Responding to a Cyberattack

We talk a lot on the podcast about the threats out there on the dark web. But what happens when one of those threats becomes a full blown cyberattack against your organization?

What happens on the fateful day that your organization is hit by a cyberattack?

In this episode of The Dark Dive we’re joined by incident response heavyweight Caleb Barlow (former head of IBM X-Force and now CEO of Cyberbit) and Searchlight Cyber’s Head of Threat Intelligence Luke Donovan to discuss the best ways to respond to a cyberattack.

Caleb and Luke share war stories, talk about what progress has been made in the cybersecurity industry (and areas of improvement!), and each give their own take on how organizations can best prepare for the fateful day that their network is breached.

The Ted Talk discussed at the 39 minute mark is “Where is Cybercrime Really Coming From?”.

Speakers

Aidan Murphy - Host, Searchlight Cyber

Caleb Barlow - CEO of Cyberbit

Luke Donovan - Head of Threat Intelligence, Searchlight Cyber

In this episode of The Dark Dive we discuss:

How Incident Response has changed over the years

Caleb and Luke discuss progress (and sometimes lack of progress!) in incident response practices.

Where threat intelligence fits into the Incident Response Process

In particular, the role attribution has to play in incident response. Does it help to know who exactly is attacking you?

Why an eight-year-old Ted Talk now seems remarkably prescient

Devastating cyberattacks, dark web criminals, and pandemic preparation - doesn't this sound all too familiar?

Transcript

Aidan Murphy: Hello and welcome to another episode of The Dark Dive, the podcast that delves into the depths of the dark web. My name is Aidan Murphy and I’m your host as each month we take a look at a different aspect of the dark web. We talk a lot on the podcast about the threats out there from this hidden part of the internet. But one aspect we haven’t covered so much is what exactly happens when those threats hit an organization. What happens when you’re the victim of a cyberattack? How do companies respond on that fateful day when they realize their network’s been breached? And what should they be doing beforehand to prepare themselves for that day? Joining me to discuss these questions and more is one of the leaders in the incident response world, Caleb Barlow, who led IBM’s X-Force threat intelligence organization and is now CEO of the cybersecurity development company Cyberbit. Thanks for joining me, Caleb.

(TC: 00:00:56) 

Caleb Barlow: Pleasure to be here, Aidan.

(TC: 00:00:58) 

Aidan Murphy: I’m also joined by Searchlight Cyber’s own Luke Donovan who regular listeners will remember from our episode on dark web data leaks. Luke is head of threat intelligence at Searchlight Cyber and has had his own forays into the world of incident response, helping companies cope with the fallout of cyberattacks. Hello, Luke.

(TC: 00:01:15) 

Luke Donovan: Hi, Aidan. Hi, Caleb. Nice to be here today.

(TC: 00:01:17) 

Aidan Murphy: Brilliant, thanks guys. So, before we kick off, I think it would just be worth giving listeners a little bit of background on each of you. So, Caleb, do you mind giving a little bit of an overview?

(TC: 00:01:24) 

Caleb Barlow: Yes, sure. I think as it applies here probably, you know, I’ve had the opportunity to work at both small companies as well as a really big company at IBM where I ran the IBM X-Force, both with threat intelligence business as well as incident response. What’s, kind of, interesting coming out of that is it was an opportunity at the time, and this is back, gosh, it’s five, six years ago now, where you were responding to some very large-scale breaches and very large-scale incidents that often times impacted multiple companies at the same time. You know, things like WannaCry and NotPetya. And, you know, what was amazing to me coming out of that was you really started to realize that right of boom, companies are woefully unprepared. You know, you would work with companies that left of boom, had bought all the tools, all the capabilities. But when it actually hit the proverbial fan, executives didn’t know how to make decisions. You know, I think this really changed my career and, kind of, the trajectory and a lot of what we’ll probably talk about here today. You know, I started to think about, ‘Wow, how do you not only build that muscle memory and all those capabilities left of boom? But how do you build those same capabilities so when you do end up right of boom, you dramatically reduce the risk?’ You can create teams that can migrate through the uncertain quicker and that’s a combination not only of skilling but also really having access to good intelligence. You know, interestingly enough, that then led my career to really start to pursue this and building things like cyber ranges. I mean, at IBM, we came up with the first really physical, commercial cyber range. And the backstory on that is it 100% came out of the frustration of responding to these incidents where the lackluster response from executives would cause more damage than the threat actor. And now I run a company, that’s what we focus on every day. So, that’s me.

(TC: 00:03:31) 

Aidan Murphy: Brilliant, Caleb. I mean, you’ve already brought up a load of stuff I want to talk about and this is why you’re such a good guest for this podcast. And just before I move onto Luke-, sorry, I’m going to get to you in a second, Luke. Because in my mind, X-Force and IBM, I think they’re almost, kind of, the pioneers in this incident response place. Is that how it felt at the time?

(TC: 00:03:50) 

Caleb Barlow: Well, I think-, I mean, look, there are a lot of people doing incident response. I think the part that we really pioneered that no one else had touched was the concept of incident command in that-, and you have to understand, like, I can’t remember what the percentage was but, I’m guessing, it was probably like 25-30% of my team had prior military or government experience. I personally grew up in the emergency response community. I literally grew up in the back of a fire station in my younger years. And the thing is, in those types of careers where, you know, think of physicians, think of firefighters, EMTs, military. Like, you learn how to make decisions differently, you learn how to build run-books, to pre-plan for what the worst thing is that could happen. Basically, these are careers where you plan for right of boom. Those things didn’t exist in corporations. And, I mean, probably the most impactful event for me was WannaCry. I had 14 customers that had dropped in a matter of minutes and I had no telemetry and no ability to make decisions. And, granted, WannaCry was over with pretty quickly. The good news is all those customers fared great. But doing the retrospective on that, we sat down as a team, we were like, ‘Never again are we going to have this situation.’ And that led to all kinds of innovations around how to plan for things, how to build incident command systems where you could make decisions across multiple customers in a large-scale incident. And I think a lot of, kind of, new ideas came out of that. Now, IBM has since, you know, largely divested of those businesses. But I do think that that’s where a lot of it came from and we now see those things replicated all over the world.

(TC: 00:05:46) 

Aidan Murphy: I’m just going to pull out WannaCry just in case any listeners weren’t in the cybersecurity industry when that happened. But, Caleb, maybe you could explain. Because it wasn’t just IBM, right?

(TC: 00:05:55) 

Caleb Barlow: It was the whole industry. Like -.

(TC: 00:05:56) 

Aidan Murphy: Yes. Yes, everyone was shocked by the scale of WannaCry.

(TC: 00:05:59) 

Caleb Barlow: We’re all standing there and things are dropping like flies and nobody understands what’s going on. And, you know, it’s this-, you know, in a lot of ways, like, you never know what novel issue is going to cause multiple systems to go down. I mean, probably the most recent example of this wasn’t even a cyberattack. It was, you know, the failed patches from CrowdStrike, right? But the reality is-, I mean, was that technically a cybersecurity incident? No. Is the response absolutely identical? Yes, it is. Like, the only difference was you knew it wasn’t a bad actor. It was actually a good actor that screwed up. But you still have to make decisions on the fly. You have to mitigate risks, you have to decide what you’re going to do. And I think, you know, you saw some companies fare really well with that, relatively speaking, and others really had some severe failures. 100% of that comes down to your planning and exercising right of boom.

(TC: 00:07:05) 

Aidan Murphy: Well, and speaking of people who have a military background. So, Luke, finally I’ll get onto your introduction. Maybe you can give people a little bit of an overview of where you’re coming from on this and your experience of incident response, which I think is a slightly different perspective to Caleb’s.

(TC: 00:07:19) 

Luke Donovan: It is, it’s a very different perspective to Caleb’s. Like Caleb and yourself already mentioned, I come from a military background. I was in military intelligence. So, I started off in 2005. And then in 2016, I then adapted my understanding of incident response, of threat landscape and intelligence, and started working in the corporate environment, started working with the public sector and private sector, depending on who my client was at the time. There were numerous different clients we were working with. Throughout that period of time, I’d been involved in a significant number of incident responses, both from a cyber environment and also from a more kinetic environment. So, I remember times of being in situations and incidents where an IED had hit a vehicle, you know? An IED had hit a vehicle, we’ve got a security incident there, we’ve got to do something about that incident. As a section, if you’re not trained, if you’re not prepared, all hell breaks loose. You don’t know what’s going on. You don’t know how to take command of that situation, you don’t know what your next steps are going to be, you don’t know how to deal with any casualties you’ve got.

So, from an incident response perspective, what we end up doing is going back to our training, going back to the plans, going back to everything we’ve put in place, putting out cordons to contain the threat or to identify the threat. Getting involved in communications. You know, bringing in the technical expertise to help us whether it’s medical evacs, whether it’s explosive ordnance individuals to remove any devices, drawing all that experience together. So, I went from that environment all the way across into the cyber environment where there’s a lot of similarities, whether it’s somebody breaching your firewalls, gaining access to your systems. You know, looking for those indicators and warnings of threats. And so, since 2016, I’ve been in a cyber environment. I previously worked in a smaller organization than Searchlight Cyber. And then since the start of this year, I’ve come across to Searchlight Cyber as the head of threat intelligence.

(TC: 00:09:22) 

Aidan Murphy: So, presumably, what Caleb was saying just a minute ago about a lot of people, kind of, pioneering the space of incident response have a military or emergency services background and the experience. That must completely resonate with you. That’s similar to your experience.

(TC: 00:09:35) 

Luke Donovan: Yes, absolutely. And I think it comes down to a lot of the processes which are in place, you know? I think if you look at the cyber processes when it comes around incident response, the preparation, the identification, containment, eradication etc. Those steps you’re going to take when you’re conducting an incident response in the cyber environment, exactly the same if you’re in a military environment. You’re still going to go through those same steps.

(TC: 00:10:00) 

Aidan Murphy: Okay brilliant. With that, I’m going to go back to you, Caleb. So, this is a very top level question and I apologize because it’s probably the hardest one to answer. But from your perspective then, what are the, kind of, fundamental tenets of incident response? In which I mean, you know, if an organization is coming to this and maybe they’re not massively experienced, what should they be thinking about?

(TC: 00:10:19) 

Caleb Barlow: Well, let’s talk about this from the perspective not so much from the actual incident responders, right? I mean, there is a-, you know, the incident responders are going to be going through obviously a very technical process. But let’s talk about this from a board room perspective, right? You know, I think there’s a couple of really core principles that they didn’t teach you in Harvard Business School of if you think about your classic executive challenge of how do you solve a big problem? Like, you’re going to-, you know, how many times in your career have you been told, ‘Slow down. Think. Get more data. Maybe get the opinion of others.’ Well, the first thing you have to recognize, the minute you have an incident of magnitude, and, you know, there’s a whole other step we can talk about how do you know when you have an incident of magnitude, is time is not on your side. Time is the most valuable commodity you have. So, what does that mean? It means you need to make decisions fast and you need to make decisions with limited data. You know, there’s a great quote out there that if-, I can’t remember what the exact numbers are. But, you know, if you wait until you’ve got 70% of the data that you need to make a decision, the decision’s already made for you in the event of an incident response. So, you’ve got to increase this pacing. I think one of the first things you’ve also got to recognize is that you have to make decisions with the people in the room. Like, if the CEO’s on a plane for the next 12 hours, then the CEO’s not part of the incident response process. You’ve got to make sure you’ve got the delegated authorities to respond urgently. And, look, here’s the test I always give people, right, is can you assemble the team you need to assemble at three o’clock in the morning on Christmas Eve? That’s the team you’re working with. So, that’s the team you need to practice with. Who’s on that team, who are their delegates, and how do you do that and how do you exercise it? So, that’s a big part of where we need to start.

(TC: 00:12:12) 

Aidan Murphy: Amazing. And then I’m just going to come to you, Luke. So, just from the psychology part of things. So, like Caleb says, this a stressful situation, you have to make decisions quickly. Psychologically, that must be super tough.

(TC: 00:12:24) 

Luke Donovan: It is. It’s very tough. But as long as you’ve got the training, the background in place, then you can adapt that and improvise on that, then you’re sorted for the situations. In the incident response situations I’ve been involved in when it comes to cyber related, end users will come to us with an issue, whether they’ve been hit by a ransomware attack, whether it’s been a DDoS attack. You name it. There’s a wide variety of incidents out there. When they’ve come to us, it’s very eye opening how many of them have not prepared for that situation. They’ll come into the call, they’re panicking, they don’t know what to do. And, as Caleb said, that’s a lot of time wasted because they don’t know who to reach out to. They haven’t got the team in place to be reacting to that incident which is giving more time to that threat actor to go and conduct their activities. But, yes, it’s that timing, that panicking. How do you prevent that?

(TC: 00:13:16) 

Aidan Murphy: So, what I’m getting from both of you, and this is not an original thought when it comes to incident response, but a lot of this comes down to preparation beforehand, right? So, like you say Caleb, you need to know who those people are going to be there at three in the morning. And if you don’t know who those people are and you don’t know the lines of command and all these things, then you have a problem. So, what are the best practices in terms of preparation? So, I mean, Caleb, you talked about some of the things that IBM did, you know, creating cyber ranges. But presumably simulations, tabletop exercises, playbooks. Is all of this part of the rich tapestry?

(TC: 00:13:48) 

Caleb Barlow: Well, it’s all part of the rich tapestry. I think the other thing that really comes into this is you have to learn some new skills, right? So, you know, just like there is executive decision making, there’s crisis decision making. And that is a very, very different mental model of how you approach things. So, for example, if we’re teaching-, I’ll give you one example, right? If we’re helping an executive team really understand, you know, how crisis decision making is different, we really spend a lot of time talking about a concept called an OODA loop. You know, some of your listeners are probably familiar with this. It stands for Observe, Orient, Decide and Act. It’s a methodology that was developed by a US air force fighter pilot that was trying to articulate how do you make decisions in a dogfight. And, you know, if we think about this overlaid to cyber, right, first thing you do is observe. What has happened? How has it happened? What do you know about it? The next thing you try to do is orient yourself, you know. Is there other information you could bring into this? Is there something unique that’s happening in the environment right now? Is there something unique that’s happening in the company? Like, maybe an acquisition. Could you get informed through threat intelligence from the dark web with tools like Searchlight, right? So, you’re going to really orient yourself. You’re going to make a decision on what you’re going to do and then you’re going to act. But here’s where this really separates from executive decision making. In a board room decision, you make a decision and, you know, maybe you come back a month later to say, ‘Hi, how’s it going?’ And there’s probably a lot of resistance to changing that decision. With crisis decision making, you immediately go back to that loop and start over and reorient yourself. Did the decision work? Did anything change? And you’re totally open to going back on your own decisions based on new data.

So, this sounds like a very simple concept. It actually takes a lot to train people to think and make decisions differently and process through these OODA loops. In the case of, kind of, the example where this came from in a dogfight, right? He who processes their OODA loop faster wins the dogfight. Well, the biggest thing I always try to ground executives on realizing is that in a cybersecurity incident, you are up against a human adversary. There is someone on the other side of the glass that is watching what you’re doing, can make decisions based on your response. And until you recognize that you’re up against a human adversary, your natural inclination in board room decision making is to try to approach things with a formula. There’s no formula or framework for this. This is much more analogous to a boxing match. And you need to be prepared for that.

(TC: 00:16:23) 

Aidan Murphy: Yes, I guess that’s why the OODA loop is such a great analogy because, yes, you’re against another pilot, right? There’s someone else. You’re trying to get away from them and they’re trying to get you.

(TC: 00:16:33) 

Caleb Barlow: Exactly.

(TC: 00:16:35) 

Aidan Murphy: Yes. It’s a really interesting way of thinking about it. And, again, sorry Caleb, I’m chucking all the hard questions at you. But how well do you think organizations are doing at, kind of, taking on these skills? Presumably, since your IBM days, people are much more aware of these type of methodologies than they were before. But is this still something that you find?

(TC: 00:16:54) 

Caleb Barlow: Pretty lousy in general, right? I mean, look, okay. The professors at Harvard refer to cybersecurity as a novel risk meaning that it’s unpredictable risk, that you can’t predict and you don’t necessarily know how to respond to. And when they first came out with this definition, I looked at it, I said, ‘Yes, you’re spot on.’ I’ll tell you though, I think we’re starting to see more of this as a hybrid risk of a lot of things that are occurring now from a cybersecurity perspective, they’re not the highly sophisticated, nation state adversary that everyone-, with some unique, zero-day. 99% of what occurs is completely predictable. You got impacted by ransomware. Let me be very clear, that was 100% avoidable. So, you didn’t have the policies in place, the procedures in place, or the defenses in place. Getting impacted by ransomware nowadays isn’t any different than your building burning down in a fire. Like, it was a predictable risk and either you had the things in place to mitigate that. The equivalence of, you know, the smoke detectors and fire suppression systems and sprinklers. Or you didn’t. And unfortunately, we’ve gotten so enamored by the risk and deflected by the cost of mitigating it that a lot of times we just try to punt that risk to insurance, hope it won’t happen. And then we’re all surprised when it, you know, when one of these companies gets impacted. But the other thing we have to recognize here is that every time a company pays a ransom, you are literally the venture capitalist for the next incident that occurs. Look at the size-, do you know what a million dollars buys in Moscow? Like, you just paid for that whole team a Lamborghini, a really nice party, and everything in between, right? On one incident. And I think until people really realize that, we’re not going to change the dynamics of this any time soon.

(TC: 00:18:59) 

Aidan Murphy: People listening can’t see this but Luke is nodding his head and smiling. So, I’m going to assume he’s in agreement?

(TC: 00:19:04) 

Caleb Barlow: Luke’s trying to think about what car he wants to buy if he can win one of these ransoms.

(TC: 00:19:10) 

Aidan Murphy: Luke, what was your experience? How well are organizations doing?

(TC: 00:19:15) 

Luke Donovan: Yes, it’s pretty poor. It is pretty poor. I’ve dealt with multiple organizations globally when it comes to different incidents. And their understanding is lax. There’s a number of different frameworks, a number of different, sort of, methodologies you can take to identify threats, mitigate those threats. There’s one called the F3EAD cycle, so, where you find, you fix, you finish the target. Then you’re going to exploit the information which you got and then you’re going to analyze it. I’m not going to go into it any great depth. But it’s something for the listeners to go off and review. Cycles like that, cycles like the intelligence cycle, if you’ve got a firm understanding of them and you apply them to an incident, or even prior to an incident, you are going to be in a really good shape. It’s about identifying that threat first and people just don’t do it.

(TC: 00:20:02) 

Aidan Murphy: And do you think the reason people don’t do it-, do you agree with Caleb? Is there this, kind of, reluctance to engage with the problem, I guess, is one way you could put it. Or a belief that the problem is just too big and too insurmountable, you know, that it’s too hard to prepare for these scenarios.

(TC: 00:20:16) 

Luke Donovan: Yes, I don’t think it’s too hard to prepare for these scenarios. I think a lot of it comes down to resourcing and experience within teams. You know, a lot of these teams, they’ve got their work cut out. They’ve got a lot of pressure on them dealing with the security of organizations that to add in additional complexity around incident response, around monitoring, say, the dark web, it just becomes a little bit too much for them.

(TC: 00:20:41) 

Aidan Murphy: Okay. But I think something interesting that Caleb said is that actually the novel risk element is reducing and a lot of this is predictable. And surely some of this comes down to, kind of, increased access to intelligence. And maybe this is a difference, I don’t know, Caleb, tell me what you think, again between maybe five, six, seven years ago and now. The access to threat intelligence that organizations have, is that likely to play a role in people improving their incident response if they do engage with it?

(TC: 00:21:10) 

Caleb Barlow: Well, you know, absolutely. So, think of this five, six years ago, no one cared about attribution, right? It was, you know, you got malware in your system, you need to eradicate it. It doesn’t matter if it was a nation-state adversary or a bored teenager. That’s no longer the case. Now, first of all, it is absolutely possible in most cases to get fairly reasonable levels of attribution. You may not know the person’s name, but you probably know the actor, the campaign, or the motivation. And that becomes very important because it can impact decision-making on, ‘Hey, was this an employee that clicked on a link they shouldn’t have in some sort of large-scale operation that they just got unlucky? And we’re going to mitigate that and not worry about it. Or are we actually being targeted by a very specific actor? In which case, we need to up our defenses.’ So, I think that makes an enormous difference. But here’s the other thing, right? Is that threat intelligence now can help us stop something before it even gets started, right? If we see a campaign emerging, if we see that our company or one of our executives or maybe parts of our supply chain are in the target zone of the motivations of that actor or that campaign, then we can do things to mitigate that before that attack occurs. You know, I don’t usually like to use military analogies here, but this isn’t any different than how a military uses intelligence, right? If you can disrupt the adversary before they attack, that’s going to be a heck of a lot more fruitful than waiting until you’re already a victim.

And I think in the case of threat intelligence nowadays, because these threat actors are typically, you know, loosely coupled organizations of professionals that don’t necessarily even know each other, they’re all communicating via dark web forums and Telegram. So, it is absolutely in the art of the possible to intercept your company’s name, your company’s logo, your executives, during that initial formation of a campaign. And although we talk a lot about-, we were laughing a little bit about, you know, the level of sophistication of people that respond, the reality is the more sophisticated organizations, you don’t hear about because they’re either preventing these incidents before they ever occur or they’re rapidly mitigating the incident as soon as it starts to occur because they have a very good idea of who’s coming at them and what techniques they’re going to use.

(TC: 00:23:50) 

Luke Donovan: If I can just continue on some of those points, what Caleb just mentioned there, I dealt with a private sector organization a couple of years ago. They were hit by a DDoS attack, okay? And they’d come to me and said, ‘We’ve been hit by a DDoS attack. It was a fairly significant DDoS attack.’ Took out all their systems. And they’d come up with a lot of analysis, a lot of assessments in terms of who they thought was behind it, that attribution aspect. Were they going to be targeted again? The organization I was doing this work for didn’t have any threat intelligence in-house, okay? It was their security team making the assessments. So, they tasked me to go off, try and identify who was behind it. I went off, I went off onto the dark web. I went off to some forums and paste sites etc. And through doing some analysis, through doing some searches, based on their organizational name, based on some other entities, it was very, very clear who the adversary was, who was behind the attack. The attacker posted way before the attack that they were going to target the organization, how they were going to target them, and the IP addresses they were going to target. Everything was laid out there on a piece of paper for them. So, if that organization had had any threat intelligence in place looking across the sources where they posted the content, they’d have had this early warning that there was a threat there and they could have done something to prevent this. You know, increase their resourcing, increasing their DDoS protection. But because they didn’t have that in place, it eventually meant that they were hit fairly significantly.

(TC: 00:25:27) 

Aidan Murphy: Yes, I think this is a really important point so I want to just, kind of, stick on this for a second and really drive it home. Because I guess what we’re talking about here-, I mean, it’s still within the realms of instant response. But to use a phrase that you used, Caleb, which I really liked, we’re almost talking now about acting left of boom, before really the real impact of the incident has taken place. You know, as Luke was just describing, you might be being targeted in a dark web forum, they may have already identified a way of accessing your system. But this is before, I guess, the dreadful day where your computer screen has frozen and you’ve been given a ransom demand. Is that what we’re saying, Luke? Is that what you were describing there?

(TC: 00:26:09) 

Luke Donovan: Yes, absolutely.

(TC: 00:26:10) 

Aidan Murphy: Brilliant. I did just want to come back to this attribution part of things as well which was the first point you mentioned, Caleb, because I thought that was really interesting. I think, I mean, I’ve heard before people argue that it doesn’t matter who’s attacking you. What matters is what’s happening. That might be quite a controversial statement considering what we’re talking about and I could see Luke grimacing a little bit. Is that wrong if people are saying that, if people believe that it doesn’t matter who the attackers are? Have they, kind of, misunderstood what we’re trying to do here, Caleb?

(TC: 00:26:41) 

Caleb Barlow: Well, I think historically it probably didn’t. But here’s the way to look at it. Who the attackers are probably doesn’t matter a whole lot in the attack you’re in right now because you’re already a victim. It definitely matters a lot for the next attack and trying to prevent that.

(TC: 00:26:54) 

Luke Donovan: Yes, absolutely, Caleb. It’s about identifying those-, the intention, their capability, their tactics, their techniques, their procedures. If you can understand that, you understand how they might traverse through your system if they breach your system. And therefore if you know how they’re going to traverse through your system, you can then work out how are you going to contain that threat and then eradicate that threat.

(TC: 00:27:16) 

Caleb Barlow: I’ll give you a perfect example, right? So, real world incident. This is several years ago when EDR was still new. You know, a Chinese adversary is all over the company’s network. And, you know, we find it here, there, and everywhere. The problem is the company does not have EDR tooling, so it’s difficult to figure out where the adversary is. And in this case, you knew how the adversary was coming in. So, the decision is do you just-, do you close the door on the way the adversary’s coming in? Or do you get EDR deployed first? And the argument was if you close the door, you stop the damage. The counterargument was not necessarily because you don’t know if they’ve established any other back-doors, which they probably have, and that adversary can then immediately pivot and jog. So, the decision was made to just close the door. And then they started a slow roll-out of EDR. Well, guess what they found? Which was as they started a slow roll-out of EDR, they found the adversary was all over a whole bunch of other stuff, right? But that was multiple months that it took them to realize that. And of course, the adversary sees this EDR deployment that was taking months to deploy and my guess is the adversary’s probably still in there, right, and just continue to pivot and jog to places they couldn’t find. Whereas had you understood the details of the adversary, had you understood their sophistication and their techniques, what you would have done instead is deployed an EDR solution over a weekend to everything so that you could have immediately found all instances and eradicated everything all at once in a rapid fire fashion and likely had a better chance of eradicating the adversary, right? So, there’s a really good example of what I think were best intentions. Because they weren’t properly informed by understanding the adversary, the campaign, and their motivation, probably resulted in a bad result.

You know, on the other hand, I’ve seen similar incidents where you understand the motivation of an adversary, you understand what their target is. And you might make some radical decisions, for example, to take that particular target offline for a period of time until you get the necessary provisions in place, right? Like, if you know your whole company can keep running but you’ve got to maybe disconnect this one production system from the internet, and it can run disconnected, then do it, right? Like, if you know that that’s what their target is. So, you know, I think having a threat informed defense is incredibly important. And I don’t think this is a question of anyone being wrong in the past. It’s just we can do things we couldn’t do two, three years ago. And, look, I mean, this is where tools like Searchlight come in, right? I mean, the ability to look through all of the data on the deep and dark web at an incredible level of sophistication, to identify what is relevant to my company and then use that to make data based decisions? That’s the stuff that moves the needle on things like this.

(TC: 00:30:25) 

Aidan Murphy: Well, I’m going to throw out another provocative comment here to Luke. So, Luke, I’m not going to name the event. But you went to an event recently and they were, kind of, suggesting that threat intelligence was a nice to have but maybe not a security priority. But I think what Caleb is describing here is that that’s not the case. And I think it comes back actually to what we were talking about right at the beginning. You have to make decisions really quickly and Caleb just gave two brilliant examples of this can really inform your decision making if you understand what the threat is. So, yes, what’s your thought on that event, Luke, I guess, and that kind of approach of threat intelligence being a nice to have?

(TC: 00:31:04) 

Luke Donovan: Yes, so, I think if you class threat intelligence as a nice to have, you’re reacting to events, okay? You need to know what’s coming up and how you can prevent that attack, not reacting. There’s so many different ways a threat actor could target your organization and exploit you that you’re not going to have a game plan for every single event. Therefore, being forewarned is being forearmed, you know. You can prevent that. Now, obviously a lot of the organizations, there are budget constraints, there are resourcing constraints when it comes to human resources, okay? So, those are considerations which organizations have to consider. Large organizations, they might have threat intelligence teams. They might have dedicated incident response teams. The smaller organizations, they might not have those in place. But you still need that plan and you still need to understand where can you gather this information from? There’s a lot of feeds out there, threat intelligence feeds, which can help organizations. I think sharing within the threat intelligence community has increased fairly significantly. I still think there’s a lot of sharing which should and could happen. But, yes, ultimately, if you are reacting to a situation, you’ve lost straightaway.

(TC: 00:32:20) 

Caleb Barlow: You know, just to extend on that though, I think even the smaller teams, they’re probably now going to be working with an MSSP that maybe has access to that information when they need it. Or are paying someone to monitor this on their behalf. I mean, at the end of the day, you have to recognize that, you know, your typical SIEM, your typical security monitor, is looking for the known knowns, right? What we’re talking about here are the unknown unknowns, right, where intelligence can inform you of what you don’t know and you weren’t aware of.

(TC: 00:32:51) 

Luke Donovan: When it comes to outsourcing either threat intelligence or incident response, there are aspects which organizations should consider, okay? These are going to be your lines of communication. Who should they report into? How does that information get passed backwards and forwards, okay? Because if you’ve been hit by an attack, potentially your lines of communication have been impacted. So, how are they going to communicate? You’ve got to think about that outsourced organization, are they up for the job? You know, do they know enough about the organization as well? These are external to your organization. Making sure that they’re well informed so that they are going down the right paths when it comes to incident response or threat intelligence. So, just a couple of bits there to think about when you do outsource or if you do outsource any of that, sort of, content.

(TC: 00:33:41) 

Aidan Murphy: Yes, no, that’s brilliant. Thanks, Luke. And I did, I guess, just want to lead, yes, some of the practical advice. So, again, I know this is a really difficult thing to do. But, Caleb, now when you’re talking to organizations, let’s stick at the executive level, you know, if someone says to you, ‘What advice will you give me to improve my incident response? I lie awake at night and I worry about this terrible day.’ What, I guess, is a parting note to that listener, would you say, as maybe one or two things they should prioritize today?

(TC: 00:34:12) 

Caleb Barlow: Well, I think first and foremost is, you know, practice and rehearse, right? There’s actually some really interesting brain science behind this as well. When this incident occurs, it is going to be unbelievably stressful to you and your whole team. And, you know, what happens in crisis is that your brain naturally switches into that fight or flight mode. And there’s a different part of your brain making decisions. You know, so if we think of emergency room physicians, firefighters, EMTs, law enforcement, right? The way they get past this is to practice and rehearse over and over and over again so that their decisions are thought out ahead of time and that they’re operating off of runbooks. Now, this isn’t just so that you have something cool that’s documented for, you know, assessors and auditors. This is actually so that you can think through clearly the decisions you may need to make when you’re under stress and you’re under crisis and, you know, your veins are just full of cortisol and adrenaline, right? Because the reality is that’s what’s going to happen. So, practice and rehearsing over and over again to the point at which your response is muscle memory is what makes all the difference. And even when you get hit with something you don’t have a runbook for, you haven’t practiced or rehearsed, because you have imagined incidents that are close enough, you can easily adapt to that. You know, I can’t tell you how many times I’ll go in on an incident and you walk into the room and there are other people with the company that are introducing themselves to each other for the very first time. It’s the first time the, you know, the CEO’s maybe meeting their IR team and the first time everybody’s meeting the crisis comms team. That can never happen because when I see that, I can already tell you how that incident’s going to go. It’s going to be very slow, there’s going to be a lot of internal arguments. And the adversary’s going to outpace, you know, your best defense. So, getting in there and practicing, having a threat informed defense. I mean, those are the big things I would leave you with that can make a real difference.

(TC: 00:36:21) 

Aidan Murphy: And you, Luke? Is there anything that you would add on top of that or?

(TC: 00:36:24) 

Luke Donovan: I’m definitely in agreement there. I will bring up one additional use case, if that’s okay though. Fairly recently, I worked with a global bank. With that global bank, one of their suppliers had been hit by ransomware. The global bank received a notification off their supplier that said that their confidential information wasn’t leaked but because they’re a supplier, they were letting them know that they were involved in a breach. Now, that bank, they could have believed that notification. They could have said that, ‘Yes, our third party, they’re being honest with us. They’ve been involved in a ransomware attack and our content isn’t out there.’ But they didn’t take that at face value. They engaged with myself to go off, identify the ransomware content, review the content which was breached to see was their third party being legitimate? Was there anything to do with us out there on the dark web? When I reviewed the content-, okay, so this is, again, part of incident response. When I reviewed that content and I went through it, there was loads of stuff to do with the global bank out there which could have been used by a threat actor to gain access to their system. There were credentials and all sorts of information. So then, from a reputational damage point of view, that third party who was breached, who was going through their incident response policy, on the outside it looks really good, you know. They sent off the correct communications, it looked like they had a good, firm grasp as to what was breached. But then you drill into the detail and you realize actually there were some gaping holes there in terms of what was actually breached, what information was out there. Again, it’s just one of those examples of how threat intelligence and incident response can help you, not only for the initial, ‘What’s going on here?’ From a reputational damage point of view. And that communication is going out to the end customers.

(TC: 00:38:18) 

Aidan Murphy: Yes, and I think it really highlights the thing that we talk about a lot on this is about going to the source, going to the dark web, seeing what you can identify. Because that is the most, kind of, reliable first point of data.

Just before we finish up, I can’t end this recording without bringing up a TED Talk I watched in preparation for this that you did, Caleb, which was titled ‘Where is Cybercrime Really Coming From?’ I’m going to put it in the show notes and actually really recommend everybody watch it. But, as a quick summary, in that TED Talk you described firstly the devastating effects of cyberattacks, very sophisticated, kind of, banking Trojans. And then you talk about where cybercrime is really coming from which is actually something you’ve said on this podcast just now which is that mostly it’s coming from these organized gangs and not nation states, in spite of what some organizations may claim maybe to defer regulators for a little while. And you discussed then the dark web where they hold these operations and talk about a lot of the stuff that we talk about on this podcast. The slightly disturbing thing was that this TED Talk is from November 2016. So, eight years ago now. And I honestly think you could probably release it today and get away with it.

(TC: 00:39:29) 

Caleb Barlow: I think the funny thing is, it’s almost comical because it was, kind of, one of the-, it wasn’t the first TED Talk on cybersecurity but it’s one of the very early ones. So, it’s almost comical to listen to and a little bit frustrating because not a lot has changed. There are some interesting points in there, like I-, this is pre-pandemic, and I talk about the great response you’d see from countries over a pandemic. Not so much. So, you can get a good laugh out of that. But, you know, here’s the fundamental crux of all that, right? The vast majority of cybercrime or cybersecurity incidents comes from organized crime. That’s a fact. That can ultimately be mitigated. And the way to mitigate that is to stop paying ransoms. You have to change the economics for the bad guys. Now, that’s a very difficult thing to propose. But I think that premise still exists out there that a lot of this can go away. We just have to be willing to stop paying for it because if the venture capital goes away, then so too do the attacks. Unfortunately, to do that, a couple of companies that got impacted would probably have to fold. But I would argue, as I did back in 2016, that that might be a worthwhile price to pay. Because this is now a multi-billion dollar industry. Like, I mean, some statistics now have this over a trillion dollars a year. It’s easily over in the several hundred billion a year. To put this in perspective, like, that’s bigger than the GDP of most European nations. And, again, that’s just the crime side of this. So, you know, I think that might be a worthwhile listen if you want a little bit of a laugh. But the bigger point is, like, we haven’t moved the needle on that at all. If anything, things have got worse since that TED Talk.

(TC: 00:41:22) 

Luke Donovan: Caleb, can I ask you a question based off that TED Talk?

(TC: 00:41:24) 

Caleb Barlow: Sure.

(TC: 00:41:24) 

Luke Donovan: During the TED Talk, you mention about the importance of sharing information. Do you think, since that TED Talk took place, that the sharing of information, threat intelligence information, information to do with incidents, has increased, decreased?

(TC: 00:41:39) 

Caleb Barlow: I actually think that’s probably the one real win. Threat intel sharing is exceptional right now. I mean, the reality is if you develop a unique, let’s say, variant of malware, once that is detected and that, kind of, falls in the drag net of one of the larger companies, that is in everybody’s hands now in a matter of minutes. I mean, we’re not talking 30 minutes, 40 minutes, couple of hours. I mean, when I did that TED talk, it was days. This is now something that’s probably sub five minutes. That’s exceptional because what it means is the minute these things are detected, that campaign is useless. Or at least that variant of that campaign is useless. Now, that’s the good news. The bad news is we’ve automated the hell out of this and there’s not a lot of human beings involved. And I think we need to look no further than the updates from CrowdStrike to realize that when that goes wrong, it goes wrong on a very big scale. So, you know, the good news here is we’re all sharing threat intel. The tough thing is now we need to figure out how to do that with a very high efficacy without ever causing a problem, like what we saw in the case of the CrowdStrike updates.

(TC: 00:43:00) 

Luke Donovan: You very much covered off where I was going with that, Caleb.

(TC: 00:43:04) 

Caleb Barlow: Well, I mean, look at their response. Like, so first of all, George and the team there did an amazing job at being transparent, right? But when you read through their, you know, final lessons learned, the part that I don’t think they come out and say outright is, ‘You can’t do this without it being automated.’ Like, there is no way to do what they do if a human being has to approve it because it can’t happen fast enough and the volume’s too high. So, if that’s the case, and if you’re literally doing things that can mess with the kernel, there’s always going to be a risk there. And I think this moves from a situation where-, so, first of all, we need to accept that risk and I think the industry has. But there probably are some ways we can mitigate it, both in the CrowdStrike side as well as in every company, right? I mean, do you want to have a completely homogeneous answer for everything that you do? Maybe not coming out of that. And, look, I’m not trying to, like, get into the litigation side of this. But I think, depending on where this Delta lawsuit goes, the discovery of that could be fascinating. Not so much from a, ‘Who’s to blame?’ And all that. But, like, how dependent have some companies become on a single vendor literally having the ability to take down everything? And maybe we need to think about that in new ways.

(TC: 00:44:27) 

Aidan Murphy: Yes, I think it’s a really, really interesting point. One thing that I also-, sorry, just going back to the TED Talk, that I also think is a slight difference now, and actually we talked about it, again, earlier in the podcast, is that in the TED Talk, you do say, ‘We’re never going to know who these actors are who are attacking you.’

(TC: 00:44:44) 

Caleb Barlow: Yes, that’s totally changed.

(TC: 00:44:45) 

Aidan Murphy: ‘And they’re definitely not going to be brought to justice.’

(TC: 00:44:46) 

Caleb Barlow: You definitely know who they are.

(TC: 00:44:49) 

Aidan Murphy: Yes. And that’s I think-, I mean, just to try and end on a positive note, I think especially in the last year, we have seen a shift in that in terms of, you know, people like the guy behind LockBit being identified. Maybe not quite being brought to justice yet but certainly, with very little room to maneuver, I would say, from a law enforcement perspective, you know, he’s never traveling to the States. Let’s put it that way.

(TC: 00:45:11) 

Caleb Barlow: He’s never going on vacation again. Like, well, I mean, I think that’s a good example where governments get involved to help. I think the other reality is, you know, talking with people that do ransomware negotiations all day, they literally know who’s on the other end. Like, based on the response they get and the phrasing and everything else. ‘It’s Bob again.’ You know. And, I mean, this is a business. It might be an illegitimate business but it’s a business like everything else. There’s reputations, you know who’s on the other end, you know what they’re going to do, you know whether you can negotiate with them. So, think about how informative that is, you know. You’ve just been locked up with ransomware and the person that is negotiating that, whether they’re with Palo Alto or Arete or Coveware, they probably know who’s on the other end and they can inform you and go, ‘Hey, we know this guy. Here’s what’s going to happen next. And if you pay him, they’re going to do X and Y and Z.’ Right? Again, that’s threat intelligence. That is incredibly informative as to what you want to do next.

(TC: 00:46:11) 

Aidan Murphy: Well, going back to the OODA loop example, you know who’s in the other plane. You know whether they’re trained and you know their tactics. It changes -.

(TC: 00:46:16) 

Caleb Barlow: Exactly. And you know, ‘Hey, this guy’s going to settle for $100,000 so let’s throw that out there.’ Or, ‘Look, if you don’t pay this guy, here’s what he’s going to be coming back after and either, you know, harden your defenses or get ready to write a big cheque.’

(TC: 00:46:32) 

Aidan Murphy: Brilliant. Well, thank you both for joining me. I think that’s a good note to draw a line under this episode of The Dark Dive. If you have a topic you’d like us to discuss on the podcast, please feel free to get in touch through the email address or the social media accounts in the show notes. And if you can’t wait to find out more, remember you can always follow us for free on Apple Podcasts, Spotify, YouTube or whatever podcast app you use, and get all of the episodes of The Dark Dive as soon as they’re released. Until next time, stay safe.
