This is the first of several articles to mark Cybersecurity Awareness Month, an annual outreach begun in 2004 by the National Cyber Security Alliance & the U.S. Department of Homeland Security. The initiative’s overarching theme is “Do Your Part. #BeCyberSmart.”
— — —
In an age of rapidly growing cybersecurity threats — where a hacking attack takes place every 39 seconds, according to a University of Maryland study — the work of Viasat’s Red Team is more critical than ever.
Viasat engineers Jonathan Wyatt and Jim Heyen are a couple of nice guys who get to play bad guys in their 9-to-5. They are members of the Red Team, a group of five who are dedicated to finding cybersecurity system gaps both within Viasat and for customers who contract with the company for the service.
The Red Team’s goal is to penetrate a company or product’s cybersecurity defenses and provide feedback on where and how it found those weaknesses.
Their methods can include a vulnerability scan – an automated, high-level test that shows gaps in security – or a deeper penetration (or “pen”) test. That’s a more detailed, hands-on examination designed to detect and exploit weaknesses in a system.
“We think from an adversary’s perspective about how to find vulnerabilities in systems and exploit them,” Heyen said. “We try to cover all the possible ways someone would attack, and the viability of succeeding at those attacks. Then we document them so others can fix them.”
The Red Team provides its ethical hacking services both internally and externally. Its external clients have run the gamut from a small biotech firm to huge energy companies, both government and commercial. Internally, they check the security of new hardware and software updates.
The team works closely with Viasat’s Cybersecurity Operations Center and corporate IT security. Both are considered Blue Teams, separate groups that resolve security issues by focusing on defending the network through detection and response, mitigation, threat intelligence and analytics. The Blue Team takes the intelligence identified by the Red Team and applies it to their systems.
“We work with those teams by testing their detections systems,” Wyatt said. “We will run attacks that emulate real-world threats to make sure their systems can see them.”
Both men have had ample training for their work. They, along with the rest of the Red Team, have U.S. government security clearances.
Wyatt is a former Marine who specialized in signals intelligence, electronic warfare and cyber warfare. Heyen was a cybersecurity architect for an Arizona utility company. He’s been a speaker at multiple cybersecurity events, including the National Security Agency’s 2017 Information Assurance Symposium.
Conducting critical work
Most hacking attacks are deployed as automated scripts assailing thousands of computers simultaneously, using common usernames and passwords to search for access.
Ransomware is the fastest growing malware threat, targeting everyone from home users to corporate networks. Between 2019 and 2020, ransomware attacks rose by 62% worldwide. This malicious software encrypts a user’s files, making them impossible to access without a key held by the attackers.
Not only can these attacks shut down or threaten critical systems – hospitals, utility companies and pipelines all have been victimized – they can ruin smaller companies, and throw even large ones into fiscal chaos.
“Ransomware is the one you definitely don’t want to get hit by,” Wyatt said. “It’s revenue-generating for the attacker and it’s the most expensive for the company. They may end up having to pay the ransom in addition to the high financial impacts of a breach, and the impact to the company’s brand image.”
But ransomware can’t get into a network without finding access, and that’s often through employees.
“People are definitely the weak point,” Wyatt said.
Hackers most commonly spread ransomware through phishing emails that are designed to trick a victim into opening an attachment or clicking on a link that contains a malicious file. The Red Team has used those same tactics to expose vulnerabilities, which can expose not only a company but its employees to potential damage. Such physical exploits include bypassing tangible controls like locks, cameras and ID badges. Initial access is also often gained through a social engineering campaign using phishing emails, USB drives and even advertising flyers.
“We’ve had a lot of success doing physical exploits,” Heyen said. “Once you get in, if I get someone’s email, I can get access to (travel and expense platform) Concur, take all their credit-card numbers, mileage and more,” Heyen said.
One of the most successful Red Team exploits involved first registering a domain name similar to the client’s company, then sending an invitation that appeared to come from the company’s health group.
It notified employees they would receive a free Fitbit for registering for a contest.
“They all did it,” Heyen said. “We even had CFOs registering for this fake contest. It was one of the most successful things we’ve done.”
“When they logged in, we had their passwords. We had spreadsheets with credit-card and CVE numbers. They were terrified how easy it was for us to do it.”
The team had similar success using fake Subway sandwich coupons. In another campaign, Red Team members left USB sticks labeled “RIF 2018” in the parking lot. RIF is an acronym for “Reduction in Force.” Many employees plugged these sticks into their computers. Those who turned them in to security instead received a reward.
With one particularly challenging system, the Red Team finally found access through a security camera using a default password. With access to the camera, team members could record an employee punching in an access code. They also found photos of a company picnic where employees wore company badges. That allowed them to create a fake badge and a fake employee, ultimately gaining access to the server room.
Weak passwords are the easiest and most common way to gain access, and the Red Team uses multiple, cloud-based graphics processor units (GPU) to help expedite the process.
“We’ve had times where within five minutes of doing research on a company, we had 40 accounts cracked already,” Heyen said. “The cloud-based clusters we used attempted three billion passwords per second. Large clusters can attempt 300 billion per second.”
Strengthening security
Even if the team doesn’t find issues with a client’s cybersecurity, it can still find ways to bolster security.
“For clients that have a robust security program, we focus more on testing their detection systems by emulating a real-world threat against their organization,” Wyatt said. “There’s always something to do even if a traditional penetration test would come up with few findings.”
Both men say they love their jobs, not only the hunt for cyberthreats but because it keeps them at the forefront of technology.
“I like the challenge of figuring out the puzzles,” Wyatt said. “And you have to constantly keep up to date on new technologies, the way things are changing, and everything that’s happening in the market.”
Heyen likes that he has to stay at the top of his game at all times, “because you’re never know what’s going to come out next,” he said. “If you don’t like what you’re doing today, wait until tomorrow.”
He also enjoys that his is not an assembly-line kind of job. “One engagement might be a pharmaceutical company in Jersey,” he said. “The next day we’re attacking modems in our own building.”
Viasat’s history and portfolio make the company uniquely qualified to provide cybersecurity services. Founded as a defense contractor, Viasat has more than three decades of government experience ensuring the security of the products it creates – which include multiple encryption devices and military communications equipment.
And as an internet service provider, Viasat collects data on how hackers operate, and uses that information to build new defenses that can be applied to its customers.
“Our government work, and the fact that we’re both an ISP and a satellite company, gives us an edge over the standard consulting firms that only do ‘pen’ testing against traditional data centers and corporate networks,” Wyatt said.
Viasat’s other Red Team members include Mike Rogers, Andrew LaMarche and Ian Kane.