CyberWire Live - Q4 2021 Cybersecurity Analyst Call
There is so much cyber news that, once in a while, all cybersecurity leaders and network defenders should stop, take a deep breath and consider exactly which developments were the most important. Join Rick Howard, the CyberWire’s Chief Analyst, and our team of experts for an insightful discussion about the events of the last 90 days that will materially impact your career, the organizations you’re responsible for, and the daily lives of people all over the world.
Rick Howard: Hey, everyone, welcome to the CyberWire special edition end of year quarterly analyst call. My name is Rick Howard. I'm the CyberWire's Chief Security Officer, Chief Analyst and Senior Fellow. I'm also the host of two CyberWire podcasts, one called Word Notes on the ad supported side, meaning it's free to everybody and it's short, just a little bit over five minutes usually and it's usually a description of the key words and phrases that we all find in the ever expanding alphabet soup that is cybersecurity and the other one I do is called CSO Perspectives on the pro side or the Netflix side, the subscription side if you like, and that's a weekly podcast that discusses first principle strategic thinking and targets senior security executives and those that want to be them some time in their career. But, most importantly, I'm the host of this program, usually reserved for pro subscribers but since it's at the end of the year, we've opened it up to all CyberWire listeners so they can get a taste of what they're missing on the pro side and I'm happy to say that I'm joined by two CyberWire Hash Table regulars. First, a very old friend of mine, and, Denise, I can't believe how old friends we are, the President and CEO of the Health-ISAC, and second is Jaclyn Miller, the CISO for NTT. So, Denise, Jaclyn, welcome to the show. You can say hi.
Denise Anderson: Hi.
Jaclyn Miller: Hi, everyone.
Denise Anderson: And I'm not that old.
Rick Howard: Oh, yeah, you're not old. It's only me, Denise. This is our eighth show in the series, where we try to pick out the most interesting and impactful stories, usually from the last 90 days, and we try to make sense of them but, like I said, since it's the end of the year, we're gonna try to pick out the most important stories of 2021 and this year has been hugely busy, Jiminy Christmas. It was tough for each of us just to pick one story and as we were getting ready for this show, the Internet gets hit with the Log4J shell zero day exploit. Oh, my goodness. A supply chain attack and OWASP Top 10 injection attack that, by all accounts, we're gonna be dealing with for many years in the future and the Twitter-sphere just came alive with it and here's a quote from Kevin Beaumont. His Twitter handle is @GossiTheDog. He summed it up really nicely, quote, "Basically, the perfect ending to cybersecurity in 2021 is a 90s style Java vulnerability in an open source module, written by two volunteers with no funding, used by large cybersecurity vendors, undetected until Minecraft chat got owned and nobody knows how to respond properly," end quote. Phew, what a year, okay. So, with that as a backdrop, let's get started. Denise, your story is what everybody thought was gonna be the biggest story this year until probably this past weekend. So, what do you have for us?
Denise Anderson: I'm basically talking about the Colonial Pipeline and--
Rick Howard: Which is huge, gigantic. Yeah.
Denise Anderson: Yeah, huge. Ransom-- the ransomware attack and, and attacks on critical infrastructure and what that has done in this past year. So, just a funny note, we, we saw that quote and we, on our chats here and the ISAC people have been laughing about it, so--
Rick Howard: Yeah, it's a pretty good one, yeah.
Denise Anderson: So, anyway, I was, you know, basically in the past, you know, ransomware attacks were, way back when, were attacks against grandma's photos, right? They were happening to people's personal PCs and people would pay a ransom of 20 bucks or whatever it was and they'd get their photos back and then, you know, fast forward a little bit and then it became a, an incident where municipalities and schools were typically hit because they used older systems and they had records that they needed and so the attackers would go after them and now we're seeing, you know, especially like la-- last December with SolarWinds and then, you know, now, in May, with Colonial Pipeline and, and, th-- that the attacks have changed and they're going after, in particular with Colonial Pipeline, critical infrastructure and so there's a lot of reasons why that's had some major impacts as far as ransomware's concerned and right around that same time, JB Meats, another large meat producer got hit with a ransomware attack. So, number one, the FBI got involved. It became a nation state, right, so that was huge. Ransomware became a nation state problem, not a criminal problem, and that was a big shift in focus for the US government to, to kinda make that ad-- admission and then to pursue it.
Rick Howard: But that's 'cause there's this gray area, right, 'cause it used to be the-- when you were talking when ransomware groups went after grandmas, they were mostly just cyber crime folks, right? But, as nation states dip into the cyber crime world, to fund their own operations and for other reasons, okay, it's a pretty gray area now about, you know, between criminals and nation state actors, right?
Denise Anderson: Right, well, and I think also, you know, back in the day, was small dollars, right. Now you're seeing the threat actors targeting big dollars, you know, so they're looking at companies that can pay the ransoms that they want and so they're going after it. I also think it became a nation state focus though because of what was attacked. So, the Colonial Pipeline, obviously, has huge implications for our fuel supline-- fuel supply, and therefore has huge implications for us, as a country, and our economy. So, when critical infrastructure started getting hit and couldn't deliver on operations, quote, I'm gonna put that in air quotes, that, you know, then it became a focus of government and, you know, then they started kinda waking up to it.
Rick Howard: So, Jaclyn, what do you think about that? Is that a, is that a reason for the change, that government can now go after these groups or, or at least military outfits can go after these groups, so what's going on there?
Jaclyn Miller: Yeah, I think, you know, one of the things that's interesting about this shift is that to-- there's been a fundamental shift in how ransomware is used and it basically comes down to what's the next step in terms of growing a, an ever growing business and if we look at the, the critical infrastructure attacks through maybe a more business lens, they went after this sector because they've got great opportunity for market disruption with critical infrastructure. So, I think that there's-- what the government's role is, in terms of protecting especially critical infrastructure from large market disruptions, which in the past they've been responsible for, whether it's weather-related events, you know, other external factors, that's really gonna define where the boundaries are of where the government gets involved and doesn't, and there's a long history of the, of the government needing to step in to protect the resiliency of cri-- critical infrastructure from typical market forces.
Rick Howard: Denise, I have a question for you. Do you think the attacks were mostly to cripple us or was it just ransomware or is there some sort of influence operation going here, trying to convince citizens that, you know, that we didn't have any fuel or something like that? What, what do you think is going on here?
Denise Anderson: So, I think it was criminal. I think it was opportunistic. You know, it was DarkSide at the time. Obviously, there's some-- you know, a lot of these threat actors are funded or have some ties to nation states, in this case Russia. But I don't know that it was meant to really disrupt the infrastructure. I think they were trying to go after the money and they had the opportunity.
Rick Howard: Let's put that poll question up to see what everybody else thinks on the call. Jen, can you put that up for us? And so I, I agree with you that the attack was mostly for, you know, general purpose ransomware but it sure impacted us. Did you ever remember being in fuel lines before? It was the first time in my adult life that I've had to do that.
Denise Anderson: No. So, here's the thing. I was actually with my son and we were driving around and I-- so I used to be a firefighter and EMT and I-- we, we are trained to think that you never have-- operate with a less than half a tank of gas, right, 'cause you always have to be ready for the next emergency. So, I've always been that way and, unfortunately, that particular day I had, I had been running around and I went down to almost an empty tank and I'm like, oh, my god, I have to get fuel. I didn't know any of this was going on. I go and I go to the first gas station and the line is out on the street and I'm like, "What is going on?" So, I go to another one. I went to five gas stations before I was finally able to get gas. So, it was kinda crazy.
Rick Howard: So, let's show the results and see what everybody says, right. So, it looks like if there was an influence operation going on and at least it hit 20% of us, right. Some of us thought it was just lack of fuel supply, right. What do you-- Explain that poll question to us. What were you trying to go for there?
Denise Anderson: Yeah. Sure, so, for what-- the problem was, was it was not a fuel supply problem and, as Jaclyn mentioned earlier, we sh-- the Colonial Pipeline gets shut down all the time during physical storms, right. So, they, they are able to operate and bring fuel supply in. What it was, was the media and the government, by the way, caused this panic buying by saying, "Oh, my gosh, Colonial Pipeline had a ransomware attack, we're gonna be without fuel for weeks." So, people panicked and you, you saw pictures of people with garbage bags, filling them up with fuel, I'm like, "What are they thinking?" But--
Rick Howard: Yeah, plastic garbage, 'cause that works, yeah.
Denise Anderson: Yeah, that was crazy. But, you know, it was like, i-- instead of coming out with a message saying, "We have this handled, calm down, there will be fuel," they created this panic buying and then they created the shortage and the shortage was actually from the-- between the gas farms, so the tank farms, and the, the local retail stations where they just couldn't get it to the stations fast enough and there was also-- they were also dealing with, because of COVID, a shortage of certified fuel drivers. So, that also impacted the scenario a little bit. But really it was caused by human behavior.
Rick Howard: Oh, so, I didn't understand that till you just said that, that crisply, right. So, the ransomware attack on Colonial Pipeline caused some problems but it didn't cause a shortage until everybody panicked and went out and bought all the gas, is that right?
Denise Anderson: That's right.
Rick Howard: Is this another toilet paper situation?
Denise Anderson: That's right, absolutely. Yeah.
Rick Howard: [LAUGHS] Oh, my God.
Denise Anderson: Talk about lighting fuel with the fire.
Rick Howard: Oh, we're all, we're all doomed, okay, we're all very much doomed, okay. So, let me ask you this, Jaclyn, you know, security professionals have known forever that critical infrastructure is, you know, pretty much ripe for any kind of attack and we really haven't seen anything that impactful until that happened. Why now? Any thoughts about that?
Jaclyn Miller: Yeah, I mean, it's, it's not-- when the supply chain attack or, you know, the critical infrastructure attacks started, I don't think anybody who's been in the industry was surprised by that. They-- it is a-- an industry segment that is running on incredible amount of end of life infrastructure in just aging software. I think it's-- the better question is why did it take so long? There's been kind of this code of, you know, hospitals and other types of critical infrastructure that have been hands-off from a criminal perspective. But as the market becomes more competitive, as, you know, the, the next big hit is important to the reputation of these threat actors and as they need to fund larger and larger operations, they are going to not have the option of, of not going after these easy targets that can generate a lot of cash and capital for them and I think it'll be really interesting to see what actions that the world takes, whether it's government stepping in to help protect or defend. But, realistically, the critical infrastructure providers really need to step it up and do things that we've been saying, as a profession, they need to do, for the last 15 years and just do the basics, the, the good hygiene basics that would help prevent these attacks in the first place.
Rick Howard: I like what you said, Jaclyn, about, you know, in the past, at least it's been our perception that critical infrastructure, especially organizations that are providing health are kinda off limits to criminals. Like, we kind of assume they thought that way. Is that true, Denise? You, you're the-- yeah, I was gonna say [LAUGHS]. We just hoped it was like that.
Denise Anderson: No, no. Yeah, you know, you know, we can-- we could tell them all we want, let's, let's have peace, let's all join hands, let's-- you know, we all want the world to sing. But that's not the reality. They're, they're gonna go after where they can find the money and, and, you know, hospitals have been attacked, almost daily, since before COVID but certainly after COVID.
Rick Howard: Well, now with the, the advances in ransomware, now they're a lucrative target, not just a, you know, one off target, now they're-- you know, real money can be got from hospitals, right, and so that's kinda scary for you in the future. What are you telling your constituents in the ISAC?
Denise Anderson: Well, I, I just wanna point something out too is that in-- so in January of 2016, when they had that attack against Hollywood Presbyterian, that was the first major attack, known attack against the hospital, a ransomware attack, they-- what they did was they painted a target on the back of healthcare because-- and, and this also changed the conversations we were having and one I had been trying to have when I moved from finance over to health, was that we need to move away from worrying about data security and worry about operational security and patient safety. But what they did was they paid the ransom and they were very public about it and so then the threat actors, you know, woke up and said, "Oh, my gosh, here's a lucrative target for us, they're gonna pay because they need us, they-- I mean, they need their operations." So, that, that was a game changer back then and it's just been that way ever since. So, what am I tel-- what are we telling our--
Rick Howard: What year was that attack, Denise, I missed the date?
Denise Anderson: 2000-- January 2016.
Rick Howard: Mm and-- yeah, go ahead.
Denise Anderson: You-- so you asked the question what were we telling our, our members? You know, I don't think our members are not aware of that. I mean, they certainly are, we certainly see it all the time and they certainly talk about it a lot. I, I, you know, I think what it is, and actually there was-- I don't know if you saw it but Brian Krebs just put out an article about the attack in Ireland about-- and their national health system and just the fact that here's a system that had money but were operating on Windows 7 and then an employee, of course, clicked on a, a malicious Excel file and--
Rick Howard: Shocked, shocked, they said.
Denise Anderson: Yeah, yeah, you know, boo, and they had so many warning signs and didn't do anything to, to stop the attack. So, you know, some-- a lot of it's technology but a lot of it's people process and, you know, it's just like we, as Jaclyn said, you know, we've been talking about this for 15 years and there are still people that haven't taken it seriously.
Rick Howard: So, let's go to some of the questions from the listeners. This one's from a Shaquille Oatmeal, god, I love that name, right. What can critical infrastructure owners and operators do to protect their operations from rans-- ransomware and other attacks? Any advice, Jaclyn?
Jaclyn Miller: I, I hate to be repetitive here but I'm gonna be a little bit repetitive, you know, patch, do the basics, start with the basics, you know, introducing--
Rick Howard: Maybe, maybe not run Windows 7?
Jaclyn Miller: No, don't run Windows 7, yeah, a-- and I know it, it sometimes, you know, in critical infrastructure there's not a lot of options in terms of application development, right. It's not like when you're in the B to C space and you have end users that are clamoring for app updates and functionality improvements. But, at the same time, there needs to be a level of modernization and expectation that the software we use to run our business can run on modern infrastructure that can be patched. It's resilient enough that we can take maintenance windows to get it up to date when we have, you know, Log4J critical vulnerabilities that need to be patched. So, so, it's a mindset or strategy shift that needs to happen in-- within just basic operations of how IT infrastructure is run within critical infrastructure in my opinion.
Rick Howard: Denise, I've had you on other shows and we've talked about how security executives are not high up in the leadership chain of hospitals and medical organizations. Is there some systemic thing we can do to help improve that or what else you got for the healthcare folks?
Denise Anderson: Absolutely. You took the words right out of my mouth. I was gonna say enterprise risk management and it has to be from the top down. I mean, you have to have board buy-in and you have to have-- we've seen a number of organizations where-- and again, it's actually pointed out in the Krebs' article yesterday, you know, where the, the role of the CSO in the organization; are they reporting directly to the CEO? Are they getting in front of the board regularly? Are-- Is the board aware of the role that cyber plays in operations? And so it, it's kinda like pound-wise or penny, whatever that saying is, pound-wise, penny foolish, yeah, whatever that is. But, you know, it's like--
Rick Howard: Easy for you say, Denise.
Denise Anderson: Yeah, really. It's, like, if ransomware-- you know, you're gonna wait for a zillion dollar ransomware attack when you could have spent a lot less to shore up your operations and make sure it didn't happen. So, you know, it's-- and then again, looking at that whole enterprise risk management, looking at risk across the enterprise, understanding what your threat attack surface is and then shoring up against that, understanding what your crown jewels are, protecting them and then working out from there.
Rick Howard: Well, it's a good topic, Denise, and we could probably talk about this for the next couple of hours but let's switch over to you, Jaclyn. You're gonna open the aperture up a bit and talk about an attack technique that's been around for a while, but really got noticed in the mainstream culture this year with the SolarWinds attacks and the new Log4J zero day exploit. So, what do you have for us?
Jaclyn Miller: Yeah, so I couldn't pick just one, one news story. I did not follow the instructions and did not--
Rick Howard: Didn't follow the rules, yeah.
Jaclyn Miller: I did not color in the lines. But I, I think the, the conversations important is, you know, supply chain attacks, by some analysts, projections have increased by 4x over 2021 and, obviously, this really kicked off with SolarWinds and-- but we've had a number of other attacks that have come through 2021, that are important to note, a-- and consider and so those include the compromise of legacy Accellion file transfer software, again, end of life software, and attacks leveraging unsupported, open source Centreon software, by cyber crime group Sandworm. We also had the Kaseya attack, attributed to REvil distributing ransomware to over 1,000 organizations, some of those themselves being service providers, more notably, and then the Nobelium attacks on Microsoft customers, specifically targeting about 140 service providers and re-sellers that are in other client environments essentially, with access, targeting that access to spread further attacks. So, I think the monetization of the larger supply chain related attacks have really become lucrative for cyber criminals but the government sponsored threat groups are using the same attack technique for more than just distributing ransomware and monetary gain. It's also for, you know, intel gathering and making sure that we have-- that they have access to back doors and we continue to see that with the state sponsored actors leveraging published software to deploy further back doors and surveillance across attacks in North Korea and South Korea with, with the Lazarus Group, which is attributed to North Korea.
Rick Howard: Well, it's such an obvious vector to come in. I'm surprised we are just now getting around to it and, Denise, in the healthcare sector, those folks are-- they have a unique supply chain compared to everybody else. Everybody has a general purpose supply chain but the whole org-- the whole institution's operating on very specialized supply chain for very specialized equipment. So, what, so what's the thinking over there in the ISAC about how to protect yourselves from that?
Denise Anderson: It-- Well, let me just on one thought too, that, you know, and I think we've talked about this before, is concentration risk, you know, all of these providers are reliant upon one particular vendor and we certainly saw that with vaccines, where there were-- was a packaging firm that did all the packaging for vaccines, a lot of the pharmaceutical firms used them as part of their process and distribution and they hit-- they got hit by a ransomware attack and it had huge impacts to them. So, obviously, the supply chain is very vulnerable in healthcare. You know, we're talking pipettes and, you know, little things, vials, little things that you wouldn't even think of. Even IV bags. Think about those consequences. That was not necessarily a cyber attack, that was actually the result of Hurricane Maria in Puerto Rico, which is another long story. But, you know, we're reliant upon these little things that are so critical to delivering healthcare. So, you know, we have to be very, very mindful. Again, it goes back to the enterprise risk management attitude where, you know, you have to understand; here's what I do and here's what I need to do it and here's-- I need to protect these things or have at least backups in place that I can work around them when they're not available.
Rick Howard: Oh, Jaclyn, I, I kinda push back on all this, a little bit, not too much, 'cause it is pretty significant, right. But, but the-- these supply chain attacks, software supply chain attacks, they're just the entry point, right? It's not the place where they got into trouble, where the victims that were hit by that attack got hit because they had let other things unsecured, right. So, can you give us any thoughts about kind of a more strategic approach to, you know, maybe zero trust or something else, what you, what have you got in your handbag?
Jaclyn Miller: Well, I think it, it boils back down to exactly what Denise said, is, is when you do enterprise risk assessments, you need to think deeply more, spend more time on concentration risk. If you think your protections in place are kind of one level deep then I would really question, you know, how much-- if you've done enough, right, in terms of your strategy, in terms of your risk assessments. If they're-- If you're doing many of the right things, not even 100% of everything right, but if you're doing multiple things right then these supply chain attacks, you're exactly right, Rick, is that entry point dies off after the entry point. They may get so far but they can only get skin deep, as the saying goes, and that is--
Rick Howard: While you're talking, Jaclyn, let's put your poll question up to see what everybody else thinks. But, go ahead, finish your thought.
Jaclyn Miller: Yeah, that's why I don't think any one technology or one technique is going to be our savior and I'm curious to see what the audience thinks, as, you know, are we going to see an increase in supply chain attacks or is there going to be something that really curbs this trend going into 2022?
Rick Howard: Yeah, and it's not just commercial software, I mean, which is what we've seen, right, but, but with this, like the one which is highlighted this past weekend, this is coming from open source software, which is, you know, presumably, easier to infiltrate than, you know, infiltrating something like SolarWinds or one of the others. So, I think it's gonna be, you know, this is A, the attack vector going forward, at least they established the beachhead. Denise, are, are you buying any of this or have you got another idea about that?
Denise Anderson: No, I, I didn't answer the poll but I will say that I think it's gonna go up. I, I'm, I'm surprised but I don't know why I'm surprised that we're still surprised about the-- things like Log4J. You know, we certainly saw that with Harpley, right. We had these conversations a couple of years ago about Harpley. I feel like we're in the same kind of-- I feel like déjà vu. So, you know, I'm, I'm just, I'm just-- I don't think it's gonna go away. I think that we're gonna always find something that everybody uses because they've bought from open-source in their programming, in their software builds and they're gonna find issues that need to be fixed.
Rick Howard: Well, I'm heartened to see the audience, they agree with all of us, that it's gonna go up. I think that's a no brainer. But at least 6% of the audience said zero trust could significantly reduce the attacks, so that's, that's promising, okay, I like that idea. To both of you, President Biden, in his Presidential Directive, is making the US government implement SBOMs, right, and maybe this is the thing that will help us be better prepared against these kind of supply chain attacks. Any one of you wanna take a swing at that one?
Denise Anderson: I could take a swing in that. We are-- We've certainly been talking about SBOM for a while now, especially because of medical devices, and so there's been a lot of conversations with the FDA, who's the regulator that oversees medical devices, and what components make up the software and we're also doing some innovative things in ISAC. So, we, you know, we have many manufacturers as, as members of our community and we've developed guidelines to-- where they can list-- when, when something breaks, like Log4J, where they can list their products and what they're doing about it and they-- a user can go to their website and see, but it's all compiled within the ISAC and so it's, it's a one stop shop, hopefully, [LAUGHS] not always, but at least it pares down some of it.
Rick Howard: So, I, I guess I, I'd like to tell everybody what an SBOM is, a Software Bill of Materials and-- or-- So, Denise, are you saying that the ISACs might-- some ISACs might be the arbiter, the collector of SBOM information? So, hospitals and other healthcare industries could plug in there to see what is-- what the software components are for all the things they are running? Is that what you're trying to say?
Denise Anderson: Potentially but it could also be where we point everyone to everybody's websites, you know, each individual manufacturer's websites, especially when an incident breaks, so that they could see, okay, here's, you know, 20 manufacturers and here's how they're impacted or not impacted by Log4J, for example.
Rick Howard: So, Jaclyn, are SBOMs the solution for this or is that just one component to a myriad of things we're gonna have to be doing in the future for this?
Jaclyn Miller: I think it's one component that helps us respond faster in these situations. It's really important. I mean, SBOMs are an extension of good asset management practices anyways. So, with everything becoming more virtualized and containerized, it makes, it makes a lot of sense and we are now having the same problem we've been having through the industry, which is information overload, you know, how do you-- it, it's, it's one thing when it's a whole enterprise package of software that needs to be pa-- patched and it's totally different when you're looking at different open-source modules or components that need to be adjusted now, when we have zero days like this. So, so, I think it's a step in the right direction because that level of transparency is, is required from a response standpoint. I think it's going to be, once we do have that greater transparency across the industry, it's-- the challenge is gonna be in managing and responding to that information in a sustainable way because it, it's so widespread, as we're seeing with Log4J, it's everywhere and finding it everywhere is, is, is really the challenge right now. Even if we speed that up, we still have the response to get through, which is, again, a lot of work.
Rick Howard: So, let's answer one of the questions from the audience members. This one's from Fedora the Explorer, right; how can supply chain companies know if they have done enough to prevent supply chain attacks? So, I guess the question there is, like SolarWinds, what should they be doing and how do they know if they've done a good enough job.
Jaclyn Miller: I think they need to be testing their, their resiliency strategies, right. They need to be testing that their risk assessments are actually identifying all of the risk and get third parties to help them open up those assumptions, not maybe more frequently than annual penetration tests and I think a lot of companies, you know, it's a check the box activity on really validating their risk assumptions and they're doing it annually, needs to become more best practice, something we're doing much more frequently and we're looking aftiv-- actively seeking those vulnerabilities to, to test if our controls, even if we've designed them well, are actually in place and doing the jobs that they should be doing.
Rick Howard: So, Denise, one of my ideas is, especially for vendors, right, design their product so that you don't need work administrative access to be functional, right, and what I mean by that is SolarWinds is a network management console software, right, and I don't know how you do it, but design it so you don't have to have administrative privileges for everything that piece of software is doing. That's what I would like to see. What about you?
Denise Anderson: I'm sure a lot of people would like to see that. That's been a bone of contention in, in the medical device world, to be honest with you, because many of the devices do require that the manufacturer have access to that. There's, there's this whole mythology around that and, and then the role that the healthcare delivery organization, we call them HDOs, play when it's deployed within their environment. So, there's been a lot of argument about who's responsible for what and where the blame should lie if something happens and, you know, I think, again, people process-- one of the things we've done the ISAC is we've-- we have a medical device cybersecurity council, where we have-- it's co-chaired by a healthcare delivery organization and a medical device manufacturer, so that they could understand each other's pain and understand that they're on the same team and that's-- we've come a long way since we started that group and, you know, there's still a long way to go but at least they're having the conversations and I think it's, again, basic enterprise risk management and, and forward thinking around threats. I'll, I'll tell you, with the Kronos ransomware attack that just happened, you know, was just in the news this week, which is a payroll, time management system, does a lot of HR things. I don't let a good incident go to waste. [LAUGHS] So, I basically told my team, you know, hey, let's look at our payroll and time keeping processes and make sure that we have workarounds that, if we went down, for whatever reason, we could still pay expenses an-- and people and, and then let's exercise it and make sure that we're catching everything, you know, and thinking about everything. So--
Rick Howard: So, Jaclyn, you're-- you work for a big networking company, right. How do you guys view the problem here?
Jaclyn Miller: I think the, the access needed to manage devices is, you know, a huge issue but maybe I'm a bit more pessimistic about technology vendors actually changing their ways on that one and it's a long time before that's gonna be a reality and we, we can reduce the level of access in order to administer a device or a piece of software and so it's--
Rick Howard: I think we have an opportunity here, all three of us, we should start our own company 'cause I think the first one that does this, that, that makes it not part of the installation, everybody's gonna buy us, right, so I think we, we can make all kinds of money.
Denise Anderson: There you go.
Jaclyn Miller: It's true. Just need to, you know, produce technology for everything, so that access model.
Rick Howard: You know, so easy.
Jaclyn Miller: Yeah, so easy, so easy, and I think that's the promise that zero trust, you know, gives us or, or the hope that it gives us, is it becomes the intermediary on, on reducing that level of access or at least containing the blast zone of that access, which is a good thing and, and I don't see that changing. I think it's still challenging for organizations to understand how to implement that architecture when they are still in such a legacy mindset of how technology works and how security works in their environments and so we have, on the people side, we have a lot more education to do in the technology space but also outside of it from an enterprise standpoint and continuing to push and educate our senior leaders, regardless if they're in technology or not and the importance of evolving and maturing continuously is, is going to be huge to help us with this.
Rick Howard: That's a topic that's come up to all the CSOs I've talked to this past year, demanding from the vendors that they do this, right, and, and I realize that one, one customer yelling about it probably won't get a lot of action but if the entire community starts yelling that this is the way we need it, perhaps we will see some change. I don't know. We'll see.
Jaclyn Miller: Yeah. To get that I think we have to have support from the other leaders in the business in order to actually move the needle.
Rick Howard: That's true. We got a question here from Yellow Snowman; are software, staff and cloud providers actually disclosing enough about the attacks they face, successful or otherwise? Jaclyn, that looks like that's directed right at you.
Jaclyn Miller: I'm, you know, I'm in this space and maybe it's-- I'm, I'm gonna be not liked too much for saying this, but, no, I think, I think, as an industry, as service providers, as cloud providers we need to be sharing more. So, same as SBOMs, software providers, providing SBOMs, greater transparency of what's in their code, I think we need to be more transparent about what's going on. The hard part about that, and I recognize, is balancing, you know, do we share before we really know what's going on and we-- as providing critical infrastructure and services to our clients, are we exclu-- you know, exposing information about our clients that they don't want exposed and how much of a choice do they have in that conversation? So, I think that a lot more work needs to be done in the level of transparency, especially in the area of the hypervisors, of how much is shared about the types of attacks, how often they're happening, especially getting that information sooner rather than later. I think they delay too much but I'd love to see better transparency in, in our industry on that.
Rick Howard: Well, since we have Denise on the call, part of an ISAC, I don't think you'd get any argument from more sharing faster, right, Denise?
Denise Anderson: Absolutely not, absolutely not. I think it's so important and I don't think people understand, you know, and we have that saying, I know I've said it before, one person's defense becomes everybody else's offense and the quicker we can get that information out so everyone can protect themselves, the better off everyone will be and it's just so important. You know, a lot of times-- I was gonna-- you know, to some of your early points there, liability is a huge issue. So, people clam up or the-- you know, they get told, they're lawyered up when an incident happens and they can't share anything and that's absolutely the wrong way to go about it and I think we need to educate lawyers more about why it's so important to get this information out.
Rick Howard: I'm surprised in 2021 that we're still thinking that way, you'd think we'd get past that by now but--
Denise Anderson: I know, I know, I know, you would think.
Rick Howard: Yeah, well, it's a good topic, Jaclyn, that was a good one. So, thanks for providing that and all those good points. Let's switch over to my topic. It's the US government's decision to use the military's cyber offensive capability to go after cyber crime. We kinda touched on this a little bit, right, but I got a note here from Julian Barnes, he's the New York Times journalist. He quoted General Nakasane or Nakasone, he's the head of the US Cyber Command and the Director of the National Security Agency, on December 5th. So, here's the quote. "Nine months ago, the government saw ransomware attacks as the responsibility of law enforcement but the attacks on Colonial Pipeline and the JBSB plants demonstrated that criminal organizations behind them have been impacting our critical infrastructure," end quote. So, we talked a little bit about this in the first segment. But we know that back in September, Cyber Command diverted traffic around servers being used by the Russia based REvil group or REvil ransomware group. They also assisted law enforcement in their efforts to seize and recover much of the cryptocurrency ransom paid by the Colonial Pipeline to the Russian ransomware group, DarkSide and they even got involved before the 2020 election, when officials feared a network of computers, known as Trickbot, could be used to disrupt voting. So, the word's still out on how effective those operations were or have been, but that's not what I'm trying to get at here. The fact that Cyber Command is doing them and do we have any concerns about that? So, Denise, I'm gonna go to you with this first question. 
I had an old army boss of mine, back in the day, who was constantly worried about secondary and tertiary effects, when people like me, we're running around saying, you know, we should go after these guys in cyberspace, he would always remind us that the enemy gets a vote and just because you decide to punch him in the face doesn't mean that he will run out of the ring with his tail between his legs, vowing never to touch the Internet again. He's much more likely to hit back. So, Denise, while you're ans-- answering, let me put the poll question up from my question. Jen, can you put that up for us? But, does it concern you, Denise, or do you feel like the US can handle whatever the Kremlers throw at us?
Denise Anderson: That's interesting. I think I would have to say I sit on the fence a little bit with it. I think it's refreshing that we're actually doing something because too long we've just let the criminals get away with it and the nation states get away with it. So, I, I do think it sends a message, even if it's just a perception, that we can come after you if we need to. But then, again, as we saw with the DDoS attacks, that's distrib-- distributed denial of service attacks, that hit the financial sector in 2012/2013, by a nation state, you know, the, the commercial concerns were the ones attacked, even though it was a political country to country issue that-- for the reason, the motivation for why they attacked, an-- and so a lot of times the commercial sector, critical infrastructure, receives the action from the threat actors versus the government and so I think that that is always something to be concerned about. But as long as we're pretty clear that the government's gonna assist and step in, I think that-- I, I think it's something we should continue to pursue. I don't think we should let them walk all over us.
Rick Howard: I didn't see the poll pop up. Did any-- Are you guys seeing the poll? Oh, there it is, okay. Jaclyn, I'll throw it to you. What do you think? Where do you fit on the-- Where would you answer this poll question?
Jaclyn Miller: I am on the fence as well. You know, I think if we take a more offensive stance, then we are definitely at risk of escalation. We definitely wanna hold a big enough stick that it makes threat actors consider what reactions would be if, if they do attack us and the government does step in, but, at the same time, I don't necessarily think it's the US government's role to start policing the global Internet, to be honest, and we don't wanna take on that role of being that responsibility for the rest of the world, as, as we've seen in other cases, when it comes to, to warfare and, and actions against threat actors in the real world. That said, I do-- I am happy to see the government step up in these cases where I think they do have a responsibility to help support critical infrastructure and support business against things that they reasonably cannot invest in protecting themselves against and that's, that's really the space where I'd like to see more on the response side and stopping an attack that's going on than, than necessarily pro-actively going out and trying to eliminate threat actors.
Rick Howard: Well, I'm on the pro side of this. I definitely think that we should do something here, right, and-- but I, but I'm just bracing myself 'cause I know that there's gonna be push-back and we're gonna have to, we're gonna have to be able to sustain that before it gets better, I believe, right, and-- but, but here's an interesting question from one of the listeners. This is from Oprah Windfury, I love it. Did Cyber Command have the authority to do these missions or did the President issue any directives or did Congress pass any laws to give them the authority? Before the show I went out and asked one of my lawyer friends a similar question to this. He says that the President has a couple of different ways; the National Security Presidential Memorandum that he's written and a handful of Presidential Directives, all written during President Trump's time, okay, and these are all highly classified that we will never see these in the public, but that gives them at least initial authority and, just as an aside, this is not unprecedented, we've used the military to go after criminals before, okay. So, when we went after Pancho Villa with the military and we also did war on drugs with the military. So, there is some precedent for this. So, I think the legal authority question is not really out of the question. But, Denise, I'll go to you. Are you feeling a little queasy about this, that it's not more written somewhere, what we're trying to do here?
Denise Anderson: Ooh, I'm-- I don't know that I'm a good person to ask about that one [LAUGHS] because, you know, I find too many times we get wrapped up in authorities and it stymies some of our action sometimes. So, I-- again, I'm gonna be on the fence on this one. I mean, I, I do think it's important, obviously, to have boundaries, but I also think sometimes we get too wrapped up in the boundaries and it kinda makes us almost ineffective.
Rick Howard: I don't disagree with that. I mean, I can see that happening, okay. But, Jaclyn, looks like you had a thought about that too though?
Jaclyn Miller: Yeah, I think I agree with that. I mean, I am definitely more a pro action versus sit around and talk about whether we're allowed to do it in the case of, you know, something is clearly under attack or, you know, economy or, or any business is being damaged by a, a threat actor, it's criminal activity and it needs to be addressed. The thing that is interesting, and where I think we will see more back and forth is maybe more in the privacy, data privacy law space. We already have countries outside of the US that have problems with how we handle search and seizure of information under criminal investigations or potential criminal investigations and I think lack of transparency of when we're doing these searches and why is maybe the more problematic issue than it is necessarily should we take action. It is more the how we're going about it and that individuals don't have a right to know when it's happening, when they get caught in the cross-hairs. So, I think that's maybe where we're going to see a longer t-- term impact from the decisions that have been made recently and in the future.
Rick Howard: Well, it sounds like both of you go along with the Grace Hopper mode of operations, which is better to ask forgiveness than to ask for permission, which I'm, I'm kind of-- I'm, I'm okay with that. Let me switch gears though on this topic. This is a question from Definitely Not An Athlete. She says, or he says; what does success look like with military going after cyber crime in the open? How do we know we're winning there? So, I don't know, either you guys got an idea about that?
Denise Anderson: I think a lot of times we're playing Whac-A-Mole. You know, we saw the take down of Emotet and then that's back. Trickbot has been taken down and, you know, that-- we're still talking about Trickbot. So, I, I'm not sure how successful. I think sometimes, in the short term, it might be successful. I don't know how successful it is in the long term and certainly we've seen a lot of these threat actors move from group to group to group, right. DarkSide has been a number of [LAUGHS] numerations of names. So, I, I do see though, when you get the money back, like, from Colonial Pipeline, that is a success. They, they got their-- you know, they were able to function and they got their money back. So, yeah, good, good for the good guys.
Rick Howard: How about you, Jaclyn, any ideas about what looks good? How can we say we're winning?
Jaclyn Miller: I think, you know, e-- exactly what Denise said, it is incredibly hard to pick any one KPI or metric that would measure that. But a decrease in monetization would be, I think, maybe the biggest signal, where threat actors just aren't making as much money on this and we stop seeing the size of the market for these types of attacks, grow.
Rick Howard: I think that w-- The reason I like this topic is, I think that what it means to us in the future. I think for us to be successful, this kind of offensive operational capability is gonna have to be relentless. It can't be a one off and just a little bit. It has to be a lot and always and that si-- that signifies a change in how we're gonna do this in the future. So, that's why I think it's the most-- one of the most impactful things we've seen this year. This is a question from Magic School Bus Dropout. General Nakasone said that they were not just using cyber operations to take down criminal organizations, they were also using whole of government approach. So, Denise, what do you think that means, a whole of government approach? It's more than just hacking back?
Denise Anderson: I think that's a buzz word. Yeah, you know, a lot of--
Rick Howard: You mean, generals use buzz words, huh, what?
Denise Anderson: My jaded, my jaded self is gonna come out here. You know, this goes back to that authority thing. You know, it's like too many times I've seen where it was like, "Well, we don't have the authority to do this, that's that agency or this agent." I-- It just-- I don't, I don't know, whole of government sounds nice. I'm not sure how practical or realistic it is and, you know, not to sound too jaded but I am.
Rick Howard: Now we're old and jaded, okay. [LAUGHS]
Denise Anderson: Yes. [LAUGHS]
Rick Howard: Well, Jaclyn, let me throw it to you this way. I've always had the idea that DHS, right, should not just have one or two lawyers on their staff, they should have thousands and tie up infrastructure, criminal infrastructure in legal cases, just so-- make it so it's so hard to operate that they can't do it anymore. I don't know. What do you think about that, as a whole of government approach?
Jaclyn Miller: I think it's an interesting concept but I [LAUGHS] --
Rick Howard: Yeah, I know.
Jaclyn Miller: Maybe-- I know. I'm trying not to be jaded, I'm trying to be the optimistic viewpoint here. I think the, you know, the government has been focusing on how to-- how do you have inter-agency cross-agency collaboration on a number of initiatives, but cybersecurity being one of them and that is-- maybe the most optimistic thing is that they continue to focus on, on that and hopefully that will continue to push them into a holistic strategy, being able to use all their resources, not just attack back as a concept.
Denise Anderson: Hey, Rick, can I jump in for one second?
Rick Howard: Yeah, yeah, please.
Denise Anderson: Here's a concept. Why does it have to be whole of government? How can it be-- Why can't it be whole of public private partnership? And I think that's the big problem is that too many times government-- and I, I'm seeing a little bit, you know, where they're trying to reach out to the private sector, but really it should be a whole nation effort, right, where the private side, as well as the public side, come together as one voice and one action and I don't think we do that enough. I think we tend to operate very much in silos and I think it's, it's just something that we should strive for. I know that's really, you know, holding hands and like the world to sing but I think that's what it should be and I don't think we take that perspective often enough.
Rick Howard: Well, it isn't like we've not tried to do that, right...
Denise Anderson: We have.
Rick Howard: ...the I-- the better idea of ISACs is the, you know, to do that kind of thing, right?
Denise Anderson: Yeah, absolutely.
Rick Howard: We're just not very good at it, even 20 years, you know, after the first one got established, right. So-- and so, well let's talk about what that means in practice, okay, if we're gonna say commercial and government working together. We kinda have an idea what governments can do. What would you want the commercial sector to do, besides just sharing threat information? What else, what else could they do or what else would you want the government to use them for? Jaclyn, maybe you take--
Denise Anderson: Well, let me, I'll, I'll give you a concrete example fro-- from this week actually, and this is som-- something minor, I mean, this isn't major, but it's an example of a step forward that we could take, and that is when the Log4J vulnerability came out, we put out-- the Health-ISAC put out an alert to our members and actually we made it TLP white, for those of you don't know what traffic light protocol is, it's a way to disseminate information and white means it's on public. So, we put it on our website, we distributed it broadly. And HC3, which is a SOC for the Health and Human Services, or HHS, also came out with an alert, very similar to ours, within about half an hour. So, here's a concept; why don't we brand it together as Health-ISAC and HHS and no-- number one, we're having one voice on a threat, number two, it's one less email in your inbox and, number three, it's a great example of public/private partnership, working together to get a message out to, to the, you know, to the country basically.
Rick Howard: Yeah, I think that's a good thing to say but, in practice, it's hard to do, just coordinating all those activities is hard. But one of the ideas I've heard put forth on that is having a-- like the Agile system of software development. Let's say you guys put the first alert out, then DHS comes in behind, and, says, you know, we'll change this to that 'cause we know that piece, as opposed to having 17 different emails, it's all in one spot and it gets updated as people have new information, right. So, I don't think it's that hard. So, Jaclyn, you were shaking your head up and down, you're in violent agreement with it?
Jaclyn Miller: Yeah, I am. Being on the receiving end of those alerts and in my world, you know, what we do is we then translate those alerts to what does it mean for me at an individual client, customer, environment level and we are communicating with C-levels, not just CIOs that understand our CSOs, that understand, you know, what the alert level ten means, a CVSS score, you know, and all the technical jargon that we use in the industry, but how do I translate it into business terms and what does it mean for my business today, this week? So, I think that's the other level of partnership that we're kind of talking about. This idea of whole government is you not only have to get the technical alerts out, that information out, publish updates as fast as possible using Agile methodology, but you need another layer, translation layer, which often we rely on the media to do, you know. Bleeping Computer does a great job of, of doing this, just to call out one particular publication. But it's needed, massively needed and we have to be faster at it. So, the better coordination we have in these communications and, and what the downstream impacts are means that we are more resilient. It's not worth it to attack because we're gonna respond so fast that you would only make-- again, get skin deep on an attack when we have a zero day like this.
Rick Howard: This is all good stuff and, and all the topics we've covered this show have been extremely interesting, so good job everybody. What we're gonna do is transition to some general purpose questions. We got these from CyberWire audience members before the show started and it's kind of a hodge podge of everything. So, be prepared, you know, we're gonna make stuff up as we go. This is from Steven Laskowski. His question is: What is the role of third party threat intelligence in XDR implementations? And then, in the same category, from Phil Neray. He says, what are your thoughts on the value of XDR and do you see it replacing or augmenting your existing SIEMs? So, that's a, that's a big giant topic. Jaclyn, let's start with you. Are you guys using XDR at NTT?
Jaclyn Miller: Yes, we are using XDR. I think the XDR capabilities are getting a lot better but we still have coverage gaps where XDR doesn't tackle all of the technology that we're using, it still has limitations and we talked about a lot of typical client environments, just depending on the industry, maybe running a lot of end of life systems, so especially with end of life technology, end of life software, there isn't full coverage of that and it's very difficult for any one vendor in the, in the space, providing protective technologies to reasonably be able to deal with all of that coverage and so I-- that's why I don't think XDR can be a silver bullet in terms of, of protection strategy, you know, just 'cause you put it in place doesn't mean that, you know, you don't have to do anything else, you know, wipe your hands and go home. In terms of threat intel, more intel is always better but you have to have a great-- a good means of ingesting and sorting through that information and, and making decisions about what to act on or not. So, I do think that additional threat intel feeds into our, our technology stack is generally a good thing.
Rick Howard: So, what I like about the idea of XDR is that it's not another whole set of technology that you have to put in the security stack. It's really basically a, a platform that reaches out to your existing security stack if it's working correctly, through APIs, right, and so you don't have to deploy new security tools. It's just kind of a, a meta layer over the top of what you already have, so that you can collect telemetry, that'd be useful, and you can, and you can send back the other way updates to configurations, like do you wanna block, you know, something or you wanna find Log4J or whatever you're trying to do. So, I-- that's what I like about it. The, the Gartner Hype Cycle puts XDR five years away from being useful, 'cause it's just really getting started. So, it's a promising technology. But, Denise, my question to you is, I see XDR kinda compressing or merging XDR, SIEM and, I don't know, SOAR technologies and it's all gonna be just XDR at some point, 'cause it's all-- they all kind of overlap in the middle. Are you buying any of that or do you see some other vision in front of us?
Denise Anderson: No, I think it's gonna be interesting. I, I think time will tell, you know, especially in healthcare, they're, they're just starting to talk about SOAR. So, you know, it's gonna be an evolution I believe. I think don't discount the people in this, you know, and the fact that what they can bring to the table. I think, too many times, we, we don't look at that and so I think we have to add that to the mix, the value that the people bring to the whole process and tying the dots together. So--
Rick Howard: Here's one from Doug Mayer, just a pretty simple question. What are the essential components of a zero trust strategy? Jaclyn, what do you think? I have my ideas but--
Jaclyn Miller: So, that is a fantastic question. Zero trust is fundamentally an architecture strategy, you know, it isn't--
Rick Howard: Yeah, a philosophy, yeah.
Jaclyn Miller: It is a philosophy, it's not a technology as much as the technology vendors would like you to believe, that you can buy it in a box.
Rick Howard: You mean, you just can't buy it and have it work out of the box?
Jaclyn Miller: No. [LAUGHS] It'd be wonderful if you can, but-- and some day maybe we'll get there. But it, it's-- I think one of the key things is to understand your-- you have to have a strong understanding of your access controls that are in place and your technology behind that because all of that needs to be integrated in and coordinated through your zero trust strategy. Then you need to have a really strong understanding of how users are accessing information and applications and what the requirements are for them to get access, both from a technology compliance standpoint; are they coming from a safe location on a safe device, and doing compliance checks. But also do they have a legitimate need from a business standpoint? And that's really where the intersection of this, of, of zero trust comes into play. So, I'm probably gonna give a, a pretty un-- maybe not terribly helpful answer in the immediate term, but on a true understanding of your access controls being in place and also your access and data flow processes from-- between users and applications is an incredibly important underlying prerequisite to starting to approach your, your zero trust strategy. From there, then you can start looking at technology components.
Rick Howard: That's a great answer, okay, and I hate to say this but we are out of time, alright. That hour flew by. So, ladies and gentlemen, on the behalf of my colleagues, Denise Anderson and Jaclyn Miller, thank you all for participating. Happy holidays everyone. Get some rest over the break and try not to stay up all weekend fixing the latest zero day exploit we've been talking about and we will see you at the next CyberWire quarterly analysts call in the New Year. Jaclyn, Denise, say goodbye.
Jaclyn Miller: Thank you. Happy holidays.
Denise Anderson: Bye. Thank you. Yes, Merry Christmas.
Rick Howard: Thank you all.
Denise Anderson: Bye.