Threat intelligence discussion with Chris Krebs.
Dave Bittner: Chris Krebs is well-known and respected in the cybersecurity world as former director of the Cybersecurity and Infrastructure Security Agency, now a partner at the Krebs Stamos Group and an advisor to SentinelOne. My N2K colleague Simone Petrella sat down with Chris Krebs at the mWISE conference in Washington DC, hosted by Mandiant and Google Cloud. Here's their conversation.
Simone Petrella: So I know one thing that has been on kind of all of your talking points is how technological systems have really become part of enterprise risk management writ large, and then in addition business strategy. So I guess maybe to kick it off, what are some of the things that you think security executives and the teams in particular need to do to navigate between this kind of inevitable inseparation between technology systems, security risks, and business objectives?
Chris Krebs: Yeah, so there are two immediate thoughts. One is that we really need security teams and security program leads to make sure that they're thinking strategically and not get trapped in the day-to-day shiny object procurement cycles. Really start thinking about the broader risk to the enterprise, rather than again diving down into a single capability. And part of that is starting, as I see it, with a real full analysis and understanding of what your threat model looks like. You know, we do see a lot of organizations that get wrapped around the axel on ransomware, which is important, and it's also probably the single greatest threat to any organization. But at the same time, there's an increasing number of organizations that kind of fit into an adversary's playbook. And what we're seeing lately is much more aggressive behavior by, particularly the Chinese Ministry of State Security and the PLA, as evidenced by the bolt typhoon and crimson typhoon activity that reported earlier this summer out of Microsoft, that shows that they're preparing for conflict. And in doing so, they would try to win the fight before the fight's actually begun. And part of that is going after U.S. critical infrastructure and our ability to support the military as well as just general civil society. So you know, I do think it's critically important that organizations take a step back and say, how would I fit into an adversary's game plan? And what do I need to do to step up from a security perspective? But also, you know, how do I need to work better with government and make sure I understand the threats coming my way? That's great, right? That's exactly where you need to start. How you get that done is actually quite complicated, though. Start with a threat model, you run a gap analysis against your current security program, and then you pull together the roadmap on how you do that. A CISO or a security team lead in their own positions will not be able to get that done in any sort of, you know, realistic time frame or, you know, practically execute. It really does require high-level executive engagement to ensure that you're pulling together a team that can communicate the risks to the business. And that's across corporate liability, shareholder value, operational reliability, and ultimately national security. And so, it really does start, and as I see it, with communicating to the executive team and the board in ways that make sense. You know, we in the security community have a different language. It's kind of all Greek to some of the folks we deal with. And so, how do you translate that down into, you know, again, real business objectives and business language? At the same time, I've never seen a CISO be successful if they don't have the full support of the executive team and the board. You can be Phil Venables over at Google, and if the executive team doesn't support you, then you're in a tough spot. So it is critical that you make that connection. And then, again, you know, stay strategic. Don't get trapped tactically. It's a marathon, not a race. So don't get wrapped around the axle on procurement and shiny objects. And then, also realize, as I touched on a little bit earlier, you know, you're not alone. It's going to take a collective approach here. So make sure you're working across industry. ISACs are great tools to make sure that you kind of know what else is happening in the sector, across the industry. And then, of course, keep working with government, whether it's CISA or the intelligence community and the FBI or foreign partners that play a similar role.
Simone Petrella: You mentioned on the threat model side, just as a starting point to kind of coming up with that strategy. Obviously, in cyber intel, we're pretty good at tracking and attributing campaigns. We've done that across the MITRE ATT&CK framework, across a number of different of kind of threat actors, but we're not so good at attributing it to people. And so, for the general purposes of, you know, cyber defenders on the ground, does it matter if they know if the attacker's from Russia or China or North Korea?
Chris Krebs: From a strategic perspective, I think it does. And yes, it is difficult. I think in many cases, we're getting better insight and we're getting better insight into the behaviors, but at the same time, the adversaries know that we're getting better and they're getting better as well. So you're starting to see a little bit of obfuscation and mimicry and third- and fourth-party collection that makes you think one thing, but it's really the other thing. But again, this goes to the importance of understanding the adversary's objectives. And I think you're right, we are getting better at attribution and a lot of that's on the tactical level and the TTPs. That helps you from the day-to-day, but if you think about where we're going, where we're going geopolitically over the next three to four years, you really do have to have a better understanding of what the adversary's overall objectives are, where they may be going, what are they preparing for, and how do you fit into their plan. And this does get much, much bigger than just defense industrial base and even banks. Logistics, travel, you know, how do we move troops into theater during a conflict? And it's under the Civil Reserve Air Fleet, which uses domestic and international carriers, otherwise commercial airlines, to move troops. And now commercial airlines are squarely in the sights of what I would see is a Chinese escalation.
Simone Petrella: Yeah. So you know, given that, do you think there is a common set of intelligence requirements that organizations have or they should have with respect to cybersecurity?
Chris Krebs: Common kind of depends upon the sector. It depends on the sector you're in, the sector you play in. It also depends on a lot of your supply chain dependencies and what you're relying on. Per industry, is there a cyber risk registry that's consistent? Yes. How you feed into the risk registry and how you, you know, look out across threat model, there's going to be some, you know, kind of tailoring to the sector and the subsectors.
Simone Petrella: So switching gears on you here a little bit, but since you left CISA, the agency has been pretty much on the lead or pegged as the US government's efforts to help attract, retain, and bring in additional cybersecurity talent. And I'm curious, even from your time and what you're seeing now, what are some of the skill sets that the agencies you've worked with need the most when we think about kind of cybersecurity profession?
Chris Krebs: Yeah, I think one of the real turning points of the last several years, particularly at CISA, is, you know, the ability is -- actually, it's not too different from the private sector, right? It's the ability to communicate risk in a way that makes business sense. How do you talk to not just the defenders that understand how to -- you know, they know what a YARL is, how do you talk to their executives that set their budget, that give them, you know, that have the governance and policy responsibilities? And that's one of the big things that we really tried to emphasize in my time, and I see Jen continuing to do working at the senior levels to help them understand. The best example that I have here is in 2020, January 2nd, when the US government took out General Soleimani with the IRGC, we were able to immediately get not just some tactical information out to defenders on here that, you know, the common TTPs for Iranian threat actors and their proxies, but also flip it into an executive version that said, here's why this matters to you in the private sector and the things they've done in the past, going after banks and other critical infrastructure when they're agitated, how they've hit regionally as well as they've hit strategically. Trying to put into context why events matter to executives, not just at the technical security level, but also at the business risk level. That's the sort of thing, again, we need more people that understand how to communicate in business terms. I also think, you know, the thing that I've been really kind of heartened by is the continued emphasis on building out the CISA field force. Jen Easterly, it was a month or so ago, announced that there are going to be election state coordinators. I understand they are in the process of hiring and interviewing for this. I think that's fantastic to have dedicated election support teams out in the regions, as well as the continued cybersecurity advisor, so that you can get that, you know, last mile engagement, that last mile tailoring of engagement. Because otherwise, if you're pushing this out in DC, it's just not going to land. It's not going to resonate uniformly.
Simone Petrella: Well, I think what you're also pointing to is just the importance of being able to connect and communicate like what's happening relative to those business objectives, whether it's an agency, whether it's a private organization, you know, corporation, and that's sometimes beyond just the technical acumen that we see in raw cybersecurity skills.
Chris Krebs: Yeah, and you know, there's another aspect of this is that I continue to encourage some movement in between government and industry. I think it's only helpful if CISA has personnel that have either in government, whether it's local, state, or federal, or out in the private sector, that have practical experience managing networks. The real, you know, the hands-on nuts and bolts of what it takes to operate and maintain a system reliably that informs some of the recommendations that come forward, rather than just the pure security practitioner that sits in government.
Simone Petrella: Right. I know one of the things we talk about is this idea that, you know, we in the cybersecurity community have spent so much of our time kind of focused on like finding those unicorns or finding someone who has all that experience and then can all of a sudden communicate it. And it's partly because we focus on the individual and try and hire those superstars right off the gate. But in reality, a lot of times they just don't exist until we grow them. So you know, should we shift our attention from finding those diamonds in the rough and grow that workforce more than we have necessarily in the past?
Chris Krebs: Well, I think some of the programs that have been put into place for hiring over the last year, including the Cyber Talent Management System, is going to give a bigger kind of top of the funnel for recruiting to bring in more technical people that don't stick to the traditional GS scale that really is more of an administrative management approach. And, you know, you don't really know how within the GS scale how to hire and retain someone that may have been, you know, hacking boxes since they were 10, 11, 12, and now they just finished either a two-year school or maybe didn't even go to college. And it really does prioritize in the GS scale, you know, four-year degrees. And that may not always be relevant. And so CTMS should give an advantage. But, you know, there are still challenges in hiring in the government. It takes too long. It's far too bureaucratic. You have security clearance challenges at times as well. So you know, we need to continue looking to make sure that we're not over classifying and over specing positions. And, you know, within my role at the Aspen Institute in the Cyber Working Group there, we have done some work on hiring recommendations, including to make sure you're not over specing and things like that.
Simone Petrella: Well, my last question is probably the most important question/statement, which is I have been told that you are known for your socks.
Chris Krebs: Oh, yes.
Simone Petrella: And I wanted to, even though I can't see them, I wanted to share with everyone your socks.
Chris Krebs: Oysters.
Simone Petrella: Oysters. All right. Just in time for fall.
Chris Krebs: Yes. I kind of got away from socks for a little bit and then mainly just would not wear them during the summer.
Simone Petrella: We're just coming back into it.
Chris Krebs: Right. There we go.
Simone Petrella: Awesome. Well, Chris, thank you so much for taking the time with us this morning. Really appreciate it.
Chris Krebs: Yep. Thanks. Have a great day.
Dave Bittner: That's Chris Krebs speaking with my N2K colleague, Simone Petrella.