CSO Perspectives (public) 7.22.24
Ep 93 | 7.22.24

The current state of Cyber Threat Intelligence.

Transcript

Rick Howard: Hey, everybody. Rick here. So far this season, we've done a gut check on the current state of XDR, extended detection and response; IAM, identity and access management; and the MITRE ATT&CK framework. Since we did ATT&CK last week, I thought it was only appropriate that for this week, we take a look at CTI, cyber threat intelligence. If you're following along with our "First Principles" book, you know that CTI is a key and essential tactic to the intrusion kill chain prevention strategy, and in order to deploy and maintain prevention controls for known adversary campaigns across the kill chain, your CTI team will likely be using the MITRE ATT&CK wiki for a good portion of its inbound intelligence. See what I did there? Do you see how everything is connected? We don't do random stuff here. We got a plan. So hold on to your butts.

Unidentified Person: Hold on to your butts, butts.

Rick Howard: We're going to take a deep dive in the world of cyber threat intelligence. [ Music ] My name is Rick Howard, and I'm broadcasting from N2K Cyber's Secret Sanctum Sanctorum Studios located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old US of A, and you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. John Hultquist is the chief analyst at Mandiant, an XDR training and incident response company now part of the Google Cloud organization after the acquisition in 2022, but he's been doing intelligence work for going on two decades now. First with the US government, then with a commercial cyber intelligence company called iSIGHT Partners, and then with Mandiant, where he has been working for over seven years. So John and I are both cyber intel guys from way back, and when I ran into him at the mWISE conference in DC last October, he and I got to talking about the old days and how far CTI has come. So we have a history, right, John, because I ran a cyber intelligence shop many years ago called iDEFENSE --

John Hultquist: That's right.

Rick Howard: -- founded by John Waters, that was owned by Verisign, and then when he left the company, he started another commercial intelligence company called iSIGHT, right? Stole half my people [inaudible 00:02:39]. Kept the "i."

John Hultquist: Kept the "i," yeah.

Rick Howard: And then you joined them, right? So explain what happened after that.

John Hultquist: So I joined out of -- I guess I was working at DIA at the time, mostly spent most of my time at State Department and in the Army way back in the day. And they had -- they were like -- they were focused on cybercrime at the time, and it was just like, "Can we find anything besides cybercrime out there in the ether?" And at first, we could not. For a long time, we could not. And then, you know, slowly, we figured out how to track certain actors -- you know, certain espionage actors. It took us a while, and I mean, it was a very, you know, slow process. But over time, we built out the ability to hunt for cyberespionage outside of the government, which is something, frankly, if you told me it was possible when I was in the government, I would say that's ridiculous.

Rick Howard: Yeah, that's exactly right. So you've been involved in all the changes of hands of the iSIGHT stuff, right?

John Hultquist: Yeah.

Rick Howard: It went from where to where to where?

John Hultquist: So we were at iSIGHT, and then we got acquired by FireEye, which had previously acquired Mandiant, and then FireEye sort of became Mandiant.

Rick Howard: Which nobody could figure out --

John Hultquist: Yeah, it was a strange sort of thing, and then we became Mandiant Intelligence within Mandiant, and then Mandiant was acquired by Google Cloud, and that's where we are now. I've been through all of it.

Rick Howard: And you've seen all -- you know where all the skeletons are, right?

John Hultquist: Yeah, yeah.

Rick Howard: But we're talking today because we're at the mWISE conference here in Washington, DC, right? The -- I don't know. What would you say the theme of the conference is this year overall? What were you trying to get across?

John Hultquist: You know, I've spent a lot of time with customers, and that's -- honestly, it's been super enlightening because I have my thoughts on what I think matters, and then you go into the room and they're like, "This is what actually matters to me," and it's always great to sort of find where those two parts kind of connect. And, you know, I think obviously, the situation with the casinos in Las Vegas is like the talk of the town or whatever you want to call it right now.

Rick Howard: Which is crazy, right? I mean, okay, it's a big deal for them, but why is that more important than, I don't know, something else?

John Hultquist: I mean, I think those actors are sort of challenging a lot of the, you know, the ways that we do security, right? And --

Rick Howard: What John and I are talking about are the ransomware attacks against two Las Vegas hotel chains in September of 2023, just prior to this conversation, by the hacking group Wicked Spider. The group compromised Caesars and the MGM Resorts, including the Bellagio and the Cosmopolitan, and sent them back to the Stone Age. MGM had to stop using their computers for 10 days entirely, and instead checked in hotel guests manually and provided customers with cash payouts from the casino. Caesars reportedly paid Wicked Spider a $15 million ransom, and MGM estimated that the total recovery cost for them was about $100 million. According to Josephine Wolff at Slate Magazine, casinos have a reputation for excellent security, but it seems that security may be more focused on physical vulnerabilities than online ones.

John Hultquist: And I will tell you that casinos -- I've worked and spent a lot of time working with casinos over the years, and they are mature players, right? They are --

Rick Howard: They know what they're doing.

John Hultquist: They have been doing security since day one at casinos, right? It's not an afterthought. It never was. And so, you know, it's really interesting to see, you know, an actor, you know, hated more than one of them. And, you know, we've been essentially trying to distill some of the lessons learned from that actor.

Rick Howard: Is there something we can just point to here? Like, you know, we've been doing cybersecurity for 30 years. They took advantage of something that we have not been paying attention to.

John Hultquist: Well, you know, it's funny. It's like everything old is new again, right? There are things that I think we thought about a long time ago, and maybe we didn't keep watching because adversaries change, and we may not have kept our eye on the ball on certain things. Just like -- by the way, there was a talk about USB malware, right, which was like the bane of my existence when I was in the government with the, you know, with the Agent BTZ situation, so that everything old is new again, I think -- you know, these are things that we've thought of before but there's been a refresh -- you know, it sort of refreshed a lot of our memory on a lot of these problems. And it's good because we're going to start, you know, attacking some of these problems. So the biggest one is their ability to social engineer. It's exceptional. They're English speakers. I keep talking about -- it's not just that they're English speakers, they're native English speakers. They're able to sort of develop a real familiarity with the people they talk to and sort of emote in the language, right? There are differences between how people in Western Europe discuss things, right? You know, like they're very -- and how they emote on the phone, right? And these guys are locked in and able to really convince somebody to help them. And what that means is that your help desk will not only sort of, you know, allow them to get through these gateways that we've set up, but almost pull them through because I think they like them, you know. They want to help them. And --

Rick Howard: So kind of we've gone back to more social engineering as a skill set, right?

John Hultquist: It's a huge skill set. And I think that it exposes the vulnerability and just, you know, the way that we set up these help desks. Probably how we incentivize them, right? They're incentivized to be helpful, right? That's how they're reviewed, I'm sure. Telling somebody no may not actually be in their interest, you know, economically and, you know, if you work on the floor, and we've got to make sure that's not the case.

Rick Howard: I heard a story by Mitnick talking about help desks, right? The Mitnick I'm referring to here is the late, great Kevin Mitnick, the infamous world-class social engineer, author of two wildly popular books on this subject, "The Art of Deception" and "Ghost in the Wires," and who you could reasonably say put the skill set of social engineering on the cybersecurity roadmap when he went to prison for five years back in the mid-1990s for "various computer and communications-related crimes." When he got out of prison, he went straight, set up a consulting business, and became a beloved character in the infosec community. Sadly, in 2023, when he was just 59, we lost him to pancreatic cancer. Right. He was saying that the way he would social engineer a target was that he would call in and help the help desk solve a problem, like a contractor. Like he faked being a contractor.

John Hultquist: Oh, wow.

Rick Howard: He'd solve the problem, and then a week later, he would call the help desk again and say, "Hey, I need you to fill out this -- "

John Hultquist: You remember me.

Rick Howard: You remember me? Fill out this paper, right? And it's like, yeah, so maybe we're coming back to those kinds of things.

John Hultquist: Yeah. I mean, the long play, by the way, is something we've actually seen from the other players, more than like the text, you know, like email message situation, like the Iranians and the South Koreans. You'll see them social somebody for like a month now before they ever bother to send that link or that, you know, that attachment. But they're pulling people through. They're hitting these business process outsourcers that are -- like third parties that manage a lot of our data and sort of going after third parties to get into their targets. And the other thing that's really important that they're doing is there's a focus on telecoms and SMS and particularly the ability to overcome second -- like, two factor, right? Or the ability to get somebody to send a reset code or something directly to a phone that they control. And it really proves that we have to really rethink, you know, how much we rely on phone numbers as a reliable way to sort of authenticate somebody.

Rick Howard: Because we're still trying to get people to use two factor on phones, right?

John Hultquist: We're still on this journey. And I will say that I still, you know, I still think it's a speed bump, right? But it's just not an enterprise -- like, a speed bump is not, like, a doorway, right? Like, it's not enough for an enterprise. Maybe for certain things, it's enough. But if, you know, if you are trying to protect the enterprise, it's just -- it's probably not going to -- it probably won't do it. [ Music ]

Rick Howard: So you're on this panel at the mWISE conference, okay? It's called "Cyber Intelligence in a Rapidly Changing World," and some big-time luminaries on that panel -- I'm not saying you are but, you know, other people are there.

John Hultquist: There are other people there.

Rick Howard: Right?

John Hultquist: Yeah.

Rick Howard: Did this kind of stuff come up on the panel, or what was the -- what were you talking about in all of that?

John Hultquist: Well, you know, we had some really interesting people on the panel who had spent a lot of time looking at crime from various aspects. Jackie from Chainalysis, I thought had a really interesting sort of view into the problem. She looks at the blockchain and she watches a lot of this movement.

Rick Howard: For those of you not familiar with the company Chainalysis, it figures prominently in the Cybersecurity Canon Hall of Fame book, "Tracers in the Dark" by Wired journalist Andy Greenberg, in my opinion, the best cybercrime book in the last decade. If you had any lingering doubts about whether Bitcoin's blockchain technology would protect your identity, Greenberg completely blows that out of the water, and Chainalysis, along with a feisty IRS agent and a university grad student, are the ones that figured out how to do it. The Jackie that John just mentioned is Jackie Burns Koven, the head of cyber threat intelligence at Chainalysis.

John Hultquist: And one of the things she said is she's seen sort of a drop off in some of the many criminal actors, and she attributes this to maybe some success. And, you know, we're seeing zero days in the crime space now, and there's a thought that maybe some of the -- there is actually an increasing barrier to entry. So some of our defenses may actually be working. That's what we're talking about, innovations here, right, or like --

Rick Howard: And that's our show. Well, part of it. There's actually a whole lot more, and I have to say it's pretty great. So here's the deal. We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity. If you want the full show, head on over to the cyberwire.com/pro and sign up for an account. That's the cyberwire.com/pro. For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing. Plus, you get a whole bunch of other great stuff like ad-free podcasts, exclusive content, newsletters, and personal level of resources like practice tests. With N2K Pro, you get to help me and our team put food on the table for our families and you also get to be smarter and more informed than any of your friends. I'd say that's a win-win. So head on over to the cyberwire.com/pro and sign up today for less than a dollar a day. Now, if that's more than you can muster, that's totally fine. Shoot an email to pro@n2k.com and we'll figure something out. I would love to see you over here at N2K Pro. One last thing. Here at N2K, we have a wonderful team of talented people doing insanely great things to make me and the show sound good. And I think it's only appropriate you know who they are.

Liz Stokes: I'm Liz Stokes. I'm N2K's CyberWire's associate producer.

Tré Hester: I'm Tré Hester, audio editor and sound engineer.

Elliott Peltzman: I'm Elliott Peltzman, executive director of sound and vision.

Jennifer Eiben: I'm Jennifer Eiben, executive producer.

Brandon Karpf: I'm Brandon Karpf, executive editor.

Simone Petrella: I'm Simone Petrella, the president of N2K.

Peter Kilpe: I'm Peter Kilpe, the CEO and publisher at N2K.

Rick Howard: And I'm Rick Howard. Thanks for your support, everybody.

All: And thanks for listening. [ Music ]