Sign-up for the latest Lookout news and threat research
First uncovered by Lookout and Citizen Lab in 2016, the Pegasus spyware was confirmed to have been used on targets such as business executives and government officials. Veteran of the cybersecurity industry, Joseph Davis of Microsoft, walks us through how spyware came to be, its implications and how you can protect yourself and your organization against Pegasus.
Hank Schless 00:08
Hi, everybody, and welcome back to Endpoint Enigma. I'm your host, Hank Schless. And I'm very excited for today's episode. We've got a particularly interesting one today, in my opinion, both because of the content and the guests we have on. So before we get to our guests, as many of you have heard, Pegasus, which is probably I would argue the most highly sophisticated, mobile spyware out there, which was first uncovered by Lookout in the Citizen Lab up in Toronto back in 2016, has resurfaced in the news. It certainly hasn't gone away in the real world. But it's now at the top of the headlines for the last couple of weeks, and this is because in a joint investigation, about 17 media groups in conjunction with Amnesty International and, I believe, Untold Stories was the name of the other organization, basically confirmed that Pegasus was used on a number of targets, such as journalists, business executives, and government officials –– something that we've all kind of speculated about for a long time. And here to talk about why individuals and organizations alike need to be aware of mobile spyware like Pegasus, we have Joseph Davis with us, who is a chief security adviser at Microsoft. And Joseph works closely with the security and compliance leadership at some of the top U.S. health and life sciences companies. So, Joseph, glad to have you here today. Thanks so much for joining me.
Joseph Davis 01:27
Thanks for having me, Hank.
Hank Schless 01:29
It's a real pleasure. I'm excited to jump into this with you. And before we dive into the meat of everything here, would love if you could just kind of give our listeners a brief summary of your background and how you ended up in the security world.
Joseph Davis 01:39
Oh, yeah, it goes way back. So, when I was a kid, I was an emerging hacker phone freak in the early 70s and 80s. Of course, that was before any of that was sort of frowned upon, right? My parents, they distracted me with STEM and pushed me into a career in life sciences and medicine. So I did go through medical school, started practicing medicine. But then around that time, I decided a career in medicine really wasn't for me. And one of the closest computer companies to my location at the time was IBM. And then I started working at other companies in a security and IT capacity later. But just more recently, I had the pleasure of building a cybersecurity compliance and IT risk organization at a large multinational medical devices/supplies/pharmaceuticals company. And then, after that large company was acquired in and around 2014, 2015, I went on to become a CEO of a multinational sensors and controls company.
Hank Schless 02:31
Wow. Okay, so you've covered the gamut here. And this is part of why I'm so excited to have you on here. But before I ask you anything else? So,for me, I'm a bit younger, the whole early, emerging hacking, the whole phone thing is something that I really only read about. So my question to you is, were you what, in one of my favorite books, is called “The Dead Cow.” Were you part of one of those groups? I don't know if you can tell me or if it's top secret.
Joseph Davis 02:55
Nothing's really top secret. One of the things I go by is that some of the best hackers in the world have never been recognized because they stay kind of under the covers. And that's something that I tried to do early on, and not so much my career but in my hobby days. But yes, I mean, I was very, very much obsessed with SS7 switching. And for all those techies out there that understand what that is, it essentially is the packet switching backbone, if you will, of a telecommunications or phone network. And that was something I was really, really focused on when I was a kid, trying to understand them, trying to understand how they worked, understanding how to do administration around them and things like that. And many times we would gather –– we being the hacker community –– would gather around a bulletin board system BBS, and we would share information that we had gathered ourselves. So yes, I mean, long story short, that evolved later on in the 90s, becoming a part of those emerging teams of security researchers.
Hank Schless 03:52
So it sounds like parents’ attempts to redirect you in the life sciences are not totally for naught. But seems like it's led you to a place that you're pretty happy with, which is the important thing. As someone who's been in the security industry for such a long time, what's kind of one threat that's persisted through your career, any new ones that have popped up recently. I always like to kind of hear about how things are the same but different or different but the same.
Joseph Davis 04:14
Yeah, not to name drop, but Cliff Stoll and, I think, Kevin Mitnick would agree with me that social engineering has never gone away. It's the tip of the spear activity to get users to do things you want them to do as a threat actor, right? So, install malware, give up their username and password or give up other sensitive information that will lead as a pretext to other, you know, large fines, right? So social engineering plays on the sympathy of the… in the sense of urgency portrayed by the attacker and it instills in the victim, right? Like the attacker will say, “Hey, can you help me, you know, I'm the only one here in the office today. I really need to get this done. My boss is putting a lot of pressure on me. And it really forces the person on the other end of the phone or other end of the email or other end of the whatever, that you know the text message to respond right then from there, the attacker simply uses and impersonates that user with their credentials to simply log on, not breaking in. So it's much, much easier than hacking a web server or hacking a database, as you know, as you'd hear in popular culture; it's really impersonating the user and then performing system network and cloud services reconnaissance, right? So as this user, what can I see in the environment, right? You know, what can I see within my scope and then I can later elevate my privileges through other means –– right? –– meet, exploit, etc. And then gather sensitive data and enough intelligence to remain persistent, you know, in that organization, in that whole ecosystem, basically gaining access to, like, Active Directory or some other kind of directory services.
Hank Schless 05:49
So it sounds like even though this whole social engineering thing has always been around, it's able for attackers to kind of get more discreet in the way they do things. It's no longer, I mean, like you said, trying to, you know, for lack of a better term, hack your way in or brute-force your way. And it's more about entering in almost like a very sneaky fashion, and trying to keep yourself unknown,
Joseph Davis 06:06
Right, compare and contrast the two methods. So if I'm impersonating a user, the security operation center, if there is, indeed, a security operation there at the organization, is probably not going to take a real deep look at what I'm doing, because they assume I'm an employee. Maybe I'm kind of a mid-level employee to have access to what I have access to. And unless I'm about to leave the company and take proprietary or trade secret data with me, they're usually not going to be looking at what I'm doing. So as an attacker, if I can impersonate a regular employee, then I'm not really gonna get all that attention. But if I start, you know, chipping away at a database, doing SQL injection, or I start chipping away at Active Directory, there are tools in the environment that are going to pick up on what I'm doing. And you know, the security operations center the sock, they're gonna find out right away that there's somebody doing something they shouldn't be doing. Right? So it's so much easier to log on than to hack in. Right?
Hank Schless 07:00
Right. Absolutely. Even though I've never actually done the hacking part, I do know how that's usually a password. So I think if I could do that, someone who's a bit more advanced than me can probably do the same thing. So what about, I mean, obviously, I looked at the topic of our conversation today is Pegasus and spyware. I'm curious to know sort of where you've seen that, over the years, you know, how it's evolved a lot of what you just discussed with social engineering, it doesn't seem totally related to something like spyware. But obviously, there is a connection there. So maybe could you talk a little bit about how the two are connected with each other. And then also a little bit about how you've seen spyware evolve over the last couple of decades?
Joseph Davis 07:35
Oh, they're definitely connected, right? So in order to get that spyware onto a device, I have to really convince a user to install it, typically. I mean, if all of us in it have had that problem, where we have a new application or an upgrade to an application, and we're trying to get users to install it. Sometimes we have, you know, software distribution systems, etc. But they're not always effective, especially when users are remote. Or when users say, “No, I don't want it; I don’t want those updates right now. And they keep pushing it off. But if, as an attacker, if I can convince somebody to install something, basically saying, “Oh, this is going to help you or I'm going to… this is going to assist me in helping you. I'm a support person.” They'll go ahead and install that. And it'll seem like normal software. It'll behave like normal software, support software, remote desktop, etc. But what really is happening behind the scenes –– spyware, right? And we've seen spyware since the 80s and 90s. I mean, they were once known as rats, or remote access tools, things like Back Orifice, etc. And, you know, I've seen these tools used to track people of interest, right? So people of interest can be anybody. It could be a spouse, a child, or it could be a threat to a nation state, right? So journalists, dissidents, etc., and criminal organizations who are either tracking people within their criminal organization or tracking other people that they're trying to get in touch with for nefarious reasons, right? And the thing is, with spyware, the interesting thing is, it's at the endpoint. So when you see, okay, this transaction is encrypted end to end, it really doesn't matter, if it's spyware. Because the spyware is gonna see exactly what the user sees, GPS position, calendar information, sensitive information transmitted via secure text. Because that spyware is acting as the user, it's seeing all the things that the user is going to see –– has full access to that endpoint. So encrypted or not, it really kind of throws all that protection out the window. And once the attacker has planted that spyware in the endpoint or mobile device, they can see or read everything that user can see or read. And it makes it quite dangerous because now you're essentially –– everything is up for grabs. You know where a person's going to be or where they are right now, because the GPS coordinates are going to give you that access to a wall calendar, Office 365 calendar. It'll give them: Oh, it looks like this person is going in for a procedure and they'll be walking out of this doctor's office at 2 p.m. I'll just meet them out here.
Hank Schless 09:52
So before getting into Pegasus, which is kind of the extreme end of the spectrum, a lot of snares just walk through that seem more, like, pedestrian than something like Pegasus. Any examples of other types of spyware or even just other incidents where you've seen maybe a little more basic level spyware kind of be in the conversation or anything like that?
Joseph Davis 10:13
Well, yeah, well, the more basic it is, the less likely it's going to be detected. One of the types of spyware I saw early on in the manufacturing and R&D world was a little piece of malware I thought was really a genius. And I was like, wow, why didn't I think of this? Not that I would monetize it. But it was just so brilliant. But it was so simple. It essentially took components of, you know, Greenshot or Snagit, and basically took screenshots every time a user hit a keystroke or the mouse would move. And it was targeted, really, at our R&D engineers in one of the organizations, because they're going to have CAD drawings up there, they're going to have emails where they're collaborating with other engineers, they're going to have trade secrets up in front of them –– you know, things that are protected under ITAR, etc. And essentially, what it would do is it would take the screenshots, wrap them up, encrypt them, package them and send them off to some random, let's say, server or service on the internet to be collected later. And I thought that was pretty pedestrian, but pretty clever at the same time. But it had major major impact, right? Because it can be a competitor looking to get an advantage over somebody that's doing what you're doing. And it's basically spying. It's reconnaissance, espionage, and surveillance. And you know, that's the name of the game. It's, like, I want to get a leg up. I don't want to invest anything in R&D. I just want to grab all that R&D data and then manufacture it in my country, right? Because I, you know, I'm not going to pay for somebody to create it. I'll go ahead and manufacture it because manufacturing is quite easy.
Hank Schless 11:38
That is an interesting example. And with sort of the simplest things you sometimes sit there and like, “Man, why didn't I think of that?” So to get to Pegasus a little more when it does come up, and whether it's Pegasus specifically, or just kind of, you know, advanced spyware scenarios, when it does come up, whether it's kind of in your role now, you know, in Microsoft, or in previous roles, how those conversations usually go, what is sort of the course of it, and what sorts of concerns are really expressed around it?
Joseph Davis 12:04
Well, one thing that surprises me, and it shouldn't surprise me at this point but um, many of our customers aren't aware of it. So we're not going to bring it up unless they do. I had a large health and life sciences customer reach out to me and one of our security executive salespeople. It was about two weeks ago, and they were very concerned about Pegasus spyware and access to data in Office 365. What I said was, basically, you know, once Pegasus spyware is installed, it's access to data anywhere, right? So if I'm simultaneously running 365 on my iOS device and Dropbox and Box and G Suite, the Pegasus spyware is gonna see it all. So that's a big concern. And so what we typically say is that, you know, we have a combination of first party Microsoft technologies and partner technologies like Lookout to detect that spyware is on the endpoint. And that becomes part of the zero trust process, where the risk of a device is evaluated along with the risk of identity before access to resources is granted. At Microsoft, we call that conditional access. But you can leverage Lookout to say, basically: Create a policy on Pegasus or any other spywares detected on this endpoint to not allow this endpoint to gain access to specific resources that are either high value information assets or maybe, you know, just block all access and force that user to send their device back into get re-imaged.
Hank Schless 13:27
So beyond the conversations on your role, the ones that you just went over here, you touched on mobile security. Where do you find mobile fitting into the greater security conversation? Do you think people at this point, recognize that these devices are something that need to be monitored, secured just the same as desktop? Or a laptop? Or do you think the education process is still kind of taking place?
Joseph Davis 13:50
The education process is still taking place. But if you really want to achieve modern workplaces –– right? –– and by a cheap, modern workplace, what I mean is, you're gonna get the exact same user experience or very, very similar user experience, regardless of what you're using –– right? –– your laptop, your tablet, your mobile device; whether that's, you know, an Android tablet or an iOS like iPad or just, you know, a basic iPhone. That identical modern workplace experience has to be backed up by an identical security approach, because the user is accessing the exact same types of data. It's not like years ago with a flip phone or a Blackberry where you really couldn't get at everything, right? You couldn't, like, submit a request in TNA or you couldn't, you know, check on your pay stubs or check on your health care information, right? But now, with mobile devices, you can do all the exact same things on a mobile device that you can do on a laptop running Windows or Mac OS. And that's why I think it's really critical that the security remains consistent between all of those platforms and all those modalities. The modern workplace is really pushing that. I've lived in the modern workplace for about five years, meaning I don't have to be tied to a desk in an office In order to get my work done, I basically have the same user experience, whether I'm on GoGo in-flight wireless on a Delta flight, or, you know, sitting in a hotel somewhere, or I'm sitting at home. And I think COVID and work-from-home –– the pandemic –– has really pushed that modern workplace experience, pushed a lot of our customers, especially our strategic customers, to make that available to their employees and their other users. So we really emphasize the importance of having equivalent endpoint protection, not only equivalent to what they would potentially have on their Windows or Mac OS, right? So it's got to be equivalent on their iOS or Android as well.
Hank Schless 15:36
My last question for you is given, you know, you did go through the medical and life sciences field for a little bit, but obviously, with what you do now really focusing on health and life sciences. That's an industry that's obviously been in the news a lot due to ransomware attacks during COVID. And for someone listening to this who's maybe in this industry, do you have maybe just some broader guidance you'd offer them as things kind of evolved now, as we're hopefully emerging out of the pandemic and looking towards the future, anything that you'd kind of offer up to them?
Joseph Davis 16:06
Yeah, usually, when dealing with either health and life sciences or the financial sector, you're dealing with a sense of urgency –– things that have to get done, right? So a surgical case that has to happen Monday at 7:30 a.m., that you know all the surgical equipment has to be in or, you know, the sterile field has to be set up, etc. And when you have that sense of urgency around the services that you're providing, as one of Microsoft's customers, sometimes you're desperate to keep things operational, right? Many times we find, you know, with ransomware, they'll pay the ransom with med devices. They might end up using med devices that aren't completely clean, that might still have, you know, some sort of malware on them, but still can function. And that's when things get pretty dangerous, right? Because it can affect the health and life safety of a patient potentially. The same thing with finances, right? It doesn't necessarily affect life, but it affects livelihood, if you will: “Well, I didn't get paid” or “All my money was stolen.” The other thing is, too, we've seen threat actors go into clinical systems for providers like hospitals, etc., basically looking for medical records because they can monetize them. And unfortunately, they end up on clinical networks, because a lot of medical devices, medical equipment, are now interconnected, right? Ethernet, WiFi, Bluetooth, you name it. And they're not always engineered to the highest standards, especially what we call the Brownfield devices that were manufactured, you know, five, 10, 15 years ago, but yet still are connected. And what those threat actors accidentally do when they're in there looking for that patient information, they might step over or trip over a life sustaining piece of equipment like a respirator or something else. So especially with health and life science providers, we make sure we emphasize the importance of protecting those clinical networks, and that it’s on par with protecting what is mandated in HIPAA and high-tech, which is basically medical information about a patient, right? So those things almost become equal, because one problem can lead to another problem, because those networks are so closely tied together.
Hank Schless 18:04
So, Joseph, I think that's most of what I have here for you today. Anything else to add?
Joseph Davis 18:10
Oh, if anybody wants to reach out and connect with me, I have a vanity URL for LinkedIn which is aka.ms/securityJWD, or Twitter, @securityJWD.
Hank Schless 18:24
Awesome. All right. Hopefully some people reach out. And thank you, everybody, for joining us today on this episode of Endpoint Enigma. As always, you can find the latest from Lookout on LinkedIn and Twitter. Thanks for listening, and we'll see you next time.