3rd Party Risk Management , Business Continuity Management / Disaster Recovery , COVID-19
17 Scenes From the IRISSCON Irish Cybercrime ConferenceRansomware, Incident Preparation and More Accurate Language Dominate Discussions
Cybercrime in Dublin: Information security experts, IT professionals, executives and others flock to the annual IRISSCON conference, run by the Irish Reporting and Information Security Service, every November.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
IRISS is Ireland's first computer emergency response team and was founded by cybersecurity consultant Brian Honan in 2008. The next year, he launched the conference as a fundraiser for the nonprofit CERT's activities, and it's run annually except for a pandemic pause in 2020.
The all-day conference "focuses on providing attendees with an overview of the current cyberthreats facing businesses in Ireland and throughout the world and what they can do to help deal with those threats," organizers say.
Here are 17 visual highlights from the event:
1. Aviva Stadium
For the first time ever this year, the conference was held at Aviva Stadium on Lansdowne Road, not far for the city center.
The venue has a seating capacity of more than 50,000 and regularly hosts large soccer and rugby games and outdoor concerts. The choice of venue suggested the potential for next-level social distancing outdoors, if not a lunchtime scrum.
But as befits November in Ireland, the event was held entirely indoors, in a series of function rooms, including talks in a room able to hold 1,000 people, although configured for just 300 - again, to help with social distancing. Honan said the event had been set to recur at its prior venue, Jurys Hotel in the Ballsbridge area, until the U.S. government bought the premises to turn into its new embassy.
2. Proof of Vaccination
All attendees had to show a valid vaccine certificate to gain entry to the event, fill out a contact-tracing form and wear a mask when not eating, drinking or presenting from on stage.
3. Capture the Flag
"It’s a quiet Capture the Flag this year," one participant told me of the annual competition. Perhaps so, but the CTF also enjoyed the best view in the house, being set up in a bright, airy space just behind the glass-walled entry. Given that most CTFs I've seen have always been held in windowless conference rooms, lit mostly by the glare of laptop screens against participants' faces, these digs would have represented a marked step up for many, overlooking the massive Aviva Stadium pitch.
4. Pandemic Days
Earlier this month, right before IRISSCON was to be held, the Irish government announced additional lockdown measures, to be instituted the day after the conference. Whether the conference would have been allowed to continue had it been scheduled one day later wasn't clear.
"One of the most stressful things you can do is try to organize a conference in the middle of a pandemic when the government continues to change the guidelines," Honan told attendees.
5. Breakout Time
Honan urged attendees to visit the tables set up by IRISSCON's sponsors, who help fund not just the CERT but the annual conference. Attendees also pay 50 euros to attend. Honan said entry used to be free; the nominal cost is in place now to help ensure registered individuals do attend, or if not, that they cancel so someone else can take their place. He said this year's conference was at capacity, with a handful of people canceling the night before the event and another handful seeking last-minute tickets.
At the breaks - coffee, tea and snacks, or lunch, only to be consumed when sitting at a table, per government guidelines - many attendees told me how good it felt to be back at an in-person event.
Not pictured: the annual lock-picking workshop, a regular favorite of attendees, because it wasn't included this year. Martin Mitchell, who attended this year's event and would typically have hosted a lock-picking table, told me he had opted to put it on hiatus for the time being, given social distancing and hygiene guidelines.
6. Ireland Not Immune to Cybercrime
Ireland has of course never been immune to cybercrime, and this year was no exception, as cybersecurity journalist and conference moderator Gordon Smith said in his opening remarks.
"Everyone remembers the attack on the Health Service Executive this year," said Smith, referring to the country's national health service.
In May, HSE was hit by the Conti ransomware group, leaving numerous systems crypto-locked. The health sector saw serious disruptions as a result, leading to appointments having to be canceled, an inability to access blood tests and much more. The government called in the army to help wipe and rebuild systems, and it was a massive undertaking. By September, HSE told the Irish Examiner newspaper that 95% of systems had been restored. That same month, Irish police said they'd retaliated against the attackers, knocking a significant amount of their infrastructure offline.
7. Ransomware, and Then Some
What were the conference's sessions about? The short answer: ransomware and how to respond to it. Almost all presenters came prepped to discuss ransomware, given the disruptive impact it's been having on health systems, corporate networks and more.
But of course, ransomware is just one of many different types of attacks targeting organizations, said Ciaran Martin, who ran Britain's National Cyber Security Center from its launch in 2014 until 2020.
"Maybe the ransomware thing will come and go, maybe it will become a little less hectic than it was before," said Martin, who's now a professor of practice at the University of Oxford's Blavatnik School of Government.
Organizations can be assured, however, that so long as they have intellectual property, money or anything else of value, criminals and nation-state attackers will try to find a way to steal it, he added.
Such harms, for example, are "often chronic, rather than catastrophic," resulting in such things as "getting robbed," as in the case of Bangladesh Bank; "getting weakened" via online espionage, such as the 2015 U.S. Office of Personnel Management breach; or "getting hurt," such as the attack on TV 5 Monde that resulted in an 11-hour disruption.
Martin said accurately describing harms and the risk they pose remains key to reducing the harms your organization faces.
8. Know Your Enemies
Despite cryptocurrency's importance to ransomware-wielding attackers, presenters were careful to not call for its decline and fall.
"What we have not seen, and what we'll hopefully not see, is that cryptocurrency is an evil and we must kill it ... but we do need to think about the role it plays," said Jen Ellis, vice president of community and public affairs at Rapid7 and a co-chair of the Ransomware Task Force.
To keep things in perspective, she noted that "cybercrime equates to less than 1% of the business conducted with cryptocurrency." She also lauded ongoing efforts to "reduce opportunities for attackers to get paid," for example, by enforcing existing financial services regulations on exchanges.
An audience member asked about banning ransom payments.
Ellis said she's not a fan of the idea. "If you ban payments today, you're drawing a target on your most critical and most vulnerable," she said.
9. Extra Extortion
Especially for combating ransomware, preparation pays because attackers are bringing to bear a variety of tactics, including various types of extortion, to try and get victims to do what they want, as quickly as possible. Accordingly, "Define your plan and response without the emotion of this going on in the background," said Proofpoint's Alistair Mills.
10. Far Beyond the AIDS Trojan
Bob McArdle, director of Trend Micro's Forward-Looking Threat Research team in Europe, standing in front of a slide showing the lock screen for the AIDS computer virus from 1989, said conference presenters love to talk about how the AIDS Trojan was the beginning of ransomware.
Ransomware as we now know it, however, "didn't really start with the AIDS virus," he said, in the sense that malware of that era would try to lock systems, encrypt data or perhaps wipe hard drives.
But today's ransomware-as-a-service model, with its focus on extortion, is "fundamentally different from the theft-based crime that came before," especially with the addition of leak sites and other types of blackmail, as well the sheer variety of tactics being wielded by ransomware groups' affiliates, he said.
"It can be really hard to put together a kill chain, because there can be two or three kill chains" as different groups gain and trade access to victims' networks, he said. To better the odds for defenders, he recommends focusing not on the ransomware so much as affiliates' efforts - to try and stop the attacks at an earlier, less damaging stage.
"The reason for that is the affiliate is responsible for maybe the first 70% to 80% of an attack, and ransomware itself then for the last part," he said.
11. Business Email Compromise Still Booming
If there's a cybercrime constant, it's that attackers keep innovating, and thus it never stops evolving.
"Bob did mention the 1989, first-ever ransomware attack, and it's true, this is light-years away from what we see now," said Philipp Amann, the head of strategy at Europol's European Cybercrime Center. "But there are no black swans, or only rarely those types of curveballs. That's why it's important to look back and say it was the first attack to encrypt data," Amann said.
Serious challenges today aren't just ransomware but also, with the COVID-19 pandemic "how quickly criminals have adapted" to using it, as well as the continuing huge number of business email compromise attacks, he said, and of course the use of encryption and cryptocurrency by crime gangs as well as child sexual abusers.
But law enforcement agencies can find innovative new ways to take down criminals too, including via intelligence sharing. "We've been very lucky that we've been able to go after some ransomware groups and had successes, and that is ongoing," Amann said.
In addition, thanks to participation in Europol's "Trace an Object" campaign, which asks the public to help identify objects that appear in the background of footage of child sexual abuse, he said Europol had received more than 26,000 tips. Thanks to those leads, "We've been able to rescue 23 children," Amann told the audience, to applause, as he thanked everyone for their help.
12. Supply Chain Threats
As noted, most presenters were set to talk ransomware, and most of them did. So give extra points to Blessing Usoro, an information security manager at JPMorgan Chase & Co., who switched on the fly from ransomware to "the rise of supply chain attacks," spending no small amount of time on the SolarWinds campaign that came to light last December.
"A supply chain is the combination of resources that are needed to make a product or a service," she said in her introduction. She also said, "Trust on the network is like opening the door to a friend."
Attackers attempt to abuse that trust. "When you bring a trusted third party like SolarWinds into your network, then what do they do? They infiltrate your trusted supplier's access into your network," she said.
Her recommendation: Use a third-party risk management framework to manage your organization's suppliers, your supplier's suppliers, and so on, backed by fine-grained monitoring of who's touching what, when and how. "You have to have a third-party risk appetite. You have to know how much you're willing to lose, or if you're willing to lose anything at all," she said.
13. Cybersecurity's Image Problem
We need to get away from "faceless hackers in hoodies," said Victoria Baines in a presentation on "cybersecurity's image problem and what we can do about it." Baines, a visiting fellow at both Bournemouth and Oxford universities, drew from research conducted for her new book, "Rhetoric of InSecurity," looking at inaccurate portrayals of information security in mass media and by vendors and others.
What might be a better way to portray cybersecurity? Baines votes for the 2018 film "Ralph Breaks the Internet," in which Wreck-It-Ralph attempts to save his best friend Vanellope from an addiction to the game "Slaughter Race" by going into the dark web - depicted as an underworld - to buy a virus named Arthur, who looks like Jabba the Hut and "sounds like Russell Brand's fey Cockney gangster." Of course, viruses don't always do what they're told, so Arthur begins taking over "insecurity clones" of Ralph and running amok.
14. Be Incident-Ready
One "how to survive a ransomware incident" takeaway offered by Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, is that organizations must be prepared not just to be attacked, but to know how they'll respond.
"There's a big difference between incident response and being incident-ready," he said. "In this organization, they had a plan, but they were not prepared when the incident happened." He shared a case study of a Crylock ransomware attack against an organization - unnamed by agreement with the victim, which has allowed its attack story to be told - that had no plan for how it would gather evidence, or do so in a consistent manner, and also had no ability to use clean accounts, instead having to use the same accounts criminals had compromised.
Carson recommended that anyone who might have to respond to this type of incident keep a "go bag with everything you might need" for sitting in a data center for a long time, including "huge amounts of clean, sanitized disks, and alternative means of communications," since ransomware tends to scuttle an organization's VoIP phone system.
15. Chinese Language Rules for Malware
What's the number one language seen in malware code? That would be simplified Chinese, followed by Russian, Spanish and Portuguese and Turkish. So said Eugene Kaspersky, head of Moscow-based security firm Kaspersky.
Of course, that's malware. Unfortunately, many of the more advanced cybercrime attacks are launched by Russian speakers, he said, "thanks to the Russian technical education system" and the skills it imparts.
Kaspersky recounted being on a panel with American diplomat Condoleezza Rice, who told him that "Russian software engineers are the best." Maybe so, but thanks to their technical acumen, "Russian cybercriminals are the worst," he said.
What's needed in part are better ransomware defenses, he said, calling on other security vendors to protect their customers from crypto-locking malware, backed by the type of resources that he says he's brought to bear on his company's own software. "If I see that someone is badly hacked by ransomware, I know that they are not my customer," he said.
16. Be Ready to Respond
Responding at short notice, Honan took to the stage to fill in for a presenter who had been unable to make it. Honan used his presentation to urge attendees to think ahead about how they'd respond to an attack if it happened tomorrow.
"The HSE attack happened Thursday at 7 o'clock at night - that's when, right?" Honan asked two attendees who had been part of the government's incident response team. They nodded. By Friday morning, he said, the head of HSE was on a news shows discussing the attack and what was being done, and noting that it would be paying no ransom, he said.
One lesson: "Have your crisis and communications plans ready; have your incident response ready," he said.
Honan also echoed prior presentations focused on the need to more accurately describe not just attacks, but cybersecurity itself. "It's too militaristic; it's too macho," Honan said, referring to the use of network DMZs, or doing red-teaming. In the case of the latter type of quality assurance exercise, for example, "We're QA-ing a system that hasn't been developed properly. That's what we're doing. I know it doesn't sound exciting, but that's what it is," he said.
One audience member, during a question-and-answer period at the end of Honan's sessions, noted that choice of language was sometimes a matter of job security. "A lot of times, the reason why we call it a sophisticated attack is because it sounds better than saying, 'My idiot boss clicked a link,'" the audience member said.
17. That's a Wrap
As with prior IRISSCONs, the conference wrapped with a well-attended drinks reception.
Will there be an IRISSON 2022? If there's one constant throughout the pandemic, it's that it's impossible to predict what might be happening in a few days, to say nothing of weeks or months.
But in the closing words of emcee Gordon Smith: "Stay positive, test negative, safe home and hopefully see you next year."
Photographs by Mathew Schwartz.