CyberWire Live - Q3 2021 Cybersecurity Analyst Call
There is so much cyber news that, once in a while, all cybersecurity leaders and network defenders should stop, take a deep breath and consider exactly which developments were the most important. Join Rick Howard, the CyberWire’s Chief Analyst, and our team of experts for an insightful discussion about the events of the last 90 days that will materially impact your career, the organizations you’re responsible for, and the daily lives of people all over the world.
Transcript:
Rick Howard: Hey everyone, welcome to the CyberWire's quarterly analyst call. My name is Rick Howard, I'm the CyberWire's chief security officer, chief analyst and senior fellow, and I try to say all that in one sentence, it's a mouthful. I'm also the host of two CyberWire podcasts, the CSO Perspectives podcast on the pro side and the Word Notes podcast on the ad-supported side, but more importantly I'm also the host of this program and I'm happy to say that I'm joined by longtime friend and colleague MK Palmore, a Director of Google Cloud's Office of the CISO. MK, it's good to see you and welcome.
MK Palmore: Thanks Rick, great to see you as well. Appreciate you letting me on.
Rick Howard: So this is our-- yeah it's fantastic man and, and thanks for doing this, I appreciate it. This is our seventh show in the series where we try to pick out the most interesting and impactful stories of the last 90 days and try to make sense of them, and as usual this third quarter of the year has been filled with all kinds of crazy security stories. If we tried to talk about all of them we would be here for the next couple of days, and here are some that we considered for this show but didn't choose. First, a quote from Rob Joyce, the new Director at the NSA Cybersecurity Directorate, during this week's Aspen Cyber Summit on Chinese espionage, there's a quote now: "Scope and scale, China's off the charts. The amount of Chinese cyber actors dwarfs the rest of the globe combined. The difference from four or five years ago to today, the difference I see is where we respected them less. It was always broad, loud and noisy, and what we're finding when you have a resource base that large, the elite in that group really are elite," end quote.
Rick Howard: Holy crap that's a little bit scary. I didn't know that, that's a little change from when I did it. Had you heard that before MK?
MK Palmore: Yeah, I certainly have always had the respect for what I consider to be the, the, the top three usual suspects as it relates to advanced persistent threat nation states.
Rick Howard: Well, certainly sounds like China is ahead of the game at this point. The second story we didn't choose for this show is the Russian arrest for treason of Ilya Sachkov by the FSB in Moscow. Sachkov is the CEO of the cybersecurity company Group-IB, and ouch, that seems a little harsh, treason. But okay, he's got that in front of him. And then finally the third story we didn't choose for the show is Brian Krebs' story about ransomware groups re-branding, a practice that he says has been going on since like 2014. So just to name three to get, get you up to speed: Sekhmet re-branded to Maze and is now called Egregor, Hermes re-branded to Ryuk and is now called Conti, and Cerber re-branded to GandCrab and is now called REvil, right. Okay.
Rick Howard: So those are stories we decided not to talk about but let's get started with this show MK, are you ready to get going?
MK Palmore: Yeah, you bet, let's do it.
Rick Howard: Alright, so let's start with the first topic. I get to pick the first topic this time. It's about ransomware as a service now offering insider threats, and this is according to Lawrence Abrams from Bleeping Computer in an article entitled "LockBit ransomware recruiting insiders to breach corporate networks." So this ransom group LockBit is actively recruiting corporate insiders to help them breach and encrypt networks. In June it announced new features to their ransomware as a service offering, redesigned Tor sites and automatically encrypting devices on a network via group policies, but the one thing that caught my eye was that they were actively recruiting insiders to provide credentials for RDP and VPN and corporate email, and they're offering millions of dollars of payouts. And according to Abrams, groups behind typical ransomware as a service offerings consist of a core group of developers who maintain the ransomware and payment sites and then recruit affiliates who breach victims' networks and encrypt devices.
Rick Howard: Any ransom payments the victims make are then split between the core group and the affiliate, with the affiliate getting the bulk of the money. With LockBit's new offering they're trying to remove the middle man here and instead recruit insiders to provide them access to corporate networks. I think this is genius. If I was a criminal I would have loved to come up with this, right, and just in case you think this is all far fetched, Abrams points out that in August 2020 the FBI arrested a Russian national for attempting to recruit a Tesla employee to plant malware on the network at Tesla's Nevada Gigafactory. So MK, let me ask you this, right. So that's the story, but most insider threat programs that I have seen are pretty anemic. Most are concerned with departing employees taking corporate intellectual property in the forms of slide decks and Word documents and spreadsheets.
Rick Howard: But in your travels, have you seen any existing insider threat programs that would defeat this new kind of access attack, this insider threat approach?
MK Palmore: Let me answer that in this way. I think one, I am not surprised that the adversary is ahead of the game in terms of where information security teams are, are making their investments, right. As usual they are well ahead, and if we look back, I think we can note with some relevant data that the insider threat programs for most organizations are the place where the least emphasis I think is placed in most large scale organizations and enterprises. So not a surprise that the adversary is now doing this and I, I can't formidably speak to any widespread insider threat program that I thought was super super engaged except, of course, where I spent the majority of my professional career with the FBI, we had a pretty decent insider threat program there because there-- [LAUGHS]
Rick Howard: I'm shocked, shocked they say [LAUGHS].
MK Palmore: Oh I mean, in government organization when you have, you know, the, the kind of controls that you're able to put in place and limitations you can put on user behavior and activity, you actually get to the point where you can monitor activity in such a way that it's useful to the organization but once you step outside I think of government circles and get into the private sector, it becomes a difficult proposition both from a technical standpoint but also from a cultural standpoint within most of these organizations.
Rick Howard: Well let me ask you this then. Do you have any, any practical advice on how to protect against insider threats in general to kind of upgrade these corporate programs and specifically what would you do against this particular attack? Any advice that you could give?
MK Palmore: Yeah, well I mean the, the first part I think is identifying it, identifying it as a viable risk to the enterprise, right, once it's put on the blotter and part of the risk consideration. Then you go about identifying tools that can detect this kind of activity. Like you, I suspect, I put a lot of emphasis on user behavior analytics. I am, I am not sure, I know that there are lots of great tools out there to help you identify anomalous behavior. I am not quite sure that organizations have turned those tools inward to look at the activity of employees, contractors and others associated with the enterprise. So I think UBA is probably the future of mitigating this issue and I don't know that there's widespread adoption of those types of tools.
Rick Howard: You, you said UVA, what's that acronym stand for?
MK Palmore: UB, UBA.
Rick Howard: UBA.
MK Palmore: Yeah user behavior analytics.
Rick Howard: User behavior analytics, right.
MK Palmore: Yeah.
Rick Howard: And I would say that other people have, other organizations have prone some sort of data loss prevention technology, but I don't see how that would prevent this kind of attack, especially if the insider has credentials to the stuff you want, they're going to encrypt. So I think that's a, that's a wash. The one strategy that comes to mind for me is Zero Trust, right. If you can-- and I know Zero Trust is a buzz word everybody hates to talk about these days, now I'm not talking about going out and buying a Zero Trust technology because it's not, I'm just talking about the strategy of reducing the attack surface and limiting what users have access to. If they don't absolutely need to have access to it, you probably shouldn't give it to them, right. And so Jen, let's throw the poll question up there to see what our listeners, how they think they might attack this particular problem.
Rick Howard: So the question is what is your primary strategy to defeat insider threats? Is it some sort of data loss prevention technology, you're doing something Zero Trust, something else we haven't talked about or some sort of a mix of all three? We'll let that, let that go for a little bit. Anything else you can think of MK that we could throw at this besides the user behavior analytics, data loss prevention or Zero Trust? Anything else comes to mind?
MK Palmore: No I, I think the combination of Zero Trust and UBA really helps to mitigate the potential impact of an insider threat incident. I've taken to using the term, you know, lessening the blast radius and that's what you get, I think, from micro-segmentation which is a core component of the Zero Trust philosophy. If, if you start practicing that, putting that in practice, I think when you lessen the blast radius you are more apt to then mitigate this kind of potential attack on the enterprise and hopefully cut off the, the adversary at the heels.
Rick Howard: From the poll, can we put the poll results up Jen or shall I do-- oh there it is, okay. So, so nobody is using data loss prevention technology to prevent this kind of threat, about 15% for Zero Trust, 8% something else, I wish I had them on the call right now, maybe you guys can submit a question and, and tell me what you're using, and the bulk of us are using a mix of all three. One thing that Abrams mentioned in the article MK was that, you know, during the middle of a ransomware attack and you hire out a consultant group, you know, you go out to a CrowdStrike or somebody like that, alright, to come in and help mitigate the problem, you know, immediately they're going to want access to all the things, right [LAUGHS], so, and, and he said that, you know, it was kind of interesting that they would list this kind of thing on their Tor website after the ransomware has been effective.
Rick Howard: But Abrams said that they're hoping to, you know, throw a net out to the contractors that are looking for the culprits of the ransomware thing and they would run into the recruiting message for insider threat. So one of the things you have to worry about when you hire this CrowdStrike group or, you know, incident response group is not giving the keys to the city because they might be the ones giving you up in the underground, so you have to be careful about that. I thought that was kind of scary [LAUGHS]. What do you, what do you think about that?
MK Palmore: No, definitely scary but again I think as, as you note it and I will certainly note when we get to my topic, it's part of this sort of asymmetric approach that you have to think in terms of how the adversary is going to look to penetrate potential environments. They are always looking for new ways to gain access, again kind of leading the market and we're always, as vendors, and folks responding in the security environment, kind of trailing behind their activities.
Rick Howard: So I got a question from Harry Poppins okay, [LAUGHS] in the chat group right. So here's the question MK. In light of the fact that these bad actors operate within bulletproof hosting infrastructure, would you like to see cyber command take a more offensive approach to dismantling their infrastructure? What do you think about that?
MK Palmore: Interesting. So there's lots of opinions around affirmative approaches to cyber protections, exercise by governments. I think unless and until, let me take it up a degree, unless and until there is some agreement on the global scale between the nations in terms of what represents appropriate and bad behavior on these interconnected systems, I don't think that we appropriately get there without a lot of push back from other nations.
Rick Howard: I, I, I think I would disagree with you on this one, alright. I'm kind of tired of being the whipping boy in all this and, and having, and having that as a problem that we don't have an agreement. One of the reasons that bulletproof hosting services exist is that we don't have law enforcement exchanges with some, you know, Eastern Bloc countries like Russia and Ukraine, I guess Ukraine's one of them, not one of them but, you know, that bloc of countries.
MK Palmore: Right.
Rick Howard: Right. So I would like for known bad guy activity, we know where the REvil infrastructure is okay, we know where, you know, some, you know, 50 groups of these guys are, I don't say I have any problem with cyber command going out there and just dismantling that stuff as they see fit and then we'll see what the governments do to complain about it. You're complaining that we took out a cyber crime group, I, I, I don't see how you can do that, right. Tell me where I'm wrong about that. What kind of trouble would we get into that?
MK Palmore: Well, I think the trouble you get into is that how confident are you that then our systems are as protected as they need to be for the type of retaliation that might take place for an act like that and that's where I think the, the challenge is for anyone sort of advocating that we take a more aggressive approach on things like this.
Rick Howard: Well, you're absolutely right. I, I have an old army boss in mind that always told us when we got our, you know, when we got on an upper, "We should go attack those guys," he'd always say, "You know what, the enemy gets a vote, alright, just because you go attack somebody doesn't mean that they're going to lay down their arms and say, 'Oh, they hit us, I guess we'll need to go away.'" No, you can guarantee that they will come back at you in spades, so you need to be prepared for that.
MK Palmore: Absolutely.
Rick Howard: But I still feel like we should be able to dismantle their infrastructure and, and we should be able to do it faster than they can react, you know. You know, after 35 years of this I'm getting a little tired of being the punching bag. Another question here from listener Yellow Snowman, great name there too by the way, are there some--
MK Palmore: I'm going to start, I'm going to start calling myself Rogue Leader from my, from my Star Wars affinity.
Rick Howard: [LAUGHS] I love it. So here's Yellow Snowman's question: Are there some legal measures that we could take that would aid the dismantling of a bad actor's infrastructure? Especially, I guess, when they're sitting behind bulletproof infra, infrastructure, is there any legal means you can use to go after hosting services even if they're in weird countries like this? What do you think, MK?
MK Palmore: Not, not without exist, existing MLAT protections or agreements between existing governments that will allow you to execute legal process in those regions. You know, during my time in the, in the FBI we relied heavily on the MLAT process, and that's Mutual Legal Assistance Treaty, and in many instances they were certainly helpful in terms of dismantling infrastructure or at least getting access to it or ultimately getting our hands on adversaries and then bringing them to justice, and the converse of that is also true. Without those kinds of agreements in place you have a, a very limited tool set of things in your, in your tool kit.
Rick Howard: Well, let me ask you this. Could you, could you go out one layer, alright, because all of those bulletproof hosting services in strange countries, they have to get to the Internet somewhere, they have to come out on a router in countries that we do have those relationships in. Can we put the legal action on those sites, those devices, and say you are not allowed to have REvil communicate through your pipes? Can we do that? Is that possible?
MK Palmore: That, that would be an interesting approach. I think it would, would require one, the assent of a portion of the private sector that may or may not be willing to enter in those types of agreements and then again I think there has to be some public sector interaction there depending on where those entry points reside. So public private cooperation still an essential component of how it is that we begin to mitigate these challenges on the cyber threat landscape and without both of them I don't think you get useful results.
Rick Howard: Well, we've always had some corporations like Microsoft have some luck taking down infrastructure. I've always thought that DHS should hire not just one or two lawyers to do this but thousands of lawyers and tie those organizations up legally until they stop doing this stuff, but I'm a little bit naive when it comes to those kinds of, you know, global transactions. One last question.
MK Palmore: And I've never heard anyone advocate for more lawyers but.
Rick Howard: Yeah, I know [LAUGHS]. Yeah, one last question from Tin Foil Hat, listener Tin Foil Hat: how many ransomware groups exist? Do you want to ball park that, MK?
MK Palmore: I don't think we know. I mean, we know that there are thousands of ransomware variants out on, out in the wild. I think you could probably narrow it down probably to the concentrated campaign groups, the really successful ones, to maybe scores of groups, but I don't, I don't know that you can put an actual number on that.
Rick Howard: Yeah, it's kind of hard, especially with all the re-branding we were talking about at the beginning, but I, I keep an unofficial tally in my little notebook and I counted it up this morning, it's about 55 individual group names and who knows if all of them are active but, and that's just within the last year and a half, so, so it's not that many, right. That's amazing that we're under all that, all this pain with just a small-- under a hundred groups doing all this stuff. But enough about that, let's switch over to your topic, MK, alright. What do you have as the most impactful story of this quarter?
MK Palmore: Yeah, so interestingly enough, after listening to your topic, mine sort of sounds a bit like a pun, and if you give me a little bit of room to, to talk, to talk about it a bit I think that we'll get down to the gist of what it is that I'm suggesting here. So I chose the topic around, you know, like the most impactful breaches of 2021 so far, and as I was going back and doing my research on the breaches, what I decided to do was sort of begin to tease out what, where I thought the common elements within those breaches were and what it is that they tell us really about the future of cybersecurity and where we're heading. So as I looked at a number of them, and I'm looking at my list right now on a spreadsheet, there's probably more than, you know, 15 or so notable ones on here, the usual accounting, right.
MK Palmore: Millions of records, in some, in some of the larger ones, i.e. Astoria Company, we're talking about in excess of 30 million records, but the average is somewhere between 3,000,000 and 5,000,000 records in these breaches, all having to do with personally identifiable information ultimately being cultivated and then actually traded out of these environments. The time to detection in these breaches continues to be in excess of 200+ days, but that's not where I would like to tease out the, the thought leadership on this. It's really around the number of breaches that involve third party access to the ultimate destination of the adversary when they're heading towards getting this data.
MK Palmore: Nearly all of them, greater than 50% of the breaches that we've seen this year, have a third party component to it. We only need to look back to this time last year when we, when we began talking about SolarWinds and the ultimate impact that that was going to have on the industry, and already this year we've seen a number of breaches that involve access to third party information and or data, and they've used that in each of these instances to pivot into the desired environment. And the component that's relevant here is the fact that these third parties are trusted entities that provide access to the main source of data, and in allowing trust, again as we go back and think about the SolarWinds incident, we're talking about a level of trust that doesn't even require us to look at, you know, the, the downloads of updates.
MK Palmore: I want to know how it is that we're thinking differently about evaluating third party risk to our organizations and then ultimately, with issues like ransomware continuing, continuing to be relevant, how is it that we're looking at, you know, the future of organizations. You mentioned Zero Trust earlier, I, I'm, I'm in agreement with you. I believe it's more than a buzz word. I think we need to start thinking much more holistically about the new approach to security that large scale organizations need to take, and so I throw out those issues of third party access, and I failed to mention cloud mis-configurations, right. We know that a number of organizations, certainly in the past year, have begun cloud adoption at a rate and in a way that they had not historically, and so cloud mis-configurations are a, a smaller component of those overall breaches that have been noted up to this point this year.
MK Palmore: So all of those things continue to compound, and so third party risk, cloud mis-configurations and then issues like ransomware which, again, as, as I look at adversarial behavior I think these folks will continue to do what works for them. They're experts at return on investment unless and until we provide mitigation that makes them pivot elsewhere, and that's sort of the, the scope of how I like to frame the topic around these challenges as they continue, I think, to have impact on large scale enterprises.
Rick Howard: So I got a couple of clarifying questions here, MK. First, you're talking about breaches here specifically and not specifically ransomware. And then, right, that we're talking, that's the data you were talking about, it's about breaches.
MK Palmore: Correct.
Rick Howard: Right. And then the second question.
MK Palmore: All, all, although I would, just for clarification, I would view Ransomware as a, as a, as an effective breach on an enterprise, absolutely.
Rick Howard: Yeah. I, I get that too but I, I like to try to keep them a little bit separate because--
MK Palmore: I understand.
Rick Howard: Yeah, ransomware is trying to extort money from you, where a breach is trying to, I don't know, steal data. Is that, is that too naive or can you?
MK Palmore: No it's, no but I mean in many situations we've seen, I'm sure you're familiar with the double extortion component of ransomware so in that double extortion example or use cases that are out there, they've already ex-filtrated information and are threatening to release it via the dark web or otherwise and so there's already a component of data having been ex-filtrated in the process.
Rick Howard: Right, so but in my-- and we're arguing semantics here, but the, the, another kind of breach, data ex-filtration, is taking the data to use it for some other purpose like, you know, PII to do other criminal activity or intellectual property for espionage or, you know, those kinds of things. So I, I know there's a big overlap between a breach that I just described and ransomware, but okay. Just, just to make sure we're all tracking there. And you were talking about-- well, how do you clarify-- you, you classified it as third party risk, or how, how did you say that?
MK Palmore: Third party risk was the first thing that I wanted to tease out there, because it appears as though a great number of these breaches began with access to third party systems and or software, many of which are, again, in most environments trusted systems or applications for which, you know, the enterprise, you know, they're not paying attention to in the right way to be able to look for the kinds of intrusion indicators that will allow them to know that there's a problem within the enterprise. And I go back to my comment about user behavior analytics, which I think is a core component of how it is that we tackle this in the future.
Rick Howard: So third party risk can apply to like contractors that you have come on board to help you, but also another name for it is supply chain risk, and I think the SolarWinds and others like you mentioned, all this activity this last year, would you, was it over 50% of the breaches were third party or supply chain attacks, we're certainly starting to get our heads around how many relationships we have with people that are, are not our organization who we grant access to our network somewhere, and, and so the question then is how do you deal with that? So what's the advice we're giving there? I think Zero Trust is the thing that comes to mind, but is, is that what you're advocating for too?
MK Palmore: I am. Zero Trust I think is a core component of how it is that we tackle this and again it's about that idea of lessening the blast radius right and having, putting yourself in a position to win, which is identify the activity at a point where it's still relevant to you and we're not talking about, you know, 200 and 250 days out from the initial infiltration into the enterprise. I think Zero Trust in all of its forms and then again like you said and then I certainly will restate not just a simple tool, not just a simple implementation, it's an overall architecture and approach to security that organizations have to undertake. I think it's a worthwhile undertaking and I, I'm still somewhat surprised at some of the resistance that I hear from either customer interactions or just throughout the industry because folks are so resistant to the, the, you know, the marketing buzz word of Zero Trust. It doesn't mean it's not a relevant topic and that we should be talking about it in substantive ways.
Rick Howard: Jen, let's put up the Zero Trust poll from MK and get a feel for what the audience is, what the audience thinks about this. I'm a huge advocate of Zero Trust, right, as a strategy, not as a technology, and what I like to tell, when I talk to CISOs and other cybersecurity practitioners, is that there's a gazillion things you can do to improve your Zero Trust posture and you probably have the technology in place right now to do a bunch of it, right, and so you don't have to go out and buy a newfangled, you know, widget to do Zero Trust, you can just take a look at your existing security stack and implement some things that can reduce that attack surface. Is that your experience too, MK?
MK Palmore: Absolutely. So lots of different areas to think about, right, everything from identity access management to contextualization of devices to, you know, session controls and things that you can put into place in order to enhance your viability at preventing and or mitigating a potential attack. But I'm with you that there are lots of different things that you can do, and I think we need to veer away from the idea that a single solution, a single implementation is going to get us to where we need to be. It starts the journey but it's not the completion of it.
Rick Howard: Yeah, so let's, let's see what everybody said [LAUGHS]. How about that? I, I think that's a first right there MK, that the entire audience agrees with us. I, I, I don't know if I ever lived my life where everybody agreed with something that I said out loud, so. [LAUGHS].
MK Palmore: I, I, I did, I did give you an analog approach to it right, it's yes or no. [LAUGHS]
Rick Howard: Well I appreciate that, right. So, so let's answer, answer a couple of these questions from listeners. This is from listener at Crazy Cat Lady, right. If you had to identify one critical piece to the security apparatus of the future, what would it be? That's interesting.
MK Palmore: Yeah, for me it's autonomous security operations. There's so much that, that we need to be doing in the way of, of automatic response, detection and evaluation of alerts and threats so that we can more efficiently tackle the ones that require our attention. The future of security operations is all around automation, so. If there is one thing, if I had, if I was a genie and I could sort of flip the switch, good automation at identification, detection and monitoring would be great.
Rick Howard: I since had an epiphany about that, you're talking about DevOps and DevSecOps right? That's, that's where you're hitting around at right?
MK Palmore: Yeah, that's a component of it certainly, yeah.
Rick Howard: Well, because there's really two pieces to the DevSecOps idea, right. One is just for the organization's critical infrastructure, you know, deploying infrastructure as code and making sure that security is in the middle of that, right, and not done afterwards or not done at all, that's one component to it, and then the second component too is how the security team automates their stuff, right, you know, how they automate the update to the security stack, whatever it is, okay, and wherever it is, alright, and how they make sure that you don't have to, you know, have a, you know, a level one analyst cranking a wrench to get everything done, right.
Rick Howard: So, there's a couple of things there that need to get done and I have to tell you MK, I don't know what your experience is, but the security community's been slow to adopt this. But we are very happy sitting in our SOCs watching alerts going by and, you know, swiping right and swiping left and not automating that process, and I, if I could advocate anything, going back to what Crazy Cat Lady said, what's the one critical piece, is yes, please automate your SOCs so that you can get rid of those low level tasks and concentrate on some important things. Like, any disagreement there?
MK Palmore: No. So, timely reading. Just before we got on I had an opportunity to glance at the, I guess at the IBM cost of a data breach report for 2021, and the one thing that jumped out at me is that they did research on the lessening of the financial impact to the enterprise by the presence of automation within the security apparatus, and there is a wide gap between effective use of automation and its impact on the enterprise, and where automation is used, the financial impact is much less, it was something to the degree of an 80% difference.
Rick Howard: Who wrote the paper? IBM you say?
MK Palmore: Yeah it was IBM 2021 data breach loss.
Rick Howard: Excellent. This is a question from listener Banana Hammock, okay, in your estimate, in your estimation what do security practitioners still get wrong when building for the future? That's a good one. What do you think?
MK Palmore: Yeah, my take on this is a little theoretical. I, I think we're spending time solving problems of the past and not thinking about problems of the future. Looking backwards a little bit too much so we're, we're all in a way, laggards, as it relates to security and so I'm, I'm always pushing for folks to be thinking about what the breach of the future looks like.
Rick Howard: I, I agree with you there, right, and the, for folks that listen to my CSO Perspectives show, they know I have a mantra that I've been yelling about for the last 18 months, which is really thinking about cybersecurity as a first principle and what are we trying to accomplish, right, and I believe what we're trying to accomplish, and the people on the call have heard me say this a million times, but we're trying to reduce the probability of a material impact to our organization. We're not trying to prevent cyber attacks, we're not trying to prevent malware, we're not trying to prevent, I don't know, zero-day exploits. We're trying to reduce the probability that we will be materially impacted, right, and if you think of the, the problem that way, right, then it changes how you go about what priority you give to certain projects in your infosec program. Yeah, any thoughts on that?
MK Palmore: Yeah, no, yeah I was just going to say, I mean that's the continuing debate around and maybe there is no debate, cybersecurity practitioners are risk managers at the end of the day and so it all gets to be about risk management. Maybe we could do a better job in the industry of making sure that the practitioners understand that as opposed to the fact that they're just there to provide security tools or security strategy. They are part of the risk management apparatus of any major enterprise.
Rick Howard: Well, you and I have been doing this a long time and I think our community made a huge mistake early in the, well when I first started doing this back in the 90s, where we insisted that cybersecurity risk was somehow different than other kinds of business risks, right. We made it special, we made it scary and therefore we, we didn't learn how to talk to business leaders about just risk and how should we convey risk to them. We kept, you know, and I did it, I used to do it myself and so I'm guilty there too. But now the generation coming up behind us, they're having to deal with that problem. So if I can give anybody advice it would be to figure out how to convey risk to the business so your leaders can make decisions, you know, for the business because those guys, you know, the, the CEOs and the CFOs and all those people they get paid to make decisions about risk that's, that's why we, that's why they're there.
Rick Howard: So, just to be able to get that into information that they can, you know, grok and make decisions with. Alright, so I'll go to the last question here from Fat Batman, which I'm taking that acronym from now on, that's gonna be my new one. Alright, so how viable are public private partnerships to the future of security and are there any examples where there, these partnerships have achieved their intended goals? That's a good one.
MK Palmore: Yeah I mean I, I've already kind of touched on this. I think they're essential to solving these problems. I think that you don't get to a viable solution without a firm engagement by both, you know, the private sector certainly has the technological means for which to solve many of the issues and challenges that we have, but you need a runway and you need borders and scope and I think that's where public sector entities come in and can help provide sort of the, the parameters for which we can go about changing the narrative on a lot of the things that we're facing. In terms of firm examples, I would say that, let me counter that question with this: you show me an example where there's anything of a substantive nature done that did not include a public and private level partnership and I would be surprised. It's, it's always a combination of both.
Rick Howard: I don't disagree with that and you're right, it's absolutely essential, but again I'm a little jaded in my, my, my old age. We keep trying to reinvent the wheel right as opposed to moving forward on ideas that we had, you know, 20 years ago, you know, the, the ISACs were started in 1999 right and I was watching some of the government, the new government leaders coming in on cybersecurity. They're starting to, they're trying to start new groups to share information and stuff, it's like gee, Merry Christmas, now we just, you know, make the other stuff work, I don't know, what do you think?
MK Palmore: Well you, you have actually a whole lot more experience of this than I do as it relates to information sharing, right. That's all, that's always been a bit of an uphill climb and an obstacle to overcome and I think that that's a prime example of an area where we could make some very quick wins initially if we could just come to an agreement on how to do that, how to do it in a way that allows for companies to not have, you know, negative impact on themselves and allows for the entities that need to receive that kind of information so they can get it and then use it to protect themselves. You know the old expression "a rising tide lifts all boats," right, it's, it's, it's that thing that we need to fix and like you I'm a little bit jaded on it because that, that topic's been floating around for so long and I still don't think we get it quite right, but I do believe that's a part of the answer.
Rick Howard: Yeah, especially I think everybody agrees it's the right solution right but we can't seem to get out of our own way to make it happen in some efficient way, right. So, so a lot of work to do there. But you and I could talk about this subject for the next, you know, 20,000 hours. Let's, let's transition to the last topic. This one's on the zero-day exploit market right and this story came from Dan Goodin over at Ars Technica and it was titled "Clickless Exploits from Israeli Firm Hacked Activists' Fully Updated iPhones." So Goodin says that, that smartphones belonging to more than three dozen journalists, human rights activists, business executives and two women close to the murdered Saudi journalist Jamal Khashoggi, have been infected with Pegasus, that's that full-featured spyware developed by the Israeli-based exploit seller the NSO Group and MK you know that Pegasus is, is that piece of malware that frequently gets in through zero-click exploits such as those sent by, you know, text messages and require no interaction from victims.
Rick Howard: So this is pretty nasty stuff. But the target list from Goodin seems to conflict with the stated purpose of the NSO's licensing on the Pegasus spyware which the company says is intended only for use in surveilling terrorists and major criminals. I got to tell you though, to me, that policy statement is nothing more than legal boilerplate designed to keep the uniform or the uninformed off their backs, you know, because the fact is that once you sell a tool like Pegasus to a third party you really have no control over its use. Now we're, I'm picking on the NSO Group here because their tools seem to have gotten noticed a lot, a lot over the years okay, but the fact is the zero-day exploit market is alive and well all over the world. Western governments buy them, eastern governments buy them, other shady organizations buy them.
Rick Howard: And the NSO Group, it's not the only one selling them. So I will direct your attention to Nicole Perlroth's book, This Is How They Tell Me the World Ends, where she basically talks about the evolution of the exploit market starting with my old workplace iDefense back in the early 2000s right up to today and according to Perlroth, the best exploit developers in the world right now are the hackers out of Argentina and they're making top dollars selling their tools to all customers. And like I said governments and other more shady organizations who don't at least profess publicly that they value basic human rights. So here's the question I have for you MK.
Rick Howard: Should it be legal for governments to develop and buy zero-day exploits? Should, should there be some limit on this? I, I, I have no idea how to do it but let's just agree or disagree on whether or not they should even be allowed to do that.
MK Palmore: Yeah so I, I'm going to take it, I'm going to punt a little bit and take it back to my [LAUGHS], to my comment around the agreement on what represents good and bad behavior right from a, a uh, uh government, a government standpoint. I think that if we're all being practical about this right, no government wants to limit its own capability to do what it feels it needs to do in order to protect itself. So you get into this murky world of sort of the national security perspective on how to approach problem solving like this and sometimes, sometimes the absence of a solution is the solution to the problem.
Rick Howard: So, we have examples, you know, let's just talk about the United States, we're both United States citizens, we want our government to protect us from bad guy things. We know the NSA uses zero-day exploits in their attacks, it's just part of the tool kit, so we expect them to develop them and get them from somewhere, right, but we also know that their tools sometimes cause damage, I mean huge damage. You know in the, in the Snowden trove of stuff that got put out to the Internet, you know, EternalBlue got put to the public which caused damage in Ukraine, it caused damage in Baltimore and lots of other places. So these are dangerous, dangerous tools right and so the question is, you know, how do we limit that? How do we protect against that? I don't know. I don't have an answer to this, but what do you think?
MK Palmore: All it, it-- part of the challenge I think is that, you know, if we agree to limit, say we agree to limit the, the use of these tools by government or the, limit the acquisition of them, it doesn't mean that the tools won't then still be traded among folks who desire to use them. So I think it's hard.
Rick Howard: Then only bad, bad guys will use them.
MK Palmore: Right then. So it's a little bit of a mislabeling of the playing field right, it actually gives an inappropriate advantage to, to the bad guy to actually go out and do what it is that they do. Maybe if you sort of re-frame it, maybe it's a leveling of the playing field that governments are allowed to sort of barter in exchange for these exploits in the same way that the adversary does.
Rick Howard: So Jen let's put up the poll for zero-day exploits. Let's see what the listeners think right. And I, I totally understand this is a naïve question, you know, like it, it's a yes or no answer, like I totally understand it's simplistic but let's see what you think. Here's the thing that shocked me in Perlroth's book and she, she went down to Argentina to talk to some of the hackers that do this for a living and, by the way they're pulling in top dollar right and she was a little flabbergasted that they were, you know, making these things and selling them to whoever wanted to buy them. And so she asked the other, this other naïve question to them like, "Well, you're only selling them to the good guys right, you're not selling them, you're only selling them to the western governments," and they all looked at her like she had a horn growing out of her head.
Rick Howard: And, because, then they said something like, "You think that the US are the good guys? And if you look around the world", this is their answer to her, "the only country in the world right now that looks like a bad guy is the United States, they're the ones dropping bombs on terrorists with drones okay, no other country on the planet is doing that. They're the only country assassinating government leaders. China's not doing that, Iran's not doing that," and they said, "You know, you need to check your assumptions that the United States is the good guys," and that shocked me completely, right, that the United States is not the good guy anymore. We are one of the bad guys and [LAUGHS] what do you think about that MK?
MK Palmore: Well, well here's what I think about it. I think that now we are, I think in a position of recognizing that the subject of cybersecurity is a geopolitical level subject right, it is something that should be discussed at, just by the think tanks and by the private sector organizations that sort of promote technology and the, and the subsequent security measures to protect enterprises, but this is a subject that requires geopolitical engagement across the board because we are all heavily reliant on these digital systems for our very survival, the last year has taught us that more than I think anything and then it's a, it's a subject growing in importance and I think for too long we've been sort of ignoring the relative importance of this to the, literally the survival of our society in modern day. So it's, it's a big topic.
Rick Howard: Let's pull up the answers Jen and see what the audience said. It's pretty split, okay and again I don't know what the answer is, but I will tell you that, you know, groups like the NSO Group and others that make these tools, their argument is that we only make tools, we don't tell people how to use them right and, you know, that's the same argument you get with, you know, the Smith and Wesson folks who make guns and it's the same vote, argument you get from the NSA who makes these, you know, EternalBlue kinds of things right. By using that logic you can make an argument that Facebook supports Russian influence operations or that Google facilitates child pornographers, right. But, you know, EternalBlue is bad, it's caused enormous damage, there's no doubt about that but some governments and some organizations need them to do what they're thinking.
Rick Howard: I, I really don't have a good answer for this but it is causing me trouble to have, to come up with an answer for any of this. Any thoughts about that MK?
MK Palmore: No just that the, you know, the ethical implications of the things that we create and then, and then subsequently sell on the open market is becoming more relevant and I am not certain that as a society that one, we know there's no easy answers to this, but I'm, I'm, I'm not a hundred percent certain that we're also capable of solving some of these ethical dilemmas.
Rick Howard: I've got one audience question on this from Bubblegum Milkshake [LAUGHS], you sure you don't want that name as opposed to the one you were going to take MK?
MK Palmore: No, I'm sticking with Rogue Leader.
Rick Howard: [LAUGHS] Bubblegum Milkshake wants to know if I recommend Perlroth's book. You all know that I'm still involved in the Cybersecurity Canon project and we've all been reading that book to see if we're going to recommend it for the Hall of Fame. I don't think it's a Hall of Fame book, cause it's kind of niche but if you are interested in the, the evolution of the exploit market, it's definitely a good book to, to, to go pursue, alright. I will say that, can I just say this about Perlroth's book, she took a lot of heat when she first published it. Some of the uber cybersecurity geeks took some pot shots at her because they thought they found some mistakes in the text and I've looked at all those mistakes and, you know, they might be wrong, they might be right but there is some gray area there, so I'm, I'm willing to cut her some slack. What I'm worried about is that, you know, the cybersecurity community is, you know, we're not so great on misogynistic behavior and I don't know if we would've had those criticisms for a book if it was written by a male, alright. So please keep that in mind right.
Rick Howard: So I think it was written well, the mistakes that people have pointed out are not really mistakes, they're more of a gray area, so I would give it a shot especially if you're interested in the exploitation market. And, and, and she writes about my own alma mater iDefense and I came in right after all that stuff got started. iDefense started the exploitation market back in the early 2000s and I ran it for a couple of years, so. So I'm not blameless on this MK. I, you know, when I was in the army I had to keep 30 zero-day exploits on hand on any given day so that we could use them for some future job, so I bought them from contractors and when I was at iDefense we built them and sold them to the US government so, you know, I, my fingers are dirty in this. So I, I don't, I don't have a [LAUGHS], have a good answer for this. Let's go-- so we finished up that topic, let's go to the last minute general purpose questions.
Rick Howard: This one's from Helga des Journez okay, the only one there who put their real name in there. He's a senior information security adviser out of Copenhagen and his question is do we have any advice for automatic population and maintenance of asset inventory? That's a good one and a hard one I think. What do you think MK?
MK Palmore: So interesting, this question has been coming up quite a bit I think in the past year or so as, you know, Cloud adoption and, and things, where folks are sort of losing control, as it were, of, of their infrastructure and, and, and control variables and I don't know that there's an auto, automatic process or tool out there that's worthy of mentioning, but I do know that there are some vendors out there offering some very competitive products that will allow you the ability to get a broader understanding of what your asset scope looks like.
Rick Howard: A couple of things there, you know. Both of us worked at Palo Alto Networks before and all of the next generation firewalls have the ability to see what applications are running and which hardware is running. So that's a, that's a poor man's way of collecting some of the data, it wouldn't be a complete solution. But you can just turn that on if you're, if you're using any next generation firewall and we all are, right. So that would be one way to do it. The other way is to use an MDM tool okay, that doesn't automatically collect things but if you put the things you're most interested in like your laptops and your phones and things in there you can get an 80% solution pretty-- and that might, that might be good enough for some sort of solving this particular problem, I don't know.
MK Palmore: But then maybe, maybe you've covered the, the remaining 20% with an attack surface management tool of some kind that covers the rest of it.
Rick Howard: Yeah, yeah, something like that, yeah. Good point. I got one more question, I didn't get the name alright but here's the question MK: What is your take on Zero Trust architecture and/or software-defined security? Well I think we've pretty much talked about Zero Trust architecture. How about SDP, software-defined perimeter I guess is what they really meant.
MK Palmore: Well, my opinion on that really revolves around, you know, ensuring that you have the protections and controls from layer three through layer seven right, you get into application control and, and, and again back to the subject of Zero Trust which I think is a component of-- I think if you're employing or using a Zero Trust architecture that you ask for the malware software-defined perimeters.
Rick Howard: So, I'm a huge believer in software-defined perimeter and the problem is there isn't a whole lot of solutions out there that's universal for all the places that we have to work, by the way software-defined perimeter is a horrible name, MK. It's not about perimeter at all, right, it's about taking this very obvious step of moving out of the workload environments the authentication and identification of users. It, that, when you talk about this out loud, it's just obvious to me that you shouldn't do this, that you shouldn't have to go to the workload that you're trying to get into, to submit a user ID and password to get in and then that system has no way to know if you're authorized to get there anyway. So software-defined perimeter is moving that functionality out of that space. Users would go to a separate location, identify themselves, the system would know what you're authorized to see and then the system would establish those connections, encrypted connections to the workload that you need to get to.
Rick Howard: That's the way that you're going to be able to implement any kind of Zero Trust architecture in the future. But we are a long ways away from that and, and MK, he wasn't trying to hawk his own wares but Google came out with, they kind of redesigned their entire network after they got hit by the Chinese in 2010 and invented or at least deployed software-defined perimeter inside their internal networks and then a couple of years later rolled it out to a commercial product called BeyondCorp which is really good if you're a strictly Google organization. It doesn't really work across the board to all the other places you are. So we're, we don't really have a universal solution yet but I, I believe it's in the future right. So SDP I think is where you all should be looking at for future deployment going forward. Did I get any of that wrong MK or am I?
MK Palmore: No you didn't get-- hyper focused on, on the specifics of it, you're absolutely right. The more Google tools and services you consume then the BeyondCorp story I think gets a lot more enticing and more relevant but as you well know, if, if you take a system like that and you incorporate it with several of our partner tools and products out there, you get more of a complete solution.
Rick Howard: Alright, well I think that's the end of our questions, so that means we are at the end of this webinar. MK any last thoughts here you want to, want to give to the group here?
MK Palmore: No, just I appreciate you having me on. I know we went back and forth for quite some time on identifying a time and thanks, thanks for the invite. Love it.
Rick Howard: Perfect. So we are at the end everybody. MK, thank you for joining us and you can expect to be asked to come on many times cause this was fantastic and thank all the listeners for coming on and participating, we appreciate all the questions and we will see you at the next CyberWire quarterly analyst call. Thanks everybody, I'll see you later.