s point of view, how does this work with a threat intelligence program?

So without much ado, going to introduce my guest today, Nick Hyatt. So Nick is not only a good friend of mine because it is a small cyber world, but also he is Blackpoint’s threat intelligence director. So we’re really excited to have him here today and to be talking about this.

And Nick, we met when you were, well we met in the trenches of incident response and Optiv, but you also were a practice manager for Optiv’s global threat intelligence center. And of course between that, it sounds like you have enough viewpoints in the world between IR and threat intelligence that I’m really excited to dig into a little bit more. So welcome.

Nick Hyatt: Yeah, thanks. Thanks for having me on. So if there’s one thing I have, it is, it is opinions for sure. But yes, it’s, it’s very good to be here. I’m so proud of you. We met when you were the little antelope and now you’re the lioness. So love it. But yeah, super happy to be here. You know, this was one of the cool things that I saw you doing. I was like, I need to be there. So here I am.

MacKenzie Brown: I really do think we’re just going to touch the top of the iceberg, but I really think this topic we may have to dig in even more so back today. But we’re going to start from scratch because I do think that a lot of people have this concept around the dark web. It sounds like a very scary place, but I think what you and I will talk about a little bit is demystifying it in a way so it’s not as scary and it kind of feels like it’s a little bit more of part of our economy and normal social structure in the world and society operates now with the dark web behind it.

Nick Hyatt: Yeah, you know, it’s interesting that you bring that up because we hear about the dark web all the time. Oh, there’s all kinds of spooky stuff on the dark web.

But when you look at what the dark web is, the dark web is literally just the part of the internet that is not indexed by a search engine, right? So you have Google search, you have Bing, you have all these search engines. DuckDuckGo if you wanna use one that doesn’t track what you’re searching for. But it’s just an area of the internet that isn’t indexed by these things.

And so, yeah, there’s some bad stuff on there, but it’s not all bad. It’s just stuff that isn’t indexed.

MacKenzie Brown: Right. And that was the other thing I was gonna preface too in the introduction of this and I didn’t do it, but really it’s also understanding the use of the dark web for anonymous communication. So people who are communicating maybe with journalists, people who are trying to get more information to protect themselves, maybe they live within an area that is under an authoritative regime or a government.

And so I have heard of stories where the dark web has enabled people around the world to also protect themselves, which sounds weird.

Nick Hyatt: Yeah, exactly. One of the key factors in the dark web that comes into play both from a criminal aspect and from just a survivability aspect is its anonymity. So to get on the dark web, you need a specific tool. You need the Tor browser. But once you’re on there, it functions just like any other part of the internet, right? It’s just that door opens the gateway to it.

And then it’s a fully anonymous environment. So it helps and facilitates both threat actors and folks that, you know, freedom fighters, folks that don’t want to have any sort of attributable information to them, things like that. So yeah, there’s all kinds of uses.

MacKenzie Brown: Cool. And bad stuff, right?

Nick Hyatt: Oh yeah, there’s all kinds of bad stuff. And that’s what we’re here to talk about, right? That’s what we find interesting is all the bad stuff.

MacKenzie Brown: This is why I watch crime documentaries too. I really want to know what’s going on in the background.

Well, that does bring us to the hot topic too, which is this MOAB. It’s this 26 billion records leaked data set of Dropbox, LinkedIn, Twitter, Adobe, I mean, you name it, someone was clearly more productive than I have ever been in my entire life. It took time to aggregate all of this data.

So in this, you know, kind of in the title here of understanding that security researchers have brought this to light about this database of no less than 26 billion—granted, there was a lot of overlapping data from what I’ve read, a significant amount—that was discovered.

So in this data leak, or what they’re referring to as MOAB, Mother of All Breaches, they have found that, oh, it just feels like click bait, but I know it’s not. It does make sense, but they found in this case a threat actor or data broker—I don’t even like saying the word data broker. I feel like they’re data dealers. A broker sounds like it is above my net worth, someone I could hire, being a data broker.

But essentially, they compiled 12 terabytes of data, 26 billion records into a single open storage instance, and all of this data was pulled from, well, you guessed it, cyber attacks, leaked breaches, phishing schemes, and of course, also an assortment of US and government-based data was intertwined with it.

And really, this comes back to the whole that, yes, from an identity attack standard, password sprays, credential stuffing, these things are still a thing, folks. They’re not going anywhere. And productive bad guys like this managed to put it all together.

So Nick, thoughts? Why is this relevant? I do feel like we’re really desensitized as people right now to things like data breaches or leaked records. But why is this relevant? Why does it matter?

Nick Hyatt: Yeah. So you bring up a good point that we are desensitized to this sort of thing, right? Because not a day goes by that we don’t have another vulnerability or another data leak or somebody else got breached and our data is out there, right?

So I think we need to preface this by saying when you are thinking about credential leaks and stuff like that, it’s not just, oh, you’re on social media, your data got leaked, stuff like that. It’s if you have a presence on the internet in any capacity, your data has been leaked. And when we talk about credentials, we don’t just mean usernames and passwords. We also talk about identifying information like browser data, things that you have stored in your browser passwords, you know, sometimes credit card numbers, things like that.

But what all of this is, is what I like to call the Mother of All Database Joins, right? So a lot of the data in here, you know, tracking back to the 2013 LinkedIn breach, is what’s in here, right? So this is sometimes 10, 15 year old data that’s in this. But what it is now is that it’s all in a singular place, right?

And so 12 terabytes of data is a lot of data and it’s all of these amalgamated breaches just clustered into one. Now there’s very likely some new data in there, but for the most part, this is just yet again, as we often see with these headlines is that, oh, it’s another massive data breach. Now, really what it is, it’s a bunch of old data that’s been mashed together and pushed out into the public.

MacKenzie Brown: Right. So it just feels like a really dramatic headline. Like it just feels like it’s a lot and doesn’t actually matter. Even though, but to get a name like MOAB, it does sound like it has to be somewhat important.

Nick Hyatt: Yeah, exactly. And from a scale aspect, it’s 26 billion with a B, right? It’s like, do you think that there’s some threat actor just going through line by line through a 26 billion-line Excel spreadsheet, just of all of this? No, number one, Excel would crash, but you know, it’s still just a staggering amount of data.

I mean, 12 terabytes of data, right? That’s where you can put that. You’ve gotta deal with storage and all this other stuff. But the thing to really take away from this is that these credentials and things like that are really the originator, the originating point of a lot of cyber attacks, right?

So if we look at what’s going on in the news today, not only is this a headline, but just last week, you know, Microsoft themselves were victim to a credential stuffing attack. And it was on a legacy account that had a weak password, allegedly, and didn’t have MFA on it. They admitted it themselves.

And so one of the things you have to remember, and we’re a little bit desensitized to this too, because we’re in this industry, security is hard, right? So one of the biggest companies in the world with one of the biggest investments in security and things like that, still got popped by a credential stuffing attack.

So when you think about it from that aspect, it’s like, yeah, our data’s out there, yeah, we’re desensitized to it. But there are steps that you can take to protect yourself at a basic level to increase that barrier of entry. Because these attacks are real and they’ll use this data for that.

Even if it’s just not, hey, they’re gonna come after Joe Smith that lives in Eureka, Iowa, that, oh, hey, what does he have that the threat actor cares about? Well not really anything, but he has the capability to use the same password in multiple places that could then lead to a cascading effect. Yeah, no, everybody uses password one and it’s the most secure password ever. Just use it everywhere. It’s fine, to this day.

MacKenzie Brown: Man, I just feel like you talk about some things. And it all leads back to identity. Everything is going to come back to talking about password cracking, stealing of credentials. And I just want something new, something fresh and different. But I don’t feel like we’re at that point.

What is the intent of a person, likely a data broker or a bad guy, an adversary putting together this data? Doesn’t it kind of benefit us though if you think about it? If you have dark web scanning technologies and you want to absorb and cross reference some of the data for that overlapping data, doesn’t it kind of benefit them a little bit because now from a technology stance we have even more visibility of what’s already out there, what users and systems are at risk.

Nick Hyatt: Yeah, so really the net benefit to a data access broker or a threat actor is really if you look in the ecosystem that these guys operate in, you really have, you have data brokers which are like, hey, I’ve got this big breach, all of this data access to site A, right? And we exfiltrated this data, we’re gonna sell this data just out on the dark web.

And sometimes even in the clear web, right? So if you look at something like BreachForums, BreachForums is a clear web website that deals in data dumps, right? But clear web, deep web, dark web, any of these areas. So yeah, the three webs, right? The iceberg, you made the iceberg comparison. But so they’re selling this data and threat actors will buy this data to then facilitate their initial attack. So that’s the net benefit.

And when you have all of this amalgamated into one giant area, you can be like, hey, we’re gonna do some rapid testing across all of this data to see what works and what doesn’t. And then we’ll take that and say, hey, this is verified working 10 million email addresses. Pay me $260 US and you can have this.

And then if you even have like a 1% ROI on that, so you buy 10 million addresses and 1% of them end up working for a password spray attack, then you can gain initial access to an environment. You can deploy malware, you can deploy ransomware. You can get a massive cascading ROI on this just by buying that initial access.

So that’s where the value is for these threat actors is that the initial access brokers will sell this, the threat actors will buy it and then turn around and use that for initiating their campaigns.

MacKenzie Brown: Yeah, we were talking about that. One of the case studies actually is what you’re saying on the return on investment. It sounds like we’re gonna become a finance podcast here talking about this particular topic, but we were talking about like, okay, so you could probably get, if you’re lucky, domain admin level type of credentials, you could purchase them, or if it was extremely targeted, maybe you spent a couple hundred dollars.

But if you turned around, got access to the environment, played it low and slow, not a lot of noise, drop some sort of level of persistence, and then resell that access, or resell general information about the environment, you could sell that access for probably more than the credentials, right? If you…

Nick Hyatt: Yep, absolutely. Yeah. And we see these advertised all the time, right? Is that like, I’ve got access to a major US financial institution, $500, you know?

And so the idea of, the brokers resell the list of data, then the access brokers will resell access to an environment and then a threat actor will get in there. And let’s say you’ve got a ransomware as a service operation, right? So they’ll sell the license to use their ransomware, and then this threat actor will get in there, deploy the ransomware. The original developer gets a cut, this guy gets a cut. So you see how-

MacKenzie Brown: Full ecosystem, full syndicate here.

Nick Hyatt: Yeah, you made the joke about a financial podcast, but it’s a business.

MacKenzie Brown: These are your compounding interests, right?

Nick Hyatt: And that’s the thing, it’s like, right, exactly. You’re compounding interest on Granny Smith’s login to Hotmail, right? Because she used the password “ilovemygrandson” everywhere. But you see how this is not really the domain of just some kid in his parents’ basement, right? This is major international crime syndicates, right? And I’m not trying to be alarmist and things like that. It’s just the reality of the world that we live in, right? Is that these are criminal enterprises, it’s a business.

They have HR departments, they have negotiating departments, and you’ve got guys like Evil Corp that are out there with wrapped Lamborghinis and stuff like that, but you’ve got other guys that, hey, maybe they’re just-

MacKenzie Brown: Oh, that’s like one of my, that’s one of my favorite. Have you seen the picture with—Oh, did I mute myself? Can you hear me? Okay, good.

Anyway, did you see the picture with, it was, I don’t think it was, it wasn’t Evil Corp, it was another group, and he was pulled over by a police officer, and this was in Russia, outside his Lamborghini, and he’s just casually talking to him and then gets on his way. Just super casual, wrapped Lamborghinis.

Nick Hyatt: Yeah, exactly, exactly. You know, and so maybe you have some guy that is just pissed off at his boss, right? It’s like, hey, you know, my boss isn’t paying me very much money, I don’t like it here, this place sucks. You know, let me see what’s on, you know, who’s asking for access?

Or maybe they get hit up by a threat actor, like, hey, we’ll give you $10,000 if you give us access.

MacKenzie Brown: Right. Here’s those insider threat programs that no one ever built up.

Nick Hyatt: Insider threats, right? Yeah, exactly. So you see how you start building the spider web of your basic stolen credentials lead to, maybe it’s an insider threat, maybe it’s an access broker, all of this other stuff. So while yes, the headline of it’s 26 billion with a B records and they’ve all been stolen, could you be next, is definitely like, yeah, if it bleeds, it leads, but the core concept of your data is out there and there are things you can do to protect yourself is the message to take away.

Whether it’s a Target breach or, you know, and by the way, all of these companies don’t send your goons to assassinate me. Like I’m just saying, whether it’s a-

MacKenzie Brown: No one’s gonna do that.

Nick Hyatt: I don’t know, maybe, you know.

MacKenzie Brown: I mean, so I was trying to look up the history around the dark web and really how it started and is it true that it was back in the 70s, you know, you have ARPANET, but it was utilized by Stanford students to sell weed to MIT students. Is that really, I don’t know…

Nick Hyatt: Well, you know, there’s a little bit of element of truth to every legend, right? Urban legends don’t become urban legends for no reason. And with the proliferation of weed stores just down the block, right? You don’t need to use the dark web to sell weed anymore, but you’ve got stuff like the Silk Road, right? And this goes into some of the things that you were talking about with like, hey, there’s bad stuff on the dark web. There absolutely is, right?

I’ve done a lot of work in this space around IR and consulting and things like that. As you know, we worked together back in the dark ages, which was like, what, six years ago? But either way. But there’s always this question of, hey, we wanna know what’s out on the dark web. What’s out there about us?

And really, unless you’re involved in three things, which is narcotics, weapons, or abuse material, which we won’t get into because that’s a whole other thing, what’s on the dark web is usually just data. Like what’s in this dump is that, unless you’re actually going out and seeking bad things, much like with any crime, if you’re going out and seeking bad things, yeah, you’ll get involved.

And if you look at stuff like the Silk Road, facilitated by the rise of cryptocurrency and that sort of thing, you know, it’s all narcotics, selling narcotics, things like that. So there wasn’t a heavy information trade on the dark road. It was all narcotics, assassinations, guns, all this other stuff.

MacKenzie Brown: But fast forward to 2010 and that’s where we’re seeing cryptocurrency, post-Silk Road now being utilized though for ransomware attacks too, what we’re seeing on the cyber side. It almost makes cybersecurity less sexy to be honest, is when you start talking about the dark web because you could really accomplish a lot on a target as an adversary just by leveraging what’s being sold on these forums.

Nick Hyatt: 100%. And here’s the thing to remember is that one of the things, one of the recurring themes in our industry is like, what are the big bad guys doing, right? Like what’s Midnight Blizzard doing? What’s APT 29 doing? What are all these cool buzzworded marketing groups doing?

MacKenzie Brown: Right. I was gonna say good job for using the right word of Midnight Blizzard. They’re gonna switch it up again, but yeah. No, that’s perfect.

Nick Hyatt: But what are they all doing? And what they’re doing is they’re not burning zero days on every little target, right? What they’re doing is they’re getting these credentials. They’re probably not buying them. They’re probably just be like, hey, give me. And they’re taking these. And then they’re just doing a password spray attack.

Like what just happened to Microsoft, that they themselves admit it. So it’s not hearsay, anything like that. It’s in their write-up. Like, hey, we didn’t have MFA on this. It had a weak password, got hit by a credential stuffing attack. Boom, and now your CEO’s email is getting wrecked.

MacKenzie Brown: Right. I feel like the one question I’ve gotten asked before by just regular people, and this question was asked by a cop too, and he was just curious. He’s like, so is it illegal for me to get on, you know, the Onion Router? Is it illegal for me to explore the dark web? Like, where does the liability shift though, if you start looking at these forums and you’re doing it kind of recklessly, but it’s purely from a threat research basis?

And we were talking about this internally when we were doing a little bit of this research too of like, hey, can we find some, I need to find some web shells. Like I wanna see some good examples, which I’ve pulled a couple, but where’s that liability conversation as defenders or threat intelligence analysts, you’re coming in and looking across this as, isn’t it gonna come back to you eventually?

Nick Hyatt: So I wanna preface this by saying I’m not a lawyer. This is not legal advice, right? This is just you and me having a discussion.

So it’s not illegal to get on the dark web at all. Anybody can do it, just go download Tor. Like we said at the top of the show, right? You can use it to bolster anonymity. I mean, I know some people that the only browsing they do is via Tor.

So, you know, it’s not that they’re out there doing bad things, it’s that they appreciate the anonymity that the dark web gives them. But there are certain lines that you can cross, right? So it’s not illegal to go join a hacking forum, right? You can have an account on BreachForums, but just be aware that there are bad actors associated with these forums.

And then if they’re ever taken down by law enforcement, you know, maybe your name is popping up there. And you’re not doing anything, you just have an account. But if you start posting on stuff, that can cascade back to you.

So, you know, it’s one of those things where what is your personal threshold for risk, right? So this is not saying go on the dark web and buy guns and drugs and whatever, don’t do that. You know, this is not a Warren Zevon song. This is not send lawyers drugs and guns, or lawyers, guns and money, right?

But you know, there’s a certain amount of, you know, let’s take the aspect of a gun, right? You know, you treat every gun as if it’s loaded. So when you’re dealing with the grayer areas of things, treat it like it’s a loaded gun, right? Don’t point it at anything you don’t wanna kill.

So it’s, don’t point it at your own foot and shoot yourself in the foot because you thought, hey, I’m on the dark web, I’m anonymous, I can click on this, because that’s not how it works, right?

MacKenzie Brown: No, you’re messing with business.

Nick Hyatt: Exactly. What we find, like with the Silk Road being taken down, is that it’s a cascading thing, right? So law enforcement is active on the dark web. You know, they’re on these sites. They’re monitoring these sites. So just use a respectable amount of smarts when you’re doing things that, you know, maybe aren’t kosher.

MacKenzie Brown: Okay, okay, so curiosity could in fact kill the cat in the terms of going on the dark web and liability, and you’re not a lawyer, nor do you want to play one on TV.

So we were kind of playing around though, around this research of, okay, let’s look at the marketplace and see what’s for sale, because I am kind of curious. So we pulled some artifacts and we’ll show some of the screenshots that we were able to pull. But like one of the things we wanted to do is, can I get like a standard cost of supplies for things like a web shell, and being able to find just, I need a good web shell that gets you initial access.

And then we searched a good amount and we actually found a Telegram post, a message selling web shell access. It says, I need .edu, .gov or high DA fresh web shell for SEO. Assuming DA’s domain admin? I mean, I don’t know how to speak dark web talk here.

But it was interesting. So if it’s .edu or .gov, they’re going for about 60 to 120 bucks. And then if it was like an organization.com-based DA level, it goes up to $150 as well. Index fresh, not hacked. Translate this for me, okay? Like what is this? Home dir.

I know directory clean uploads has, looks like some capabilities to actually get system access or pull data, I’m guessing, based on that. Is this just that, this is just step one?

Nick Hyatt: That’s how it’s conducted. Yeah, that’s step one, right? So this person wants access to .edu and .gov addresses for SEO, right? So what are they doing here? So maybe they’re a malware author. Maybe they wanna get an info stealer out there.

And so one of the other things that we’ve talked about from the APG, from the Blackpoint Adversary Pursuit Group, my team, is that one of the things that these folks do is they will go out and they will basically play the SEO game, search engine optimization. And they will look for things that people are searching for, right?

So maybe somebody is searching for how to put a table of contents in Word. And so they’ll put an ad out on Google at a website, maybe compromised infrastructure at an EDU or a .gov, and they’ll put up their malware that is called “WordTableOfContents.exe,” right?

And so when that person types into Google “how do I put a Table of Contents in Word,” boom, up comes this ad that serves this malicious software. They download it, they run it, all of their browser data gets stolen, compiled into one of these breaches and then resold to facilitate further attacks, right?

So it’s a very, again, it’s a whole ecosystem, right? And we could spend hours and hours talking about how these ecosystems work, how they started, things like that, but yeah.

MacKenzie Brown: Right, I mean the other one we found too was, you know, password dump, data dump, saying 65 to 75% of these accounts are valid, $500 dash buy, like I’m speaking dealer, I don’t understand any of this, 125 for every 100K and negotiable, so that’s nice, they offer some negotiating power, that’s really nice.

Nick Hyatt: Yeah. Right, yeah, gotta be flexible.

MacKenzie Brown: But it’s kind of what you’re saying too, they’ve clearly pulled from Yahoo, Gmail, Pornhub, Microsoft, VPN services, bank, and they have terabytes of data for sale in this case.

Nick Hyatt: Yeah, and is all of it good data? Maybe not, but when you have bulk data like that, it’s just a matter of like I said earlier, I’ve got 10 million accounts, 1% of them are legit, what’s my ROI on this? So, you know, again, it comes back to, if I spend $100 on buying some account or a compilation of accounts, and then 1% of those are legit, but I make 10 grand off of the data that I take from it, or the ransomware infections that I distribute, things like that, then massive ROI.

So it just, again, it’s a big loop of, yeah, we’re operating on Telegram and be aware, Telegram’s not the dark web, right? Telegram’s just a messaging app you can get on your phone. So, you know, these folks just aren’t only in the dark web. Like it’s all on Telegram, it’s on the clear web, it’s on the dark web. So they’re among us, right? The actors are among us.

But the important thing to remember is that it’s not just you, right? They’re not targeting Mac. They’re not targeting Nick. Well, I mean, maybe they target us because we’re cool, but you know, they’re not targeting individuals. They are targeting credentials.

So what they want is the same password over and over and over again, because, hey, you mentioned somebody had their Gmail or their Pornhub, right? They’re not putting a really detailed password on Pornhub. I’m pretty sure, right? But if they’re using Spring2023 on their Pornhub account and it’s their work password too, uh-oh, you know, that’s what happens.

MacKenzie Brown: Okay, and then that’s where, yeah, that’s where the credential stuffing comes in.

Nick Hyatt: Exactly.

MacKenzie Brown: Okay, so I like to always bring it back to the defenders, kind of broken down like what it is. It doesn’t sound that complicated. It’s not that scary. But we do see a lot of product pitching out there around dark web scanning technologies. I know we’re pushing out our own technology, but tell us about this process where us as defenders are using these technologies and the process around white glove notifications or how we’re supporting our customers, what does that actually look like? How can we build out a threat intelligence program that incorporates this OSINT type of process or capability into it?

Nick Hyatt: So I’m gonna get up on a soapbox here a little bit when we’re talking about threat intelligence and what it can be used for, right?

MacKenzie Brown: I love that. Strong opinions…

Nick Hyatt: Because yeah, strong opinions, opinions with a capital O, I’m not afraid to share them.

MacKenzie Brown: …require strong drinks.

Nick Hyatt: So, you know, threat intelligence at its core is educational. It’s an educational tool, right? It gives you context to the world around you or the environments around you, things like that. So when we’re talking about the dark web and we’re talking about white glove notifications and things like that, what are we helping to protect against? What we’re helping to protect against is these low level credential stuffing attacks.

Which by the way, something to the tune of 75 to 80% of all malicious attacks start with the person, whether that’s social engineering or credential stuffing or phishing or what have you. So threat intelligence, when you approach it from that standpoint, is how do we help the organization or the person protect themselves?

And so if we can give that heads up like, hey, this set of accounts from your environment showed up on our dark web resellers page. So it’s all of these accounts with all of these passwords.

What’s your immediate action? Go change those passwords. Put MFA on those accounts, right? Because that makes the barrier to entry for attackers harder. And what is the one thing that criminals are? Is lazy. So again, and I don’t mean that in a derogative term. I mean that in they are gonna go for the low-hanging fruit.

Look at Midnight Blizzard, right? They didn’t burn a zero day on Microsoft. They burnt a password spray attack, which is five minutes in an afternoon. It’s a basic thing, right?

So if we’re saying, listen, these accounts showed up in a dark web credential sale, you need to make sure that these are password protected. They have MFA on all the accounts, not just mission critical stuff, just put MFA on it, right? It’s 2024. Put MFA on every account that you have. Okay. Get your buy-in, whatever. Just do it.

MacKenzie Brown: I mean, we say it in every episode and every single talk. I can’t, I can’t say it enough.

Nick Hyatt: Just do it. Get the MFA on there. And then if you really want to take that next step and you have the cycles for it in your SOC or whatever, monitor those accounts for rogue logins, things like that.

It ties into some of the cloud work that we’re doing. Where we’re looking at, hey, this person logs every day from New York, and last Tuesday they logged in from Romania. Guess what? It’s probably not them. Yeah, so it’s probably popped. There’s your pivot point, right?

We talk a lot about pivoting, clustering, and actor attribution, things like that. None of that matters here. What it is, is what is abnormal, right? When you look at the normal behavior and environment, if it looks like it’s abnormal, you go look at that.

And this is a way to do that, right? So you know what to look for, because we have, let’s say you’re a company of 1,500 accounts, right? How much traffic are you seeing around that every day? If you’re monitoring it. If you’re monitoring it. You’re seeing a lot of traffic. But if you get a notification that says, hey, these 100 accounts showed up on a dark web credential dump, then you have that targeted area to look at. So that’s what I mean by threat intelligence designed to enable, to give context to things.

Because, Oh, I wanna know everybody that’s attacking us, right? Well, it’s the whole internet, you know, next question. But if it says, which of our accounts have been exposed on the dark web and what should we do? Then that’s something threat intelligence can help you with, because then your intelligence analysts can say, hey, these attacks or these accounts showed up in these dumps on these dates, you know, this is our analysis of what the likelihood of them being attacked is, you know, let’s make sure that we get these MFA enabled, passwords changed, increased monitoring. Those three things, yeah.

MacKenzie Brown: Right. I do feel like that’s also a part of the investigative process. In many ways, we would see, we’d get to the end and we’re doing our after action. And they’re like asking us, them being the victim organization at the time, but would be very curious of how did patient zero get popped. And in many cases, we couldn’t say. We couldn’t determine it.

And I do feel like what we’re kind of even doing at Blackpoint that I find interesting is leveraging these scanning tools to say, well, we triple checked, pulled some of the accounts in question or anyone involved within that attack path just to go back in time and say like, yeah, they are kind of exposed online. So likely it was that.

It feels like we went from the stages of reconnaissance, always not really leaving a footprint, and now initial access rarely leaves a footprint. You automatically have, you know, privilege escalation and then you see everything after that. But how that privileged account got popped, I feel like that’s where we’re starting to see this is where the dark web comes into play because it’s almost creating no footprint outside of immediate priv and lateral traversal.

Nick Hyatt: 100%. So one of the things that people often get irritated with me about when they’re asking me, well, how did this happen? It was because I give the textbook response of it depends because it does. Right. You were, you were an incident responder. You know, how many times did you write a report where you had to come back to a root cause and you were like, I don’t know.

MacKenzie Brown: We could not find the data to support this. Best just to clean it all. Clean it all up. Just reset everything.

Nick Hyatt: Yeah. This is like, you know, shake the magic eight ball, it says, you know, you know, results unknown.

MacKenzie Brown: Results unknown, I need that magic 8 ball. 404 error.

Nick Hyatt: Yeah, exactly, 404. But it comes back to the fact that if you are spending the time doing historical analysis on these attacks during an active attack, you’re misallocating your resources, right? Because you need to stop the bleeding. IR is about triage. It’s about stopping the bleeding, getting an environment secure and back to business functionality, right? So you can actually make money.

And then you take that time and you’d be like, hey, threat intelligence team, here is all of our data from the last engagement that we did. Why don’t you go through this and see what trends you can find out? And the threat intelligence little gremlins that they are gonna be like, yes, let’s do this. And then we’ll go through there and be like, oh, hey, here’s this, here’s this, here’s this.

Are we gonna find root cause? Maybe not. And sometimes it’s really simple, right? Sometimes it’s, oh, you know, somebody in accounting downloaded this PDF and it was a bad PDF and then the attacker, you know, set up a reverse shell, boom, done, game over. Sometimes it’s that simple. Sometimes it’s not. Sometimes there’s no logging. Sometimes you can’t get an image. Sometimes there’s nothing in memory, all these other things. But when you understand, right, exactly. And we’re just human, right? We’re not computers.

So when you understand the context of how these attacks start, that a lot of these attacks start with, oh, these credentials got stolen and then reused for initial access, things like that, you start to paint this picture of how these attacks work.

So you say, yeah, it seems pretty simple, and it is. It is. It’s a very simple attack path. But once you start ratcheting up the complexity, like if you’re going against a hardened target or something like that, that’s the stuff that always hits the news.

So people are just like, ooh, security is so hard, how do you do it? Well, I’ll tell you what, 90% of my job is I Google stuff, right? I look on search engines for who did what, right?

MacKenzie Brown: The secret’s been told.

Nick Hyatt: Right, somebody else has had this problem. Now, it often is annoying whenever I look for a problem, I go to a forum and it’s a post I made where I just said, hey, I fixed it. I’m just like, past me, what did you do? How did you fix this? I have forgotten, I’m old.

But yes, security is hard, but the more that you understand about attack paths and the nature of these attacks, the more it becomes less difficult, right.

MacKenzie Brown: It’s less complex. Yeah, absolutely, absolutely.

Okay, so we talked about the basics of the dark web. Not that scary, not that complicated. How it’s affected blue teams, threat intelligence efforts, how threat intelligence can help you. If we met again and did this, what are the other layers of the dark web that people don’t quite understand that we haven’t touched on?

Nick Hyatt: What haven’t we touched on? Well, there’s some stuff that we haven’t touched on that we can’t talk about in a polite podcast, right? So we’re not gonna talk about this.

MacKenzie Brown: What’s a polite podcast?

Nick Hyatt: Yeah, good question. I don’t know, it’s not this one.

MacKenzie Brown: Probably not. I’m going to have to tell Patrick to blurb out every time I say pornhub. I don’t even think I’m supposed to say that on this. Pornhub. This is not a polite podcast, yeah.

Nick Hyatt: Let’s just go down the list of words that’ll get us banned from the Apple App Store or Podcast Store or whatever. I don’t know, I’m old, I’m a Luddite, I don’t use these things.

But let’s see, what can we talk about on the dark web? I mean, realistically, I think diving into, when you’re trying to build out a response program or a TI program, how much attention do you pay to the dark web, right? Like is it worth your resources?

Stuff like this Mother Of All Breaches is a headline maker, right? You’re gonna get questions from your leadership. Like, hey, what do we need to know about this? Is this a thing? Are we in this? The answer to that question—

MacKenzie Brown: But there’s so limited information. It’s not that complicated. It’s just like, yep, here’s all the data. A lot of it’s overlapping. It’s our giant scrapbook of breaches.

Nick Hyatt: There’s the key though. There’s the key, you just unlocked it. You just unlocked it, it’s not complex to us. But for people that are not in our world, it is complex.

MacKenzie Brown: Okay. How would you translate? And how would you translate? And maybe this is a great way to wrap up too for the viewers is like, how do you translate this from server room to boardroom of MOAB? Cause they wanna know, they’re like, I read this article. Microsoft’s executives just got popped. Cause CrowdStrike wanted to talk about it.

Nick Hyatt: Don’t panic is the first thing, right? 100% because like, remember, what’s one of the things that you did as an incident response consultant, that I did as an incident response consultant? It’s incident management, right?

It’s, hey, everybody else is running around with their heads cut off, like, holy, holy F, we are screwed, what are we gonna do? And then you, you know, walk in, slinging the big guns, and you’re just like, hey, I got this. Chill.

And then, so if you come in and be like, don’t panic. Use the people that you have hired to be like, ask pointed questions: What do we need to know? Are we in this data set?

The answer to that is yes, 100%. If there’s 26 billion records in there, you’re in it probably, right? It’s more records than there are people on earth. You’re in the dump, right? If you have a presence online, you’re in there. You’re in the dump.

So don’t panic. Understand what you need to understand to make sure that your bases are covered, that your crown jewels are protected, that you’re doing basic security hygiene, right?

So maybe this is the impetus that you need. Be like, hey, boss man, there’s this Mother Of All Breaches. We’re in there, can we roll out MFA, right? Leverage. So leverage news stories like this to help you build your security program to get those basics in place, because I guarantee you, if you do the basics well, you’re in a better position than 75% of the orgs out there. If you do MFA, good passwords, use a password manager, use a physical security key like a YubiKey, something like that, that will help you.

So what can we talk about? We can talk about how much do you need to worry about the dark web? And I have opinions on that, but maybe for another time, yeah?

MacKenzie Brown: Yeah, maybe more of a happy hour situation, because I just, I love the good strong opinions around this. And this has been fantastic too, because I feel like we see a lot of buzzword marketing stuff out there around dark web technologies and scanning and having threat intelligence built in and people don’t even know where to turn from a security procurement side of the house.

And I do feel like just understanding that, hey, this isn’t new, this is definitely a part of our economy, to be honest, the world’s greatest economy. And also stay calm, it’s not a big deal. A lot of this data is probably stale. A lot of it’s not stale, but at the end of the day, the remediation recommendations are straightforward.

Nick Hyatt: Exactly.

MacKenzie Brown: We’re all exposed, we’re all already out there showing ourselves completely naked, but—

Nick Hyatt: We’re all naked and afraid, but here’s your clothes.

MacKenzie Brown: Here’s your clothes. All you have to do is put on a pair of pants, MFA being those pants and other reset methodologies, but I do, I love that.

Thank you so much Nick.

Nick Hyatt: Of course, thank you for having me on.

MacKenzie Brown: Thank you for joining. I think we’re gonna have to dig into this a little bit more. We might have to bring in some friends.

Nick Hyatt: 100%. I think we’ve got some friends. Yeah, we have some friends.

MacKenzie Brown: The threat intelligence side of the house. Let’s let’s get into that more, I wanna see a little bit more of that.

Nick Hyatt: Yeah, absolutely. I have opinions out the wazoo.

MacKenzie Brown: And oh, and so if anyone, shameless plug, we did just drop a blog that Nick of course authored around MOAB to get more understanding, understand a little bit of the links, obviously hit him up. And then you’re doing a webinar, right? I think you have a webinar too.

Nick Hyatt: I am, yes. February 8th, we’re doing a webinar on the dark web. You’re gonna see a lot of recurring themes, both in the blog and in the webinar. I would encourage you to attend them and read them, if not for just my glowing personality, which everybody loves.

MacKenzie Brown: I do, yeah.

Nick Hyatt: Oh, I appreciate that. I’m glad that I was able to come onto the show and be given a platform to give my opinions. It’s always a pleasure.

MacKenzie Brown: Yeah, if all else fails, you can just sell access on the dark web then at this point. You’re like, you know what, this isn’t working out.

Nick Hyatt: Hey, you know, if I didn’t have any morals, maybe I could have a wrapped Lamborghini too, right? You know.

MacKenzie Brown: Oh, yeah, gosh, it’s hard choosing the good side, to be quite honest. Well, thank you so much for joining me today on Return of the Mac, and we will catch everyone on the next episode. Thank you.
