The company highlighted their key role in taking down the REvil ransomware gang, and how they have enhanced their vulnerability detection organization further going forward.
LAS VEGAS – On Thursday, on the final day of the Trellix Xpand Live event here, one of the highlights of the keynote address was an overview of the work being done by the company’s Advanced Research Centre, which focuses specifically around vulnerabilities and the bad actor organizations and techniques around them. They also made public elements of their strategy in taking down the private Russian-based hacker group REvil [Ransomware Evil; also known as Sodinokibi].
The Advanced Research Centre, which was recently put together from different groups, reports to Aparna Rayasam, Trellix’s Chief Product Officer. John Fokker, Head of Threat Intelligence, leads a group focused on threat actors – how they operate and how they commit the breach. This group builds playbooks and disseminates them to product teams. Doug McKee, Principal Engineer & Director of Vulnerability Research, heads a group focused on the vulnerabilities themselves.
“Historically there was a vulnerabilities team, but it didn’t always tie into what this means for the threat landscape,” McKee said. “With the new organization, we go out of our way now to articulate this to our customers.”
The basic objectives of the attackers have remained consistent since before the pandemic, but they have become better at executing them.
“The underlying themes are the same as before,” McKee stated. “What has changed is the way that they are packaged, and the types of social engineering being used in the attacks. The phishing itself is the same, but now they can spread it more effectively.”
While both executives emphasized that their teams don’t see themselves as competing with the other companies in the space, all of whom have similar research groups of their own, and that the fight is with the bad guys, they do think Trellix’s approach gives them certain advantages.
“Every organization has a research group but not all of them have engineers focused on vulnerability research specifically,” McKee said. “We are not the only company with this focus, but we are in a minority in how we focus on this key area.”
Trellix can take very different approaches to how they publicize their vulnerability reports, depending on their complexity and on the amount of time keeping the findings confidential matters.
“We have multiple products that are used in many tools, and those calls turn around in a week,” Fokker said.
“Threat intelligence also makes inputs that get to the customer on a daily basis,” McKee added. “A blog is actually the worst way of disseminating intelligence, because it often appears six months after the fact.”
There are times, however, when the vulnerability information is deliberately delayed in being made public, with the REvil disclosure at the event being a good example.
“Sometimes in vulnerabilities, we don’t want to be fast,” McKee said. “We will often wait three months or more to release information because we give the bad guys an advantage if we release too early. We want to make sure that the vendor has appropriate protection in place, so there are places where we move fast and others where we take our time.”
Cases where they refer their findings to law enforcement are also likely candidates for delay. The arrests in the REvil case came in November 2021.
REvil was the company that took down Kaseya, and which ran a systematic ransomware business that took in hundreds of thousands of dollars weekly. Fokker outlined the strategy behind their success, the violation of which got Trellix, and ultimately the law, on their tail.
“Successful criminals in this area use a dedicated communications platform rather than email negotiations,” he said. “They also use a leak site for marketing and stolen data, and use stable malware and decryptors.”
Like legitimate businesses, REvil practiced common corporate best practices in bringing people into the company.
“Use strict recruiting and hire the right people,” Fokker said. “Forming strategic partnerships is also important. It is very difficult to control the entire kill chain to a high level. Partnering lets them focus on what they are good at.
Finally, Fokker emphasized the importance of good administration and paying your people well. This wound up being REvil’s downfall. After a senior hacker violated another axiom – don’t brag – and posted that he had just posted $300,000 that weekend as well as giving sufficient information about his bitcoin account to identify him, a disgruntled member of the gang unhappy about his own compensation got in touch with Trellix. They developed a relationship with the person until he began feeding them information about REvil’s activities. Once they had a good knowledge of REvil and how it worked, they took the information to law enforcement, which led to five arrests.
“When they bragged, it all came crashing down,” Fokker said.