Introduction:
1、FirstBank hired hackers to breach its systems. It took them three years.
2、FACT CHECK: Did Bill Gates Say, ‘I Choose A Lazy Person To Do A Hard Job’?
FirstBank hired hackers to breach its systems. It took them three years. ♂
SAN FRANCISCO — Brenden Smith, the chief information security officer of FirstBank, hired a group of
to try to break into his bank.
Over the course of three years, the attackers made numerous attempts to sneak their way in. At first, the attacks were difficult for FirstBank staff to detect; the hackers largely exploited previously undiscovered vulnerabilities in the software and devices used by FirstBank, which is headquartered in Lakewood, Colorado, and had $28 billion in assets at the end of 2023.
In one case, Smith said during the panel at the cybersecurity-focused RSA Conference, the hackers made an initial breach into FirstBank's systems that took 102 days for his team to detect.
"The good news," he said, "is that they didn't accomplish any of their objectives."
But the months the hackers lurked silently in FirstBank's system "felt uncomfortable," according to Smith, who had hired them to levy the attacks against his team as a way of finding the team's weaknesses so they could improve. The professional cyber threat his team faced was benign, but it was designed to simulate a real threat — malicious hackers who could conceivably target FirstBank one day.
This professional team worked for a company called Randori, which
. Randori is also known as a red team, which in cybersecurity speak is the team playing offense in a cybersecurity exercise. In this yearslong exercise Smith had created, FirstBank was defending, so it was the blue team.
IBM's Randori is one of many so-called attack surface management vendors. Microsoft offers its own such service, as do CrowdStrike, Halo Security, Palo Alto Networks, Verizon and
.
Smith advises other companies to conduct their own due diligence before choosing a red team vendor.
"I think it's a bit foolish when someone picks a vendor based on a talk without any additional due diligence," he said. He added that, given how long FirstBank has worked with Randori, the bank plans to reevaluate the market soon.
Red team exercises can be critical to validating the assumptions of the blue team, according to Keith Mularski, a managing director in Ernst & Young's cybersecurity practice. These assumptions might be about the security measures a CISO might assume their institution implements adequately. A red team can help validate that these measures are indeed sufficient.
In one example, Mularski described a client retaining EY for a red team exercise, and his team was able to find a way to bypass the multifactor authentication system the client had set up.
"From the blue team's perspective, they knew they had multifactor authentication in place, and they thought it was good," he said. "But the red team comes in and says, 'yes you have this in place, but let's see how we can get around it.'"
For two years after Smith hired Randori, his blue team won. The red team made initial attempts to break into FirstBank's systems but was never able to achieve any substantial objectives with those footholds. Smith described a three-part cycle that repeated itself during the exercise.
In the first part of the cycle, the red team would conduct a scan of FirstBank's attack surfaces — the parts of its system exposed to the internet or otherwise accessible to attackers. As it detected potential ways in, it would launch scattershot attacks that were typically easy for FirstBank to detect but miss every once in a while. Once the red team gained initial access, it would attempt to move laterally within the system, at which point the blue team would detect their presence and remove them, restarting the cycle.
But one day, three years into the exercise, the red team finally won — albeit with a lot of help from Smith. The red team targeted an internet of things, or IoT, device owned by FirstBank with a zero-day vulnerability. Smith did not say what the device was because of a nondisclosure agreement; when hackers disclose zero-day vulnerabilities to device and software creators, those creators often bind the hackers to nondisclosure agreements to ensure they do not share any details of the vulnerability, even if it gets patched.
Once the red team compromised the IoT device, they used knowledge they had gained over the three years prior to evade FirstBank's threat detection scanners. This was one of the bits of help Smith admitted the red team had; while some threat actors are persistent, few would spend years learning the ins and outs of a bank's computer systems the way the red team had.
Not only had the red team been paid to focus on FirstBank for so long, but Smith had even opened the metaphorical door for them a few times. In one case, Smith allowed the team to hide a small device in a tissue box in an infrequently-used part of a FirstBank building during the pandemic, when everyone was working from home. Even in that case, FirstBank staff caught the intruders before they could further infiltrate the system, and a staff member eventually found the device and turned it over to the security team.
But after three years of the cat catching the mouse and letting it go, the mouse had studied the cat well enough to know its next move.
Once the red team compromised the IoT device, they used that access to find a computer that could send internal emails, thereby bypassing FirstBank's phishing filters. The red team conducted two phishing campaigns to collect two types of credentials. One worked; in the other case, an employee turned the email over to the security team, and the team stopped the attack.
Even though the security team had detected the phishing attack and determined it was coming from somewhere inside FirstBank's system, they couldn't pinpoint where. Smith chalked this up to the fact that the red team was operating from an IoT device using a zero-day vulnerability; these exploits, he repeated, are "very hard to detect."
So, the blue team recommended activating FirstBank's incident response retainer — a team of outside cybersecurity experts who come in to clean up after a cybersecurity attack. Smith said he was proud of his blue team and that the moment was a win for them. "They knew they were out of their element," Smith said.
He denied the request to activate the incident response team, as he didn't want to spend money having them respond to an exercise. So he told his team that the people behind the IoT device attack were members of a red team and challenged them to do their best responding themselves.
At that point, the red team went silent, to try to avoid detection, all the time maintaining the access they had gained — and that Smith allowed them to keep. After months of lying dormant, they planned an attack using knowledge of FirstBank's Active Directory system, which is a service that authenticates and authorizes users in enterprise Windows systems.
The attack worked. Smith spared the details, but at a basic level, the red team forced a password reset on one user; that user had control over the account of a second user with domain administrator privileges; and "within 15 minutes," the red team gained full control over the system. At least, hypothetically; the red team didn't exercise this control because they were hired by Smith for the exercise.
Smith said that, even though the blue team eventually lost to the red team in the end, the failure provided innumerable lessons that were valuable to the institution as a whole, which he shared with the session attendees. For starters, the users who fell for the phishing attacks and password reset attacks would be far less likely to make those same mistakes again, he said.
But the broader takeaway, he said, was how valuable this kind of long-term red team exercise can be. Many times, banks and other firms enter into two-week contracts with red teams to save time and money while trying to learn where their vulnerabilities are. But in Smith's case, it took years for the red team to compromise just the outer perimeter of FirstBank's computer systems.
Continuous red team exercises also emulate attackers more realistically, Smith said.
"Attackers aren't on two-week contracts," he said in his presentation. They can — as the red team did — go inactive for months on end once they gain initial access to avoid detection.
Ultimately, continuous red team exercises make the prospect of a cyberattack against a bank much more real for the people defending it, Smith said. Cyberattacks become more than something that just happens in the news; they become something that can actually happen to the bank.
FACT CHECK: Did Bill Gates Say, ‘I Choose A Lazy Person To Do A Hard Job’? ♂
A Facebook post credits Microsoft co-founder Bill Gates with saying, “I choose a lazy person to do a hard job. Because a lazy person will find an easy way to do it.”
Verdict: False
There is no evidence that Gates ever said or wrote this expression.
Fact Check:
Gates, a billionaire entrepreneur with an estimated net worth of $106 billion, co-founded the software firm Microsoft with Paul Allen in 1975. Gates and his wife Melinda chair the Bill & Melinda Gates Foundation, a private charitable organization that works to improve global health and promote equal opportunity around the world. (RELATED: Is J.K. Rowling The First Person To Fall Off The Forbes Billionaires List For Charitable Giving?)
While Gates has given tips on business strategies in the past, there is no record of him ever saying or writing the expression attributed to him in the Facebook post. An internet search reveals no credible sources ascribing it to him.
The Daily Caller also searched his books, “The Road Ahead” and “Business @ The Speed of Thought,” as well as his personal blog, but found no similar statements.
In 1947, automobile executive Clarence Bleicher testified before the Senate that one should “put a lazy man on it” to make a difficult job easier. Bleicher’s testimony may have been abbreviated over the years into the statement falsely attributed to Gates, according to the website Quote Investigator.
Related questions
To tackle the HackerEarth MakeMyTrip Hiring Challenge, focus on solving problems involving graph traversal with time and cost constraints. Here's a structured approach to handle a flight route optimization problem:
Approach
- Graph Representation: Model cities as nodes and flights as directed edges with attributes (departure time, arrival time, cost).
- Priority Queue: Use a min-heap to explore paths by ascending total cost.
- State Tracking: For each city, maintain non-dominated states (arrival time, cost) where no other state has both lower cost and earlier arrival.
- Dominance Check: Prune paths that are worse in both cost and time to optimize the search space.
Solution Code
from heapq import heappush, heappop
import bisect
def main():
import sys
input = sys.stdin.read().split()
idx = 0
n = int(input[idx])
idx += 1
m = int(input[idx])
idx += 1
source = input[idx]
idx += 1
dest = input[idx]
idx += 1
city_map = {}
cities = []
current_id = 0
def get_id(city):
nonlocal current_id
if city not in city_map:
city_map[city] = current_id
cities.append(city)
current_id += 1
return city_map[city]
src_id = get_id(source)
dest_id = get_id(dest)
adj = [[] for _ in range(current_id)]
for _ in range(m):
u = get_id(input[idx])
idx += 1
v = get_id(input[idx])
idx += 1
dep = int(input[idx])
idx += 1
arr = int(input[idx])
idx += 1
cost = int(input[idx])
idx += 1
adj[u].append((dep, v, arr, cost))
for flights in adj:
flights.sort()
heap = []
city_states = [[] for _ in range(current_id)]
initial_time = 0
heappush(heap, (0, src_id, initial_time))
bisect.insort(city_states[src_id], (initial_time, 0))
found = False
while heap:
current_cost, current_city, current_arrival = heappop(heap)
if current_city == dest_id:
print(current_cost)
found = True
break
valid = True
states = city_states[current_city]
pos = bisect.bisect_left(states, (current_arrival, current_cost))
if pos > 0:
prev_time, prev_cost = states[pos-1]
if prev_time <= current_arrival and prev_cost <= current_cost:
valid = False
if valid:
while pos < len(states):
next_time, next_cost = states[pos]
if next_time >= current_arrival and next_cost <= current_cost:
valid = False
break
pos += 1
if not valid:
continue
flights = adj[current_city]
req_dep = current_arrival + 60
departures = [f[0] for f in flights]
idx_flight = bisect.bisect_left(departures, req_dep)
for i in range(idx_flight, len(flights)):
dep, to_city, arr, flight_cost = flights[i]
new_cost = current_cost + flight_cost
new_arrival = arr
to_states = city_states[to_city]
pos = bisect.bisect_left(to_states, (new_arrival, new_cost))
dominated = False
if pos > 0:
prev_time, prev_cost = to_states[pos-1]
if prev_time <= new_arrival and prev_cost <= new_cost:
dominated = True
if not dominated:
j = pos
while j < len(to_states):
t, c = to_states[j]
if t >= new_arrival and c <= new_cost:
dominated = True
break
j += 1
if not dominated:
to_remove = []
j = pos
while j < len(to_states):
t, c = to_states[j]
if t >= new_arrival and c >= new_cost:
to_remove.append(j)
j += 1
for j in reversed(to_remove):
del to_states[j]
bisect.insort(to_states, (new_arrival, new_cost))
heappush(heap, (new_cost, to_city, new_arrival))
if not found:
print(-1)
if __name__ == "__main__":
main()
Explanation
- Graph Construction: Cities and flights are parsed into an adjacency list. Each city is assigned a unique ID for easier handling.
- Priority Queue Initialization: Start from the source city with initial time 0.
- State Management: For each city, maintain a list of states (arrival time, cost) sorted by arrival time. New states are added only if they are not dominated by existing states.
- Flight Processing: For each city, flights are processed in ascending order of departure time. Valid flights (departing after the required time) generate new states which are checked for dominance before being added to the queue.
This approach efficiently finds the minimum cost path considering both time and cost constraints, ensuring optimality using dominance checks and priority-based exploration.
评论已关闭