Kip Boyle: Hi, this is Kip and I'm interrupting the start of the show with a brief announcement for the attorneys in our audience. Once every quarter throughout the year, Jake and I offer a free online continuing legal education session. Our next CLE will be at noon Pacific time on Wednesday, March 30th, and this time we're going to explore the impact of the Pandora papers on the legal industry and the practical cybersecurity lessons for attorneys everywhere. So join us online for a one-hour cutting edge CLE on March 30th, 2022 at noon Pacific time so Jake and I can share what we've learned by analyzing the Pandora papers, a massive collection of over 11 million confidential leaked documents about offshore wealth that were stolen from law firms and then recently published. In addition to one CLE credit, you'll also receive actionable advice that you can use right away. So sign up now on eventbright.com by using the link in this episode's show notes. We hope to see you there. And now, let's listen to the next episode of the Cyber Risk Management podcast.

Speaker 2: Welcome to the Cyber Risk Management podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, virtual chief information security officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today in episode 99?

Kip Boyle: Jake, I'm excited that we've reached 99 episodes. It's amazing and I think that not only is that exciting to me, but I think we've got a good topic today too. What we're going to do is take a closer look at a metamorphic malware that's actually going by the name of tardigrade.

Jake Bernstein: Tardigrade, metamorphic. Okay. What is with the fancy tech jargon here, that being metamorphic malware?

Kip Boyle: Yeah, occupational hazard, right? I mean, we don't generally drag tech jargon into our podcast, but man it's just like all these weird squishy overloaded words are constantly trying to worm their way into the topic of cyber risk. And so, every now and then I got to use one, but let's decode it all right, because I don't really want to dwell in jargon. So metamorphic, what does that mean? Well, from a dictionary perspective, it just means highly adaptive to its environment. So, if we're talking about a metamorphic malware, well now we've got like a chameleon. We've got this piece of code that is highly adaptive, and whoever branded this thing decided that because it was highly adaptive that it should be named after those tiny little water bears that we've been seeing little memes about lately.

So, a tardigrade is also called a water bear and it's one of the most resilient animals known to mankind. I mean, these things are amazing. They've survived the vacuum of outer space. They can be irradiated at crazy high levels. They can be totally dehydrated for years. You can starve them for years and they will not die. They will endure. So anyway, so tardigrades are a great model for this malware that we're going to take a look at.

Jake Bernstein: Now, one question I have is metamorphic reminds me of something that we've talked about briefly, kind of the mythical homomorphic encryption. It must be similar, even though it's about changing, right? The key word, or the Latin root here is morph, right? The kind of morphic concept. So that makes this a dynamic risk and not a static one.

Kip Boyle: Correct, yes. And I would expect you to key in on the Latin.

Jake Bernstein: This seems like a situation where it's rather innovative, so I think what's actually going on here is you just want to sell more copies of Fire Doesn't Innovate. Isn't that right?

Kip Boyle: God, I'm busted.

Jake Bernstein: Busted.

Kip Boyle: You can see coming from a mile away can't you?

Jake Bernstein: Yep.

Kip Boyle: Well, okay, so yes I did want to mention my book.

Jake Bernstein: Just make it explicit, make it explicit. Go ahead.

Kip Boyle: Okay, yes. You know, the whole idea of cyber as a dynamic risk is the hidden message in the title of my book, Fire Doesn't Innovate. And yeah, that's really the point that I'm trying to make over and over and over again without turning into a Cassandra, right, is that senior decision makers need to stop treating cyber as a static risk, like fire and hurricanes and they're going to do much better if they manage cyber as a dynamic risk because that's what it actually is, and here comes tardigrade, the metamorphic malware, to make the point.

Jake Bernstein: And despite the shameless hustle there, it is a good point, right? Cyber is a dynamic risk. It's always changing, in some ways like passwords. Let's go back in time 30 years, did you set a password on your dos 5.0 machine or even Windows 3.1, or even Windows 95? I don't believe that default Win 95 required a... neither did the Macintosh. I didn't use them back then, but I don't recall that. But over the years we've started to use passwords more and more with our computers and our passwords have gotten more complex because they've had to get more complex. Do you remember when you only had eight characters for a password?

Kip Boyle: Eight characters and don't even try to type a dollar symbol or a percent sign because it couldn't handle it.

Jake Bernstein: Couldn't handle it, right? And in fact, it's almost embarrassing, there are still systems that cannot handle every ASCII character, which is a problem actually because it means that their entropy is that much less.

Kip Boyle: Not to drag any jargon into it, yes.

Jake Bernstein: No, of course not. they're just going to be that much easier to brute force.

Kip Boyle: They're a boat anchor on the evolution of our inaudible.

Jake Bernstein: They are. But okay, the passwords had to get longer and more complex and they had to be unique for every account. Now we ask people to set past phrases, right? And then to turn on two-factor authentication, which itself has different methods and some people have to get UB keys and hardware modules. Why? Why Kip? And it's because the cyber risks associated with controlling our computer and our increasingly online accounts have grown over time.

Kip Boyle: Yeah.

Jake Bernstein: The digital data has become more valuable and as we're about to discuss, cyber attackers have become more sophisticated. And that is our point. Cyber risk management requires a different mindset because it is a different type of risk. It's dynamic, not static. It is more like the ever mutating COVID-19 causing virus, SARS-CoV2, and less like a fire, flood or earthquake. I suppose if we wanted to drag metaphors way too far, we could say that even floods and earthquakes are becoming more dynamic because of climate change, at least it sure looks that way.

Kip Boyle: Well, that's what's been happening, so that's a very interesting wrinkle. But at least with hurricanes, as I think is a good example, even though they're sort of bigger, more frequent, more devastating-

Jake Bernstein: You can see them coming.

Kip Boyle: Yeah you can see them coming and how you deal with them is fairly well known. We may not like the fact that our building codes have to change because the hurricanes are getting stronger, but we know what we know what needs to be done. It's really not a technical problem. It's really more of a political problem, a resource allocation problem, not a question of, "Well, how do we even deal with it," problem. And that's what mutating flu viruses and COVID-19 viruses really question, what do we do?

Jake Bernstein: And maybe a good way to think about it too, just in case we haven't beaten this horse into the ground, is the idea that hurricanes would be a dynamic risk if there was some mechanism too that like, you know there's weather control satellites where you could cause one to form in a matter of minutes. You know, I'm talking science fiction or superhero comic books. But the bottom line there is that some malevolent force would be controlling and using these things, and I mean let's just think about this, a metamorphic malware, explain more about the metamorphic ability.

Kip Boyle: Let's unpack it because I think this is really interesting. Let's get out of analogies and get into reality. So I think it's reasonable to say it's the latest evolution in never ending upgrade of dynamic cyber risks. So metamorphic, what it means is when you are metamorphic, when you've got those qualities-

Jake Bernstein: You're a butterfly.

Kip Boyle: Yeah, you're like a butterfly. You start out as a caterpillar and then you turn into something else, something with wings. But tardigrade, its metamorphic capabilities extends to even include the fact that it doesn't leave a consistent signature behind. So when it gets into your environment and as it moves around your environment, it's changing itself. And so you don't even recognize it from one machine to the next and that's what makes it so dang difficult for traditional antivirus programs to detect.

And I read a Wired magazine article on tardigrade and there was a researcher that tested the malware almost a hundred times, in other words letting it jump from system to system, and every time the researcher reported that tardigrade built itself in a different way and communicated differently. So it's fingerprints, it's just its way of life, there's nothing that you can say is normal about it because it just doesn't behave in any consistent way. It also has the ability to operate autonomously when it's cut off from its command and control server, which-

Jake Bernstein: That's not so bad.

Kip Boyle: Well, that's like starving a tardigrade, a water bear, that's like depriving it of food and oxygen and water and irradiating it and it's like, "Okay, when you're done, let me know, because I'm just going to hunker down and keep doing what I'm doing." So, all right now where did I find out about tardigrade, the metamorphic malware? Well, it was actually published in an advisory, and you're going to like this, given your background before you became an attorney, the bio economy information sharing and analysis center. So in other words, there's there's this organization, an ISAC, an information sharing and analysis center, focused on the biotechnology industry and they actually found it.

Jake Bernstein: That is distressing. So I assume that means this malware is in the wild then?

Kip Boyle: It is absolutely in the wild. This is not a theoretical idea. It was actually first detected in April of 2021. We're recording this episode right at the end of 2021. So this thing's not even 12 months old yet. And they discovered it, it was behind a ransomware attack on a large unnamed bio manufacturing facility, so think about vaccines and that kind of a facility, and then it showed up in October 2021 at a different bio manufacturing facility. So one thing that it's actually similar to when I was reflecting on it is NotPetya. Listeners probably remember NotPetya caused about $10 billion worth of economic damage in 2017 and it sort of flew this false flag of being ransomware because it dropped ransomware like notes all over the computer systems that it was on. But there really wasn't a ransomware mechanism behind it and tardigrade seems to be doing the same thing.

Jake Bernstein: So, I guess two questions; one, if we know, what is it doing, and then where did it come from?

Kip Boyle: Okay, well I'll take them in turn, but where did it come from? We don't know. It's not clear and that's always a problem is attribution. But you know a lot of malware, like NotPetya for example, there's some signatures in there. There's some so-called fingerprints, maybe there's some reused code or there's just some writing skills that sort of resemble other malware that has been attributed and so you can sort of tease out the lineage, but so far nobody can figure that out. But it's clear that whoever made it loved it because when this thing was pulled apart, it was obvious to the digital forensics people that to do this takes tons of time and money and effort. And so, although it's unnamed, we've got to assume that it's some large cyber criminal gang or nation state or some combination of those two. And so that's the best information we have about where it came from. And so you also asked me, what does it do, right?

Jake Bernstein: What does it do, and I'm cheating by reading ahead here in our script. But I mean I think we can, we can talk about this in a moment, but based upon what it's doing, it feels more nation state, but go ahead and explain.

Kip Boyle: Yeah. So this thing, it feasts on Windows computers, that's the first thing. And it is able to infect versions of Windows as early as Windows 2000, and that's actually significant. Do you know why?

Jake Bernstein: I'm going to guess because one, that's hard to do, and two, it's probably looking for older industrial control systems that are not upgradeable easily.

Kip Boyle: That's right. So we're talking about bio manufacturing sites. They have lots of specialized equipment with embedded versions of Windows. And so whoever decided that they were going to make tardigrade and they were going to target bio manufacturing facilities must have known that for maximum effect, they should make sure that tardigrade runs on 20-year old Window systems so that they're not going to get tripped up, which again speaks to the sophistication, the thoughtfulness, the amount of planning that went into this and think about the testing, right? If you just build a normal piece of software that you're going to sell people, you've got to test it on all kinds of platforms and if it's a web app, you got to test it in all these web browsers. That costs money and it's clear that they did that.

So anyway, what does it do? Well it looks for Windows computers to infect, it establishes itself, it hides itself, it facilitates ongoing access for either espionage or remote access capabilities so that whoever is controlling this thing can access the network and do whatever it wants. Maybe poke around, maybe send a payload over that can be executed. Maybe that payload is some kind of denial of service tool, maybe it's a genuine ransomware infector, or something like that. Who knows? So it's this really powerful kind of remote access Trojan in addition to that. We know that it's been used already to attack two completely different vaccine manufacturers this year. And so that's why the bio ISAC actually released the alert because all the signs were suggesting that there was going to be more infections and so everybody in the bio manufacturing industry needed to assume that they were a target.

Jake Bernstein: So now, I mean, I think you've kind of hinted at that, but why target them? I would assume intellectual property theft is one major component, but it can do more, right? What else can it-

Kip Boyle: Right, because tardigrade can do all those things that I talked about, then it's capable of stealing intellectual property, it can prepare the network to be basically shut down remotely and held hostage for some kind of ransom. And so if you think about this, this is kind of like a layered threat. So if I'm attacking them, if I'm in charge of tardigrade, what would I do? Well, I guess the first thing I would do is I would steal everything intellectual property wise worth stealing. Once I had all of that, then I might start to prepare the network for a ransomware attack because why stop at just getting the intellectual property? Why not also go ahead and extort them for money? And so if it really is cyber criminals plus a nation state, well that accomplishes all goals here doesn't it? It gets you the IP and then it provides money to satisfy the criminals.

Jake Bernstein: Well, and I suppose one thing that's also possible is if it is just a nation state that wanted to do harm, and for example hurt the ability of other countries to manufacture COVID-19 vaccines, you wouldn't bother with a ransom. It would be more like NotPetya, which was just a destructive virus, like it just destroyed.

Kip Boyle: You could do that. You could even do a-

Jake Bernstein: You could do that too.

Kip Boyle: Yeah and you could even do something kind of akin to Stuxnet where you could degrade the facility's ability to produce effective vaccines. You could just spend some time diluting their efficacy. And then when you got tired of doing that, then you could launch a ransomware attack. I mean, just the possibilities here are endless. I mean, let's say it's Russia or China trying to hurt the United States or another Western country, I mean there's a pattern there. This could definitely be used to perpetuate the pattern.

So, now we know about tardigrade and we understand that it's a dynamic risk and it has a lot of capabilities. So Jake, what do you think people should do about it? Like if you were working at one of these bio manufacturing facilities, what would you do? I mean, this seems like a big deal.

Jake Bernstein: Well, the first thing is one, and I know this might seem like a tired, old phrase, defense in depth or layered defenses, but I actually think that concept is strategically sound going back thousands upon thousands of years of military history and it is still absolutely critical. So the first thing you do is, where can I stop it from spreading? And since it spreads apparently due to Phishing emails, USB sticks, drive by downloads, and other common methods, the first layer of a best defense is good cyber hygiene, which of course you do talk about in your book, right?

Kip Boyle: You're warming my heart. It all comes back to my book, right?

Jake Bernstein: It does. And then, again, because you want to have your layered defenses, you want to deploy all of the essential eight controls because those are designed and modified over time specifically to stop malware infections. And I really think that as we move into this age of let's face it metamorphic malware, we're going to have to take some seriously hard looks at the way we do things in companies, as individuals, and the layered defenses is not going to be just some buzzword that security people use when they want to sell additional materials. It's essential. It's not optional.

Kip Boyle: Yeah, it's becoming oxygen.

Jake Bernstein: It's becoming... Yeah. And you know, one of the things that's very concerning is in so many ways the concept of a general computer, as opposed to an ASIC, which is basically a single purpose chip, is so power powerful. Most of us use general computers all the time. The whole idea of the iPad being the glass disappears and it can be anything you need it to be. Phenomenal power, but general computers are, by definition, vulnerable to these types of malware. If you can run almost any type of software, then you can run malware, and one of the essential eights, which we've talked about many times, is application white listing, which basically starts to trim away at the general computing concept. You're basically saying, "No, no, you don't get to run anything. In fact, you only get to run this small subset of applications and code that we are defining that you can run."
And I don't know that there is a much better layer to add into your defenses than that one right now. And I say that even as someone who would be so miserable in an environment that was totally locked down that way. But the reality is that the majority of people using computers in the workplace most of the time probably can get away with not just white listed apps, but thin clients and white listed apps.

Kip Boyle: Yeah. Yeah. I mean, essentially turning their computers into appliances that can do very specific things based on their job description. So, I mean, I think about an accounts' payable person, an accounts' payable specialist, what are they doing all day long? Well, pretty routine stuff. I mean, their job is pretty well defined and so I think you could pretty easily create a so-called terminal where you've got a general purpose computer that has very specific things that it can do to facilitate the work of the accounts' payable specialist and then you just deny everything else. I think that's where we're headed. I don't know how long it's going to take for us to get there, but I think that's where we're headed.

And I think we're also going to have to leave behind some of the defenses. So defense in depth I think is still good, but perimeter networks, the whole idea of perimeter networks, I think that's been bankrupt for a while now. And that's what the whole idea of zero trust networks is trying to do is encourage us to give up the idea that if we just build a thick wall around all of our crown jewels, that that's defensible and represents a reasonable way of protecting ourselves digitally. And I just don't think that's the case anymore. Things like these metamorphic malware I think are just another really strong data point that says no. It's too easy for it to get inside.

Jake Bernstein: One question I have for you on that point is, there's no question that the perimeter network is insufficient, the question is, in my mind, that is not the same thing as saying you can just throw it out is it?

Kip Boyle: Well, no, it's not. I mean, most organizations can't just throw it out, but I will tell you that Google, when they implemented zero trust for their networks, that's essentially what they did. But you think about the financial resources of Google, what they did, Jake, is they built a second network in parallel to their primary corporate network. And you can think about what a sprawl. Google's got facilities all over the world. It's this massive organization. And they built a second production network alongside their first production network.

Jake Bernstein: Not everybody can do that ladies and gentleman.

Kip Boyle: No, not everybody can do that.

Jake Bernstein: Just to be clear.

Kip Boyle: Yeah, and that's my point is they were able to do it and their second production network was built on zero trust principles and they had to do a ton of engineering because guess what? There were no commercially available tools that would let them do a zero trust implementation, but being Google and having all these engineers, they just rolled their own. And so they just stood up a second network, carefully migrated people and data to the second network, and then they shut down and discarded their legacy first network. And that's how they did it. And my point is no, nobody else on planet earth is probably going to do that even the few that probably have the resources to do it. But I applaud Google for doing it because that was a big deal, a ton of risk for them to do that.

But we all benefit because they've actually created a case study for what does it mean to go to a zero trust network and what does a zero trust network actually look like? I mean, what functions do you have to have and so forth? And so for the rest of us though, it's going to take a while and we're going to have to migrate slowly to a zero trust network. And that's actually, I've got some projects with some customers where we're doing some initial proof of concepts, we're writing some preliminary zero trust policies to guide future systems' development projects. I mean, it's going to be one of these proverbial turning the bow of the aircraft carrier kinds of situations.

But in the meantime, what do we do with metamorphic malware? Well, despite the fact that there's some sensationalism here and it is really cool and different that it's metamorphic, this tardigrade stuff, really Jake it comes back to what you said, which is at the end of the day, this is just about malware getting into your systems, just like most malware-

Jake Bernstein: And executing code.

Kip Boyle: And executing code. That means phishing, USB sticks, drive by downloads, all that common stuff, and tardigrade still needs to be able to hop from system to system and so forth. And so you mentioned the essential eight, and I'm not going to unpack the essential eight, I just want people to know that I believe the essential eight is a good strategy for dealing with metamorphic malware and if you want to get into it, we actually covered that in a prior episode. It was episode 63, which we don't number our episodes, that's not very helpful, but we released it on September 29th, 2020 and the title was A Quick Look at the Essential Eight Mitigations. So I would encourage you to go listen to that episode to refresh yourself, but you could also go on the internet and just do a Google search or Bing search or a Duck, Duck, Go search, whatever your favorite search engine is.

Jake Bernstein: Pick a search.

Kip Boyle: Pick a search and just type in essential eight Australia, because that's where it comes from, and you better start studying it because I think that's the future, not some of these other tired old frameworks.

Jake Bernstein: Yeah. Legacy old frameworks.

Kip Boyle: Yeah. They were good when they first came out.

Jake Bernstein: Think of the frameworks that are based on specific control concepts. I think those are the worst.

Kip Boyle: Yeah.

Jake Bernstein: Just because I think that they're-

Kip Boyle: Well, they're managing a dynamic risk as a static risk is what they're doing.

Jake Bernstein: Yeah. Yeah, it is. It's the case.

Kip Boyle: You just can't keep up.

Jake Bernstein: No. And I think it's another thing to point out while we wrap up this episode is just that there's a difference between a framework, like NIST cybersecurity framework, which is almost more of a mental construct to help you define a system, and the essential eight are controls. No one's going to confuse the essential eight with a soup to nuts cybersecurity program framework. That's just not what it is. It's a mechanism for cyber hygiene.

Kip Boyle: It should be self-evident. Well, I'll just say that. It should be self-evident but sometimes, you know-

Jake Bernstein: Oh, but it's not.

Kip Boyle: I know, I know, but it should be. And I know that the cybersecurity people, they're overworked, they're tired, and they just kind of want a checklist just to kind of reduce the mental energy that it takes to figure out what they should do. They just want a checklist. Everybody wants a checklist. Everybody wants the easy button. I'm totally sympathetic to that. Well, the essential eight I think can be your easy button. Some of it's actually very easy. The white listing isn't, that's probably the hardest part, but as I said, we're going to have to get used to it.

Jake Bernstein: Yep.

Kip Boyle: But yeah, even metamorphic malware can be tamed with the essential eight. I think that's my takeaway for our listeners.

Jake Bernstein: Okay. Well, shall we wrap this up and people should get ready for episode 100 of the Cyber Risk Management podcast.

Kip Boyle: Yeah. Oh my gosh, I never thought we'd reach 100.

Jake Bernstein: I don't think I did either.

Kip Boyle: But I've been having a lot of fun planning for episode 100 with you, Jake, and we're going to that one soon and I think it's going to be a lot of fun. Okay everybody, that wraps up this episode of the Cyber Risk Management podcast, episode 99, and today we took a closer look at something called a metamorphic malware that everyone's calling tardigrade. Thanks for being here. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 2: Thanks for joining us today on the Cyber Risk Management podcast. If you need to overcome a cyber security hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.