Afternoon Cyber Tea with Ann Johnson 5.31.22
Ep 53 | 5.31.22

Mitigating Future Risks


Ann Johnson: Welcome to "Afternoon Cyber Tea," where we speak with some of the biggest security influencers in the industry about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision-makers. I'm Ann Johnson, and today I'm joined by Katie Nickels. Katie is currently the director of intelligence for Red Canary and has worked in security operations centers and cyber threat intelligence for nearly a decade, hailing from a liberal arts background with degrees from Smith College and Georgetown University. Before joining Red Canary, Katie was the ATT&CK threat intelligence lead at MITRE Corporation, where she focused on applying cyberthreat intelligence to ATT&CK and received multiple awards, including a SANS Difference Maker Award. She is also the program manager for Cyberjutsu Girls Academy, a program for teenage girls that seeks to inspire exploration and learning in cybersecurity and STEM. Welcome to "Afternoon Cyber Tea," Katie.

Katie Nickels: Thanks so much, Ann. It's great to be here with you today. 

Ann Johnson: So let's dive in. You know, new cyberthreats are being detected all the time, and they have the potential to impact any operating system. This evolution has forced enterprises to upgrade their security tools, processes and skills to stay ahead. What do you believe are best practices when trying to be proactive and to protect your information? 

Katie Nickels: Yeah, this is such a tough one because there are so many things organizations can do, and I think it's easy to be overwhelmed by all the recommendations for logging, for protection. And so I always encourage organizations to go back to the basics - the simple things of having a really good patch management program. We know that a lot of adversaries gain their initial access into environments via unpatched vulnerabilities that sometimes are years old, right? CISA maintains this big list of those vulnerabilities. And so in the overwhelming - you know, all of the overwhelming guidance that's out there, I think going back to the basics, patch management program. And I think it's important to acknowledge that just because - right? - we describe these as the basics, doesn't mean that these things are easy. Trying to - especially for large enterprises - figuring out what is the status of what versions of software do I have across my enterprise - that's not an easy task. But I think these basic fundamentals of - right? - knowing your environment, having an asset inventory, having a patch management program - those are going to help organizations protect against a lot of different threats, even as a lot of those threats change up that we know that they come back to those same techniques of exploiting known vulnerabilities. 

Ann Johnson: So let me ask you this. When you talk about a patch management program, you know, one of the things I talk about and I heard you say in your response was that understanding where your assets are. Can you go a little further and talk about what a program actually should be inclusive of and what best practices are for building a program? 

Katie Nickels: Yeah. Ideally, any kind of patch management program would start with a solid asset inventory. There are tools that can do this and can enable, make it a little easier for enterprises to just have an understanding of what is my enterprise, right? What assets are included in that? What kind of workstations, servers, mobile devices, etc. So understanding those assets - and a lot of tools, as I mentioned, can help kind of automate that process, that discovery - and then understanding what software is on each of those assets. From there, knowing your software versions, then you can have an understanding of, OK, when a new known vulnerability comes out, do I need to update? How do I need to update? But it's more than just that, right? I think that's a key part of patch management is also prioritization, realizing that - right? - there are a lot of vulnerabilities out there and system administrators have limited time to update, and a lot of updates result in downtime for the environment. So I always recommend having threat intelligence analysts or whomever is tracking threats for your environment, for your organization, kind of have input into, OK, this is a vulnerability in VMware that adversaries are actively exploiting in the wild. And whether that team is looking at reporting from other organizations on those threats or just using something like a CVSS score, that can be another way that organizations can make sure they're also having this prioritization aspect of patch management, because it can be so overwhelming to keep up with everything, right? Knowing, hey, these are the ones that adversaries are loving to exploit right now can be a really key part of that program. 

Ann Johnson: So when you think about, then, the assets for patching, what do you do with the things that can't be patched? The things that, whether it's an IoT device, an OT device, or just a legacy operating system that's running a mission-critical application that hasn't been updated - how do you handle those? 

Katie Nickels: Yeah. I think it's mitigate where you can - right? - if you can patch. But realizing - ICS environments, as you mentioned, that's one where it might just not be possible. So I think just having an understanding of if there are assets that you know can't be patched, that's really helpful because then you can try to apply other mitigations, right? Maybe decreasing the privileges or adding some monitoring so that if an adversary did get onto one of those devices - limiting their options for lateral movement, for example. Or just having really strong detection and monitoring of those assets, knowing, OK, these are at a higher risk of being compromised, so if an adversary got on, we'd be more confident we could log and monitor and detect if they were on that device. 

Ann Johnson: That's good. And I think that, you know, the important thing - and I always tell people this - instead of just saying patch, patch really fast, is have a holistic program. And you've described it in a lot of detail. So I really appreciate you giving that guidance because one of the things we try to do on the show is give practical guidance, and that's super practical. 

Katie Nickels: I'm all about practical advice. 

Ann Johnson: So let's move on and talk about industry cooperation, right? The industry - you know, and I've been in the industry for a long time, and you've been in the industry for a long time. And we know that increased cooperation and transparency are big goals to help defend against future threats. We also know that organizations are at greater risk when they reveal cyberattacks prematurely because they don't actually have the time to fully understand the breach or to prevent the breach from happening again. How do you recommend organizations share information about attacks without putting themselves at greater risk from the attackers, but also - and this is a bigger question, and we probably won't get completely through it - but to be compliant with different regulations globally? 

Katie Nickels: Yeah. This is such a hot topic right now. And what I always say is that I think there's a happy medium between protecting organizations' privacy and sharing threat information. For example, if an organization has an intrusion, I, as a partner organization, someone else out there - I don't really care if Katie Nickels or Ann Johnson were the victims. What I do care about is what techniques and procedures did the adversary use? Are there any malware samples that can be shared, right? And so I think that, especially in policy circles, sometimes there's this mistaken idea that - right? - if we share information about an intrusion, that we're sharing something super sensitive about our organization. And I don't think it necessarily has to be that way. 

Katie Nickels: I do think there is some challenge always in admitting, hey, we got compromised, right? But I think that maybe we're, community-wide, doing a little better in realizing - right? - intrusions happen to everyone. And so I think with that knowledge, if we can start to destigmatize the fact that - right? - we all have compromises at some point, I think there is a happy medium where you can anonymize the details. Just share the stuff about the adversaries, about the threats, not about the victim details. That's not usually very relevant to many other organizations anyways. And so, you know, I think for information sharing, there's a lot of - in policy circles - talk about, oh, well, we have to protect the victim information. Absolutely. But I think there are a lot of ways that we can focus more on the adversary and sharing that information and that there is a happy medium between sharing everything and sharing nothing. 

Ann Johnson: I think that's right. And sharing the tactics and techniques of the actors, sharing any IOCs you have - right? - or indicators of attack also. But you don't necessarily have to share the impact to your organization transparently. But as soon as you see something that's new or novel or just a - you know, maybe it's not new or novel, but it's being persistent, I think that's super important for - to share as quickly as you possibly can. And I love what you said about destigmatizing it, right? As an industry, we need to not - you know, you're on social media, and I'm on social media, right? You always see organizations, that certain people will take shots at them for having a breach. Everyone has attacks. Everyone gets compromised. What we need to do is make sure that people understand that because that's the only way we're actually going to have meaningful sharing is if people feel safe to share. 

Katie Nickels: Yep. Absolutely. And, you know, social media, you mentioned - I think of the tweet from the - I think it was a university in Tennessee a month or so ago that tweeted - right? - basically unplug all your devices; there's a ransomware attack. And I felt like there were so many just mean responses there, you know? This organization, this university, probably not well-resourced, is going through this huge ransomware attack. And luckily, I saw a few supportive responses, recommendations for steps to take in incident response. But I think making it the norm to share that information is certainly helpful. 

Katie Nickels: And the other thing, you know, I think that's important as we're talking about information sharing is realizing there are different ways to share and different communities to share with. Not everyone has to put out a public blog about every single intrusion. There are a lot of informal sharing groups or organizations like ISACs or ISAOs where you can share the information with others in your industry privately, not having to necessarily admit publicly that there was an intrusion, or, potentially, if there are sensitive techniques or new malware adversaries are using that you don't want to tip them off to, you don't have to share publicly. So I think that's another important nuance - right? - private versus public information sharing. 

Ann Johnson: Yeah. How do you feel about - you know, let's just stay on sharing for a couple of minutes. How do you feel about the ISAC sharing or government sharing or CISA? Can you talk a little bit about that? 

Katie Nickels: Yeah, it's such an interesting area. And I recently talked to Grace Chi. She's one of the co-founders of Pulsedive. She did a really interesting study talking about cyberthreat intel sharing and networking. And one of the takeaways she found from sort of an informal survey is that informal sharing is still one of the most powerful methods, right? These are kind of, you know, Slacks or Discord groups or Signal chats just between different defenders in this space. And I think that informal sharing and just making those relationships - hey, if, you know, my organization got compromised and there's another bank that has a very similar threat model to mine, just reaching out and telling them. But I think there's also a role for formal information sharing. And that's where I've heard that ISACs and ISAOs - some of them are very, very mature, right? The financial services ISAC, for example, has been around for many years. And I think for ISACs in particular, since they're industry-based, that can be a really powerful sharing method, again, for people who have very similar threats they're facing. 

Katie Nickels: I think on the government side, one of the things that I've come to appreciate about CISA in particular is just how broadly they can communicate out. They had a call a couple months ago - I think was around a major vulnerability, maybe some of the Ukraine activity - and Jen Easterly and the CISA team stayed on that call for, I think, three or four hours. And I listened in to that and heard from so many different small organizations - right? - an IT admin from a critical infrastructure organization in the rural part of the country. And it was just really revealing to me and made me think about the fact that - right? - you and I, we live and breathe security all day, every day. But I think one of the powers that CISA has is, as a U.S. government agency with reach-out and the ability to reach all of these different organizations and critical infrastructure contacts - they have the ability to reach a really wide audience, not just of the people who live and breathe security every day, but the single administrator who is protecting a dam, for example, and trying to disseminate simple, actionable information, indicators, guidance to them. 

Katie Nickels: So I think that there's not one best form of information sharing, right? The informal continues to be really valuable - those personal relationships. But that's not necessarily scalable. And so I think ISACs, as well as government sharing, I think, can have a lot of power for different reasons and different types of information and organizations, as well. 

Ann Johnson: You know, I could talk to you all day. Anyway, all right, let's talk about insider threat for a minute. We know that insider threats are increasing. We know that human behavior is a really powerful tactic for threat actors. And we know that these threat actors are increasingly targeting insiders within organizations. They can find information on social media. They can find information just by trying to bribe them. People end up having financial difficulties. What do you think, from an insider threat standpoint, is really beneficial for companies to invest in? 

Katie Nickels: Yeah. I think one of the interesting things in thinking about insider threat is that a lot of the same methods you use to catch external threats, you can also apply to try to identify insider threats. For example, a lot of data leaving your network - exfiltration. This is something that an insider might do, as well as an external threat. And so I think for organizations who are concerned about insiders - starting with the basis of collecting logs, having this visibility into what's happening in your environment and looking for techniques that insiders and external adversaries might do. 

Katie Nickels: But I think for organizations who are looking to kind of level up, one area that I think a lot of organizations are looking at is sort of anomaly-based detection, often using kind of machine learning techniques to look at, OK, what is normal in this environment, right? How much data usually leaves this machine to external resources? Or looking for - USB devices are still a thing, even though, you know, they've been around for years - looking for anomalous USB activity. And I think insider threat is just inherently a tougher space than - threat intel is focused so much on external adversaries. And we have a lot of reporting, and we share that. But there's not a whole lot out there about insider threats and how they behave. So I think in the absence of that, organizations - right? - do the best they can. Applying those same kind of methodology as they apply to external threats to look for anomalous behaviors, I think, can be a useful strategy to identify all kinds of threats, whether it's an insider or an outsider. 

Ann Johnson: I think that makes a lot of sense. And I think there's just this understanding that insider threats can be equally pernicious and making sure we're treating them the same way as we would treat an external threat and applying the right tooling to them. 

Katie Nickels: Yep, absolutely. And this is something - you know, when I was previously on the MITRE ATT&CK team, a lot of people asked, well, is there a MITRE ATT&CK framework for insiders? And what we would always say is, just think about the existing MITRE ATT&CK framework and how an insider might maybe have a slightly different procedure or a different tool they would use. But a lot of those same techniques are going to work for objectives, regardless of where that adversary is located. 

Ann Johnson: So as we move through different threats, I want to talk for a minute. You know, let's move to - we've done sharing. We've talked about insider threat. Let's talk about ransomware. Ransomware across an organization - an average of $200,000 in payments per attack. And I know that you're a member of the Ransomware Task Force of the Institute for Security and Technology, and you helped develop this 81-page report that developed a framework to help companies combat ransomware attacks. Can you summarize? I know it's 81 pages - a lot to ask. But can you summarize and talk a little bit about ransomware, the ecosystem and your thoughts on how companies can best mitigate and defend against future ransomware attacks? 

Katie Nickels: Yeah. And it's been a fun milestone. Mid-May was actually the one-year anniversary of that IST think tank Ransomware Task Force report. And we had a gathering in D.C. where a lot of people in this space - from the policy side, from the practitioner side - came together and talked about a lot of the recommendations that had been implemented in that initial report because the report was really a call to action, right? A report doesn't solve the ransomware ecosystem. It's just sort of - it identified different areas, everything from - right? - information sharing, which we talked about, to dealing with the cryptocurrency side - right? - things like adding Know Your Customer requirements or better cooperation with law enforcement, reporting incidents. So a lot of different recommendations, and a lot of those recommendations have been implemented over the last year, which is pretty exciting. 

Katie Nickels: But I think we also had a chance to look back and think about, how has ransomware changed maybe? How has it stayed the same? And I think we're at an interesting point now where we haven't solved ransomware, but I think there is sort of this perception in the community that we have because we haven't had - right? - another Colonial Pipeline-type attack where people are waiting at the gas station to fill up plastic bags - been over a year since that attack. And I think the challenge is realizing that - right? - combating ransomware is really going to be a long-term task. This is not something that's going to be solved in days, weeks, months or even a year. And so I think we've sort of, as a community, have shifted from this panic mode of, oh, my gosh, Colonial Pipeline and then, last summer, the Kaseya attack. It got really, really bad and law enforcement kind of upped the temperature a little bit, had some indictments, some takedowns of different adversary ransomware groups. 

Katie Nickels: But I think the reality we're all facing is that ransomware is just a threat that is still here and is maybe here to stay. We saw, for example, the recent Conti ransomware intrusion into the Costa Rican government that resulted in them declaring a state of emergency. And so that was really a reminder to me that a lot of people are saying, oh, ransomware, it's getting better. Well, first off, it's really tough to measure 'cause no one has perfect visibility. But I think as long as there are major compromises like that or there are organizations, like that university in Tennessee, who are being compromised, I think ransomware remains a threat that a lot of organizations really need to keep paying attention to and law enforcement and international governments need to pay attention to, as well. 

Ann Johnson: Yeah. I think that the law enforcement angle is really important, also understanding that crypto can help run ransomware organizations, right? It was a defining moment. So bringing in law enforcement and bringing in regulators early and helping to thwart attacks, you know, down the road, even if you yourself are compromised - just, again, that threat information sharing - right? - giving all the information you can to help thwart an attack down the road is - and being part of the community and ecosystem is so incredibly important. 

Katie Nickels: Yeah, and it was interesting. One of the things that that Ransomware Task Force report did not recommend is outlawing ransomware payments. It was an area where the members of the task force just couldn't agree. And there remains this debate over, should we outlaw payments of ransom? And it's a really tough issue. And the kind of collective wisdom was there's a real risk that - as governments are trying to incentivize, share with us when you're compromised, when you have a ransomware incident, so we can know more, if you're saying that and, in the same breath, saying, oh, and it's illegal to make ransom payments, I think what a lot of members of the task force felt is that there's a risk that if ransom payments were outlawed, that would decrease the desire of any organization who might want to pay a ransom to share that with the U.S. government or other governments out of fear of some kind of legal action. And so that remains one of those issues that I think is still hotly debated. And I don't think there's a clear answer. 

Katie Nickels: I think that the best thing government can do - right? - we've talked about information sharing - is really start to try to incentivize reporting, right? Rather than using the stick, I think the carrot is a better approach. Incentivizing, hey, if you report to us, even if you're going to pay the ransom, we can offer the following support or the following guidance or maybe some closed information about a certain ransomware group - something like that. So it's interesting. There are these policy issues that have been discussed around ransomware for years and still no clear answers on what the right approach is. 

Ann Johnson: Yeah, I agree with you. And, by the way, we recommend that people don't pay the ransom. But at the end of the day, some corporations just have no choice. 

Katie Nickels: Yeah. 

Ann Johnson: Right? They have no option. And I think that outlawing it is going to do a disservice to companies that have to keep their critical business systems online or get their critical business systems back online. All right. Well, can you share a little bit about what you're working on right now? 

Katie Nickels: Yeah, absolutely. My big focus at Red Canary right now is building a team, which has been a lot of fun. We're up to 10 people on the Red Canary intelligence team. And we're really trying to carve out a space for our team and our voice in this industry and really try to share the message with the community that threat intelligence is about more than just tracking atomic indicators. It's about more than just tracking state-sponsored actors. It's really about using a really deep knowledge and understanding of what adversaries are doing to help inform better decisions. And that takes so many different forms. My team recently published a blog post on this weird activity cluster called Raspberry Robin. And we don't know everything about what this cluster is doing. We just saw this weird USB worm, realized a lot of other people in the community were seeing that. And so one of the things that we're trying to do is - on the topic of sharing - share what we know with the community. Maybe there's some pattern we're seeing. And what we've found is that no organization has perfect visibility. But by kind of sharing with the community what we're seeing from threats, sometimes, we can piece together our different visibility and try to put together a bigger picture of what these adversaries are doing. So growing a team, building a team, trying to continue to identify new threats, new patterns. We're kind of closely tracking, along with other teams, different shifts away from macro-based malware intrusions - right? - as a result of Microsoft locking down Microsoft Office macros, which I think everyone across the community cheered about. It's been interesting because we - as we try to track adversary trends and shifts, we've definitely noticed that adversaries seem like, all right, macros are not the place to be, so using other methods. We've seen a lot of ISO files for initial access, XLL file types. So we're always trying to track - what are these adversaries doing? How are they changing? And the response to the Office macro shutdown is kind of an interesting one that we and others in the community are keeping an eye on right now. 

Ann Johnson: I think it's a big step forward, right? And I think we just need to keep going. When you have any company, like Microsoft, that's a massive producer of software and 50 years old, you're going to have vulnerabilities. It just happens, right? And the more we're cognizant of and the willing to take quick action, the better for the industry and better for, you know, our customers. 

Katie Nickels: Yep, absolutely. It was such a - it was a great step. And it was interesting because you always get the people who are like, oh, you know, took long enough. But, you know, I think about the scale of what Microsoft's doing and all of the software and all of the people and the users, right? You can't make changes like that overnight. And so - it was an exciting change, though. But, of course, adversaries are going to change, and they're going to shift, and they're going to respond to whatever Microsoft or software developers or defenders are doing. And I think that's what I love about the job of threat intelligence - is it's always changing and, you know, just trying to keep up with what adversaries are doing and, if you can, anticipate where they might go next. So that keeps me and my team pretty busy. 

Ann Johnson: Well, as we wrap up here, we always like to leave with two practical pieces of advice for our audience. So what are your things that people could do today to overcome cyber challenges? What are the top two things - you know, it sounds silly, but what are the top two things you would tell people? 

Katie Nickels: Yeah. I think going back to the basics, right? We talked about patch management at the beginning and realizing that it's so easy in this community to be kind of misled by the shiny object syndrome, right? There's a shiny thing that's happening. But going back to those basics, remembering that those fundamentals aren't easy, but they are definitely worthwhile. So I think that's the first one. And then the second one, I think on the information sharing front, just making time to prioritize sharing and networking. That's one of the things we didn't talk about with information sharing. It takes time. It takes time to share that thoughtfully with your peers, with the community. But I think taking that time to share information and making that part of how you work. It's something I try to do on my team - remember that we don't have all of the answers or all the visibility, so taking the time for sharing and networking and making that part of your everyday activities - I think that's the second key takeaway in addition to going back to those basics. 

Ann Johnson: Katie, thank you so much. Thanks for sharing all of your insights. I hope to see you at least at one of the upcoming events over the summer. And I appreciate you joining me on "Afternoon Cyber Tea." 

Katie Nickels: It's been such a pleasure. Thank you, Ann. 

Ann Johnson: And many thanks to our audience, as always, for listening. Join us next time for "Afternoon Cyber Tea." 

Ann Johnson: So I chose Katie Nickels to join me on "Afternoon Cyber Tea" because she's this exceptional industry expert that has a wide breadth and depth of experience. And I knew that she would provide practical information and guidance to the audience, as well as lending us her expertise. And she did not disappoint. This is a fantastic episode, and I hope everyone enjoys it as much as I did.