Threat Vector 4.30.26
Ep 115 | 4.30.26

Operation Winter SHIELD: What the FBI Wants Industry to Do Now

Transcript

Jarrod Schlenker: It's the tragedy of the commons, right? We all collectively are operating without any individual taking responsibility for action, and so the collective security posture suffers as a result. And then we, from our side, we have the added curse of vision that, where others don't see the totality, we do. And so, through all of our investigations, we have a much better picture. And that is a big part of why a push like this is important and why we've felt so driven to push this out and really become -- be a little more public and supportive of collective security through Operation Winter SHIELD.

David Moulton: I'm David Moulton, and this is Threat Vector. Today I'm speaking with Adam Maddock, Section Chief of the FBI Cyber Technical Analytics and Operation Section; and Jarrod Forgues Schlenker, Assistant Section Chief leading the FBI Cyber Division's private sector engagement. We're talking about Operation Winter SHIELD, the FBI's effort to help industry take concrete steps to reduce the attack surface adversaries depend on. We'll talk about the recommendations at the heart of the operation, what investigations revealed about where defenses failed, and what a real private sector partnership looks like on the ground. Here's our conversation. Gentlemen, thanks for being on Threat Vector to talk to me about the work that you've been doing over the last couple of months. I'm really interested to have a conversation to get to know you a little bit and then to get to know your work so that we can broadcast this out to, you know, our listeners here on Threat Vector.

Adam Maddock: Great to be here.

Jarrod Schlenker: Yeah. Thanks for having us.

David Moulton: Jarrod, I know that you studied philosophy at Brown; then went off to law school. Spent, what, three years as a strategic intelligence analyst briefing the FBI Director, the Attorney General. And then you moved into the field of cyber investigations before landing in your current role leading this private sector engagement. That's really not a straight line. Not a criticism. I've done the same thing. What pulled you towards cybersecurity specifically?

Jarrod Schlenker: I was always interested in the technical pieces. I was the nerd when I was growing up who was always buying the computers for my family and getting excited about the different, you know, all the details and all the specs for the computers. And so I had that interest. I just wasn't able to manifest it until I got here. And then recognizing how integral to all of the criminal investigations, national security investigations the cyber piece was, I really couldn't help but steer my career in that direction.

David Moulton: Adam, I'm going to kick it over to you. You're with -- or you spent eight years with Ford in the office of the chairman. By the way, I have a Ford Mach E. I don't know if I'm allowed to say Mustang. Some of the hardcore Mustang owners disagree that that pony logo's on there. But, boy; do I love that car. Before you joined the FBI as a special agent -- and you've now been with the FBI's Cyber Division for 20 years, earlier alluding to your early Radio Shack computer buying days. So, you know, 20 years at the FBI, you've seen an incredible shift in what's going on in this space. Do you remember the moment that you made the switch from private sector to going to the FBI? And what caused you to want to go into the FBI?

Adam Maddock: Yeah. It was an interesting path, for sure. I kind of landed at Ford right out of college. And, in those days, I had no thought that I was going to go into law enforcement. I was just always interested in computers, had studied them in college. Landed there. And looking back, it was a bit providential in the sense that I landed at a really large company, obviously, that has an enterprise IT apparatus. I mean, they have computers on every continent that is inhabited and hundreds of thousands of nodes on their network. But, even in those early days when I landed there in the late '90s, they were already making some pretty good decisions as far as network architecture and systems architecture.

David Moulton: Let's talk about Operation Winter SHIELD, right. This is a list of 10 specific recommendations rooted in y'all's recent investigations. And, before we get into those individual items, I'm hopeful that you can help me understand your process. How do you go from hundreds of cases to this short list of 10 actions and then decide those are the ones to worth -- that are worth amplifying to the public right now?

Jarrod Schlenker: Yeah. That's not necessarily an easy task, right, because we -- we're constantly dealing with all kinds of different manifestations of criminal activity. We're seeing a very broad scope of the way in which actors are manipulating and exploiting systems. And, to your point, it's -- we're in the hundreds and thousands of cases and incidents. So it isn't necessarily intuitive. However, these -- these things that are in this, the key defenses that we have listed here exist in most, if not all, of the cases that we have. So it may seem challenging to break this down. But, as we see this repeated over and over and over again, it's fairly intuitive from our side what bubbles to the top and which vulnerabilities make their way into all of our cases. And so, you know, externally, it seems like there's a lot more complexity to it. But as we -- as we have our -- from our headquarters side, our program managers that are -- that are keeping tabs on and tracking all of our investigations across our criminal threats and our nation state threats, we have that awareness from a top level on what aspects are being exploited continually. And so it was a fairly easy mechanism for us to build this out pretty quickly in terms of which controls are the most commonly exploited.

Adam Maddock: Yeah. I was going to say it's a little bit more intuitive than it is, like, entirely data-driven. We don't have every single one of our case files tagged with the specifics of what, you know, actually was leveraged and what, you know, security vulnerability and weakness was -- was actuated by the threat actor. But we know as investigators what we continually see. And, when we just talked internally as a team, these 10 things just bubbled to the top.

David Moulton: Let's shift gears. Phishing-resistant authentication leads your list, and we've been talking about MFA for years. So, guys, what's still broken?

Adam Maddock: There's a couple of things. I think maybe we should just define what multifactor authentication is and the value that it adds and why it makes you resistant to phishing scams in the first place, which is effectively that it's pretty easy for bad guys, criminals, to trick people into giving up their passwords. There's lots of mechanisms that they use. It boils down to social engineering. Multifactor authentication is supposed to be based on this principle of something you know and something you have, like a physical device that you have with you, and that you need both of those things to authenticate yourself to a system. And, back when I started deploying multifactor authentication, it was almost always a hardware token type of device, mostly the RSA SecurID tokens. And now there's many, many -- sorry. There's many, many manufacturers in that space making those kinds of devices. But, over time, I think because of cost and simplification, we started to see SMS text-messaging-based platforms for that second factor. It's supposed to be the something that you have. You have your phone. And so, if we send you a text message, then that qualifies as that second factor. The problem with that is that it's actually not that difficult for motivated criminals to basically steal your phone number temporarily to be able to intercept those kinds of messages. And they've primarily done that through a technique that we call SIM swapping, which is -- which is where you social engineer effectively tech support at the phone carrier and trick them into transferring the phone number from the real customer's phone to an alternate device and then usually switch it back at some point so that the -- you know, the victim doesn't know that that's been going on. But they do that for a period of time where they're trying to authenticate with a password to steal that one-time token that's sent to the -- as a text message.
The other bucket is tricking the user into disclosing the message that was sent to them as a one-time password through social engineering. So it's you reach out -- you know, a criminal reaches out to a victim and says that they're Joe from tech support, and we just sent you a one-time PIN. We need you to verify that so we can proceed with this call. And an unsuspecting user gets that as a text message and goes, oh, yeah. I did actually just receive a code in another message. They copy/paste it, and they've effectively just given that message over to the criminal who's trying to steal their login identity. And so what we're really encouraging people to do, IT administrators to do is to look for mechanisms that are resistant to those kinds of techniques. And that's going to be going back to hardware tokens primarily. It's going to be something like SecurID or YubiKey or some other kind of physical device that you have to either plug into your computer or you have to read a code off of a little display and type it in. We still have to deal with educating users so that they are internally resistant to those social engineering ruses where, if they do have a SecurID type of a device and there's an LCD number on it, they're not just handing that over to a bad guy who's trying to steal it from them through some other kind of like social engineering ruse.

David Moulton: So end-of-life technology shows up in a number of the case studies behind your recommendations. I think you had SOHO routers. You had IoT devices. Walk me through what an attack actually does or an attacker actually does when a device isn't receiving patches anymore and why you think that problem persists in organizations of every size.

Adam Maddock: Sure. Yeah. I mean, it's really the intersection of, you know, the inevitability of software vulnerabilities and a device being end of life, meaning it's not supported by the manufacturer anymore. And, when those devices are on the wide open internet, they're at the edge of networks, they're routers and firewalls, it becomes basically trivial for threat actors to use them as obfuscation points in trying to attack other systems. So, effectively, what it looks like in practice is you've got a small router on the edge of a home network. It's not supported by the manufacturer. It's not supported by the provider, and there's a vulnerability in the management software of that router where, effectively, an attacker can just send the right type of packet, the right type of communication to some port on the outside; and immediately they have full root access to that device. Even if the owner ends up rebooting it, then they can just get back in very easily, very quickly because the vulnerability is still there. And what we've seen in practice is that threat actors are using automation to stitch together hundreds or thousands of these types of devices into we either call them proxy networks or obfuscation networks. In some cases, they're using them for their own nefarious means to launch attacks against, you know, US industry or other victims around the world. And, in other cases, they're using them -- they're selling access to these networks to other criminals who are wanting to do similar things, and they're paying an hourly or a daily rate or whatever to use the obfuscation network or the proxy network.

Jarrod Schlenker: Something else, too, on it is that, with regard to these small office and home office routers, the SOHO routers, those targeted entities may not be the ultimate final end target, which I think folks don't necessarily entirely grasp or understand. So you may have a small business that doesn't have the ability to -- to purchase new devices to increase their security posture. But, because that doesn't occur, that obfuscation network is able to expand and persist; and then other more sophisticated targets can be accessed. And we have -- as the investigators and law enforcement have a real challenge working back to ultimately disrupt those actors because of that initial compromise downstream of the ultimate intended target. And so a lot of what Operation Winter SHIELD is meant to do and the objective of this is to communicate and educate some of those smaller businesses and medium-sized businesses about the way in which the security within those organizations, or potentially the lack of security or lack of security measures, consistent with the 10 key defenses that we highlight, ultimately results in a lack of security across all of our networks that puts everyone at risk.

David Moulton: The Winter SHIELD framing positions industry not as this passive recipient of intelligence but as a -- a critical ally alongside the FBI. What does active partnership look like day to day beyond following these 10 recommendations?

Jarrod Schlenker: I can definitely jump in on that one. You know, as the guy who's kind of overseeing our private sector engagement strategy, from headquarters side, a lot of what we do with our industry partners occurs at the field office level. So we have our 56 field offices spread across the country, currently operating with 55 that have private sector coordinators in each of those offices. And those folks are interacting on a daily basis with different organizations. And it can range from as -- as simple as just knowing who to be in contact with at the FBI in the case of an incident so that, as a company has to quickly spin up and deal with a compromise situation or a potential compromise or breach, they can reach out quickly to us; and we can potentially share information that would assist them and help them in securing their networks or remediating more quickly or mitigating for the future. So it can happen at that level where we are able to share threat information and indicators of compromise to organizations that are suffering from a potential breach. And then it can go all the way up to maybe a more sophisticated relationship that we may have with industry partners where, as Adam mentioned earlier, we have these organizations that have global telemetry, that have networks that span hundreds of countries and geographic locations that are receiving inputs on threat activity on a scale that we in the FBI could never have as broad a picture. And so that inevitably results in an incredibly broad understanding of activity that's occurring on the internet and on networks that is malicious in nature. And we have mechanisms in the US to allow private organizations to share that cyberthreat -- that cyberthreat intelligence and measures for defense with law enforcement so that we can be informed as we are investigating but also so we can then inform the public back on how they can protect themselves. 
And so the private sector in cyber is very uniquely situated versus some of our other threats, where a lot of our industry partners have an insight that is far broader than we do within the law enforcement community. And so that's where that -- that active participant from private industry in the collective effort of security really factors in.

Adam Maddock: Well said. I understand that, like -- because I do work with the cyber action team. We deploy to companies and government agencies that are experiencing a computer intrusion incident, and we help both investigate the activity so that we can piece together the narrative story of what happened; and we can then pursue national security interests or criminal prosecution, as the case may be. But, when we get there, it's effectively a digital crime scene. And, when you think of how crime scenes are managed in, like, traditional, you know, meatspace investigations, anything you've ever seen on TV, whether it's a bank robbery or a murder case or something like that, you know, law enforcement comes in and they dominate the crime scene. They put up police tape around it. They control the area. They control who can come in and who can leave and all that kind of stuff. But, in a digital crime scene where there's a computer intrusion, it's so much more of a partnership with the system owner because we don't want to create extra harm by being too overbearing in the way that we investigate a computer intrusion, but our objectives are still the same. So we come to a company; and we're asking for their partnership in enabling us, one, to fulfill our mission of figuring out who committed the crime and collecting evidence on them so that we can then fulfill our mission but also helping them restore operations because, by finding the artifacts, the indicators of compromise, the log files that show what exactly happened, that actually pivots really well into helping the victim remediate the threat, patch the systems that were vulnerable, evict the threat actor, and then, like I said, resume their business operations, which is generally their main goal in all of it.

David Moulton: Could you briefly describe the difference between what happens when a company calls the FBI really early in an incident and then maybe what it looks like if the FBI is brought in after the fact?

Adam Maddock: Yeah. The earlier that we can get out onto that digital crime scene, the more likely that we can actually collect evidence while the threat actor is potentially still even engaged with their networks, which would be real-time information and potentially volatile information that wouldn't be retained in log files that might point to not only where are they coming from as far as IP addresses that they're connecting from but also the credentials that they're using to log in or the vulnerability that they're exploiting. The more time goes by, you know, it doesn't mean we can't do our job; but it means that we're relying on whatever information was logged by the -- you know, the security operations facilities at that company, which some are good, some are bad. You know, they all have different amounts of information, granularities of information that they're collecting and different data retention policies. But the fact always remains that, the sooner we get there, the better the fidelity of information that we're going to have to tell the story of who did the crime but then also to help repair the systems and resume operations.

Jarrod Schlenker: And I'll add to that, too, from the other side, from the organization side. If a company brings us in early, there's a greater likelihood that we will be able to inform that organization early on regarding the tactics, techniques, and procedures that that threat actor uses. And sometimes that may be technical on the network, but some of it might not. Some of it may be things like this threat actor doesn't encrypt. They just exfil and extort. So you've got -- they've given you a notification with a ransom payment request. You don't need to be as concerned about them encrypting your data, but you will need to be concerned about them extorting you. And that can then factor in the calculus that the organization takes as to how to respond to the threat actor. If they don't bring us in, then we don't -- we can't necessarily inform them on what that looks like; and an organization may be operating blindly. In a lot of those aspects of threat actor activity, that's where we have unique insight because we're dealing with that threat actor through the totality of the victimization for the organization. We see that from start to finish, all the way through, where an incident response organization only sees a sliver of that, a piece of that. They can handle some aspects but not others. So there's that component, too, where the organization can better -- can make better or more informed business decisions about how to respond to the threat actor sometimes if they bring us in earlier versus later and already going down a path that may be unproductive.

Adam Maddock: Yeah. It kind of reminds me of a coach that has watched all the tape and knows the tendencies of the opposing defense or offense. They can sometimes get a jump on what's going on just by knowing what those tendencies are. But, if you're flying blind, you've got to really hope that your playbook holds up.

David Moulton: Guys, the final recommendation is exercising your incident response plan with all your stakeholders, and it explicitly calls out your local FBI field office. If you're listening, do you know who at your local FBI office is supposed to be participating? And, if you don't, I'm going to recommend that you figure that out today. I don't think most organizations think of the FBI as a participant in those tabletop exercises. Talk to me about how including law enforcement changes those tabletop exercises and what organizations discover when they include y'all for the first time.

Jarrod Schlenker: When I was in Kansas City, I did a number of those and had a lot of -- a good deal of outreach with our partners within the Kansas City area of responsibility. And I'll say -- maybe I'll answer your second question first as far as what they learn when they start to bring us in and have us participate. I found that a lot of organizations are really surprised by how willing we are to take a back seat until there's a necessity for us to contribute or bring value in some way. We, as Adam mentioned, do not come in and just take things over when we're dealing with engagement with a victim in an incident response type scenario unless that victim wants us to, which happens in certain circumstances. But we don't enforce that aspect of our authorities when we're dealing with victims. And I think that is very surprising to organizations as they look to bring us in. I think that that's different than expectations. I think another thing that folks learn is that we are incredibly deferential and respectful of the victim, their data, how they protect that, how they proceed with it. And that's something that's very important to us, and I don't know that -- that everyone fully grasps that or appreciates that at the outset. As far as what it looks like and what we bring, to answer the first part of the question now, a lot of it is -- is just giving organizations reps on when to reach out and what that communication looks like. So that comes in the way of just, for example, using out-of-band communications. Sometimes organizations don't necessarily think about, hey, if I have a compromise, even though there's no indication immediately that it's affecting my -- you know, my email server, I really shouldn't be communicating with the FBI about the compromise over my email server because that could -- that could give, you know, tip off threat actors, right? And some organizations may not have thought through that yet, and they might not be considering that.
And those are things that are just standard practice for us as we're dealing with that. But we can bring some of those perspectives in and potentially cause organizations to either more -- more aggressively highlight certain aspects of their incident response that they're following those or add aspects in that they might not otherwise have considered or included or thought of.

Adam Maddock: You can't also underestimate the value of just knowing a person before you have to deal with a stressful situation. You also -- you just don't want the first time that you've thought through some of these really complex scenarios to be when you're dealing with a ransom demand from, you know, a threat actor out there on the internet; and all of your data is being encrypted, or you know that they've exfiltrated your crown jewel information. And the other area that I think that applies, especially the having thought through things in advance, is in the legal aspects of it. You know, Jarrod and I -- are you an attorney?

Jarrod Schlenker: I am an attorney.

Adam Maddock: I'm not an attorney. Jarrod is an attorney, so you correct me if I get anything wrong. But, like, we work with lawyers all the time. And we know that it's sensitive to share information with the government. We value the Constitution and the Fourth Amendment. And, in many cases, we're coming in and we're asking for some sort of written consent to be able to collect some critical evidence that's going to be useful in our investigation. And, if a company's never talked with their counsel, inside or outside, about what that looks like to sign over that kind of consent to the government, then thinking about it in the moment of a critical incident is probably not going to be as fruitful as having had those conversations in advance.

Jarrod Schlenker: Yeah. The way I like to think of it is you don't want to build trust under pressure, and you don't want to build process under pressure. And, for us coming in, both of those things are very critical and important to a successful outcome. So by practicing, you know, running through your policies and procedures on a tabletop exercise and bringing us in, we can build both of those things before we need to deal with any of it.

David Moulton: What should an organization have ready before they reach out to their -- their local field office to start building that relationship?

Jarrod Schlenker: Honestly, I don't think they really need to have anything ready. They just need to reach out. It's really that simple. It's -- we're -- we're all -- you know, the cyber supervisors out in the field and the investigators out in the field, we deal with people day in and day out. That's why a lot of us came to this job. We're just people ourselves, and we'll just -- the conversation will go where it goes and where it needs to go once they reach out.

Adam Maddock: You can almost go in the wrong direction if you think that you have to collect a bunch of, like, information or evidence before calling law enforcement because we're trained at collecting evidence. And we know how to do the forensic side of things and all that. So, if somebody who doesn't know what they're doing is trying to get their -- kind of their act together before calling the FBI, there's things that they could do that would actually harm the investigation.

David Moulton: Okay. So no homework really. It's just a willingness and an openness to make the call and then knowing who to call. Guys, let's end it here with my favorite question that I ask on Threat Vector. If a listener takes one thing away from this conversation and they act on it this week, not next quarter or, you know, next year, what should it be?

Adam Maddock: You want to go first?

Jarrod Schlenker: I was going to say there is no one thing. That's why we have 10 things on our list. But, you know, I think it's -- here would be what I would say to the CISOs that are out there is you're not alone. This is -- as we've said before, this is a community effort. And then, to the CEOs that are out there, I would say probably listen to your CISO.

Adam Maddock: The one thing that I would like folks to take away, if they were to, is that, within FBI cyber, we recognize that security is not a fight that we can win from a law enforcement side on our own. We need partnership, participation, engagement from the private sector; and we are willing and open to doing that in the ways that look right and are effective.

David Moulton: And I think I know what the answer is going to be on this one; but is there a resource, a website, a contact point that our listeners should start with to get engaged with Operation Winter SHIELD?

Jarrod Schlenker: Yeah. So fbi.gov/wintershield has resources. It has a lot of the communications that we've put out. This is -- was a -- was a multi-month operation that we had, and so there was a lot of content that was generated. And that would be a good place for folks to go to review that content and engage with the content so that they can start implementing some of these things and considering from their perspectives within their respective networks.

David Moulton: And we'll go ahead and make sure to have the link in our show notes. So, if you're listening on your favorite pod app, you should be able to pop that open and find the link directly to those resources. Adam, Jarrod, thanks for this awesome conversation today, for the work that you're doing. I always really appreciate talking to people who have a sense of mission over reward, and it seems to me that both of you exemplify that; and it shines through with Operation Winter SHIELD. And I'm just, you know, at a -- as a participant in the community really thrilled to be able to share a little bit of time with you and talk about what the FBI is doing and seeing on the ground.

Jarrod Schlenker: David, thanks so much for having us on. This is a great opportunity, and really appreciate the conversation as well.

Adam Maddock: It's been a pleasure. Thank you.

David Moulton: That's it for today. If you like what you've heard, please subscribe wherever you listen. And leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help me understand what you want to hear about. And, if you want to reach out to me directly, email me at ThreatVector@PaloAltoNetworks.com. I want to thank our executive producer, Michael Heller. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure. Stay vigilant. Goodbye for now.