A View from the Front Lines of Cybersecurity

Captions
Yeah, I always thought the most revealing question was Robert De Niro or Brad Pitt, but I learned a lot sitting backstage and watching who stood up and who didn't, so I've got a good feel for the crowd. I consider it absolutely an honor and a privilege to be able to speak to you for the next, there's no counter, next seventeen and a half minutes, and I'll be joined a little bit later by Sandra Joyce. So I'm going to give a little bit of a historical perspective of my experience in cybersecurity from 1993 to 2017. Sandra Joyce is going to come up and give: so what did we witness in 2018? And then we're going to talk about what do we think is next, based on what we've witnessed.

One of the things I also want to do at the front is just thank all the men and women that are here at RSA, that cybersecurity is your calling, and I appreciate all the work that you do, and let's hope that that work becomes easier to do every single year. Everything I'm speaking about is based on direct observables, just things I've experienced. I may be wrong, I may have had different experiences than many of you as you were practitioners over the last several decades, or even before I started doing this.

My first job was computer security at the Pentagon, and I have to admit it wasn't my first choice. I got stationed as a second lieutenant to the Pentagon, and the best I can recall, all the other choices didn't seem very enticing, so I chose computer security as the least bad of the other five choices, and 27 years later here I stand. Can't do math very well: 26 years later.

So the first generation of cyber incidents that I saw comes from that perspective. I was in the United States Air Force, and at that time, when we saw intrusions, the first one that I saw was in 1995. From 1995 to 1998 the intrusions that we saw were servers being compromised. They were on the Internet, it was UNIX systems being compromised, and ultimately when we did the forensics the exploits were publicly available; the code to do the exploits was usually publicly available. It was a technical challenge. We didn't have lawyers showing up, we didn't have business line owners showing up yet, and anything we saw was either government on government or it was in fact an attractive nuisance.

Probably the first case that ever worked was in the summer of either '96 or '97, I should say the first case where I saw evidence that made me go, okay, this is going to change things, was when I was doing network security monitoring. I had a site where, back then, whenever we did consensual monitoring, we did have to brief the Judge Advocate General that we were getting fruitful responses to our monitoring on a daily basis. So for those who think the government watches everything all the time: at least when I worked for the US government we did not, and we had to go through lots of approvals to do so, and it was pretty aggressive when we did. We would monitor and minimize as much as possible.

On the first day that we did this network monitoring at a university, the first thing I witnessed, well, as of the next day, because we had to post-process, and get this, it was libpcap format files, we had to replay them, and right on replay we saw somebody come in from what at that time was registered as a Beijing communications bureau. They came into this university, used an account that used to belong to a student that graduated a year before, and from that account they did nothing more than, back then, telnet, and they telnetted to at least 25 military bases in the first connection that I saw. What was amazing about this session, what made it different from other things I'd responded to when I was in the Air Force, was I already saw division of labor. Somebody was logging in, they would hit Wright-Patterson Air Force Base, then Brookhaven, then Oak Ridge and Los Alamos National Labs; they were just validating credentials. So whoever was telnetting through that site, the very first command they did when they got a prompt was just to go to the next one, and all the user accounts and passphrases weren't the same. So they already had, in my opinion, someone over there who had figured out: let's vet the accounts we have, let's make sure they work, and then it was like a different person or a different group potentially that was coming in behind, using those accounts to do things.

But bottom line, 1993, that's when I started doing this. By 1995-96 we're seeing, at least in the cases that I worked, what we would have attributed at that time to Russia or China, but I have a very US-centric set of experiences at that stage.

Right around 1996 is when I think Windows NT starts to propagate. You can now point and click to do a server, people are going online to make money, and you're starting to get web servers running NT 3.86, you have IIS web servers going out there, and you're having the databases storing credit cards either on the same machine or just, you know, one hop away with no segmentation in between, and we see cybercrime hit this. So you have the ongoing state versus state, but now you enter a new operating system, you enter a new way to make money, and wherever money goes crime follows, and we started responding to many more incidents that involved making money.

Just yesterday I was talking to a reporter, Joseph Menn; he wrote a book on the Cult of the Dead Cow, and I started thinking about it. In the '90s everybody starts hearing about hacking because of things like what they did at the L0pht with L0phtCrack, what they did at the Cult of the Dead Cow with Back Orifice. And I remember my war story from that era; they're never really that fun, because I remember a lot of times when an attack came out there wasn't an available patch. We didn't have that battle rhythm yet as a community: find a zero-day, patch quickly, good to go. I remember an attack called the MDAC attack in 2000: there's a DLL that shipped with Windows NT IIS web servers that was vulnerable, and somebody was spraying the whole Internet, and I remember spending my Halloween, which in my 20s is still a great holiday, and I had to go from computer to computer at a major bank just patching machines to make sure it didn't happen. So cybercrime is here to stay. It's changed more recently, but again I didn't see a change.

So the third phase in my career of just responding to breaches, figuring out what happened and what to do about it, came when I got a phone call from somebody, and I could tell that the groups that I was responding to in the US military, that were hacking the US military, had pivoted to the United States defense industrial base. At that time it was a targeted spear phish, there was no defense for it. I felt that the private sector were sitting ducks for what we were going to see if this pivot occurred. That pivot did occur, and we saw espionage units starting to broaden their targeting, broaden the scope in which they operated, and now we have attacks that are government on government and government versus private sector, which I always said equated to your grandparents in an Ultimate Fighting Championship bout. It's not pretty. The governments will beat the private sector when they start doing that, and we have to live with that even today.

And you're going to see an acceleration then of phases, because for the first 20 years of my career of doing computer security there were only three phases. In August of 2013 all of a sudden we're starting to deal with something called the Syrian Electronic Army. We hadn't heard of them before, and it took me that long, 18 years of responding to breaches, before I saw a pattern between geopolitical conditions and what attackers were doing, and I had to hear it from somebody else. In fact I just would show up as a nerd and go: here's what happened, here's what to do about it, let's get out of Dodge. Suddenly we're responding to media, they're being compromised by the Syrian Electronic Army, and at that time there's use of chemical weapons in August of 2013 by Assad's troops against Syrian rebels, and the United States had a doctrine to intervene in the use of chemical weapons anywhere in the world. So there was basically a threat of armed conflict at that point, and we saw whoever the Syrian Electronic Army was, they were using hacking to get their message out. And I know I miss plenty of examples on that; hacktivism has been around a lot longer. But what I want to show you is the acceleration of phase changing, because in 2014 something else also happened, and we'll get back to 2018. In 2014, November that year, right before Thanksgiving, I got a call about the Sony breach, and one of our frontline folks responding to the breach says he thinks it's North Korea.

2015, August of 2015, something I've never seen in my whole career happens all in one month. We see in August of 2015 Chinese cyber espionage campaigns come way down, and they didn't change their methods, they just literally decreased the volume of attacks against the United States one month before our head of state met with their head of state to have a treaty signed. And in the same time frame we saw Russia do three things differently: one, start targeting universities, not for defensive purposes but to steal the email of anti-Putin professors; second, they stopped doing the counter-forensics and OPSEC that I was used to seeing in forensics; and third, we were responding to breaches, putting eyes on target, they knew we were watching them, and it didn't cease their activities, which meant they were getting a little bit more bold. So a lot of change in '15. In 2016 we saw additional changes. In 2017, I kind of dubbed it the year of Iran and the year of the self-propagating spreaders: you know, you have WannaCry, NotPetya and Petya, and these are things that are indiscriminate, go out and hack what you can and create lots of collateral damage. So you're seeing an acceleration of the phases that we're going through in cybersecurity.

Now I'd like to welcome to the stage our senior vice president of threat intelligence, Sandra Joyce. She's going to take the lessons we learned from frontline responders, from over 150 threat analysts that speak 32 languages that reside in 19 countries, and from thousands of our product customers, and she's going to bring that to light. So Sandra, would you please join me. Sandra, yeah, 9 minutes and 48 seconds, right, so let's get right to the point. Okay, 2018, let's see some of the observables there of what you saw and what the team concluded.

Well, as the head of threat intelligence I never get to tell good news, but I actually have some good news for you today. We publish M-Trends every year, and these are the indicators and the events that are happening as we do our incident responses and what we learn from there, and what we saw was that dwell times continue to drop globally. And this is very important, because most incidents that happen actually start with legitimate credentials, so you really need to pay attention to what's happening post-breach. And what we saw was the median global dwell time drop, in 2011, from 416 days down to 78 in 2018. So that's good news; we have more good news later, but we want to spread it out.

So I want to get right to some of the modern nations, and by the way, we're not anti-China, we're not anti-Russia, we go where the breaches are. We do attribution because we think if you hold people accountable you can at least impose risks or repercussions, or at least have dialogue about rules of engagement. It just so happens that the first country I would like to talk about is North Korea and some of the observables we have on what they did in 2018.

Right, so we have two groups I want to talk to you about from North Korea that we looked at in 2018 very specifically. One of them is APT37, and this is a North Korean sponsored group, and the reason it was really interesting to us in 2018, and we wanted to tell the global security community about it, was because we watched this group, we used to call it Reaper, just target very locally to the peninsula. But then we watched it evolve over time: we watched it become more technically sophisticated, it started to use and exploit zero-days, they started to target internationally, and we even had some evidence that they had destructive malware. They hadn't used it yet, but we thought this was definitely something we needed to keep an eye on.

And North Korea continues to punch above its weight class, definitely, and that's four out of North Korea. I'm fascinated by the next group. Right, the next group is APT38, and the reason this is really interesting is before we used to always think of nation-states really as purely espionage, doing the things that carry out national security goals, and what we saw was a group, APT38, that was actually financially motivated. Remember that North Korea exists pretty much outside of the international financial system, they have the pressure of sanctions, and APT38 was incredibly sophisticated, using espionage skills to steal money from financial institutions all around the world. So this was basically bank robbers with the skills of spies. And not just that: once they would move the money out, and I'm talking hundreds of millions of dollars, once they would do that they would deploy destructive malware to distract our incident responders. So this was something we definitely wanted to put out publicly so that people could be aware of it.

That's fantastic. And now North Korea is not alone, a lot of other nations are developing offensive capability and following. So you know it's not like they published their cyber doctrine, here's what we will do and here's what we won't do. What did Iran do in 2018? Iran was really interesting, because APT39 is a group we've also been tracking for a while, but what we saw with this one that was really unique was that it was carrying out national security goals that were really targeted to individuals. So telecommunications industry, travel industry: they were less about the organizations they were targeting and more about actual individuals that were of interest to the Iranian government. Okay, and again, I dubbed 2017, from my perspective inside of the walls of FireEye, the year of Iran. It was a year where we responded to breaches from Iranian threat actors, or what we would have attributed to Iranian threat actors, almost as much as from Russia or China, so I think they're getting much more active, and by the way we have internal bets on what's the next nation we're going to start seeing out there as we do our attribution.

We have to have a conversation about China and how prolific they are. Right, and China never really stopped stealing intellectual property, but what we saw them do differently was they started to change from commercial IP theft after the Obama-Xi agreement, and we started to see them actually really focus on military and dual-use technologies. One group in particular, APT40, really stood out to us, because they've been doing traditional espionage for a long time, but this is something where they're really promoting a very international agenda through the Belt and Road Initiative and also to uphold the maritime and naval capabilities of the Chinese government. And so we've watched a group that we used to call Periscope, APT40, go ahead and target organizations that have anything to do with the Belt and Road Initiative to further their agenda.

And then, you know, the big four: when you look at Western targets and what nations are attacking those Western targets, what could you tell us about what Russia's activities were like? Well, Russia continues to be very disconcerting for us. You know, when we think about them in 2015-2016, Sandworm Team targeting the Ukrainian electrical grid, and then they moved on in 2017 to an ICS framework where they used Triton malware, and the thing that was really disconcerting about this was that it wasn't just about, you know, espionage or anything like that. They actually targeted the safety systems of an ICS plant, and that means that that was the last step. I mean, the safety systems at an ICS facility are the last thing between, you know, that risks human life there. So that actually resulted in the shutdown of the entire plant, something that we don't think was actually intentional.

Wow. So Sandra, we've got three minutes and 40 seconds. What's next? So we brought you through from 1993 till now as fast as we could talk, New Jersey auctioneer speed. What's next from your perspective? Unfortunately, if things continue the way that they are, with brazen actions, increasingly destructive and disruptive attacks with no guardrails on it, I think people are going to get hurt. I think people are going to get hurt. You want to expound on that? Well, what we're seeing is that sometimes even the main target of what some of these destructive attacks are doing don't actually end there; we're seeing secondary and tertiary effects. You know, if you look at NotPetya, that might have been targeted at Ukraine, because it actually used a software update mechanism in M.E.Doc, which is a tax preparation service, but we all know what ended up happening: tens of billions of dollars in damage actually resulted from that, and we're not sure that that was actually the original intent. So as these things continue to get out of control, we really need to think about what steps could be taken to curb those threats.

Well, Sandra, I want to thank you very much. I love this overview of 2018, and in the next 2 minutes and 20 seconds I'll tell you what I think is next. Thank you, Sandra. By the way, somebody will be saying, well, where's the United States in all this? We report what we see, so if the United States is on offense they must be doing it in countries that don't hire us to respond, and they're not hacking for money in the United States.

So what is next from my perspective? One of the things that I do believe in is we are going to have to come up with a set of rules. The asymmetry between offense and defense: it's always harder to defend. I've always used the 1980s analogy, that's how long I've been doing this. It's when you're up against nations, and every time we meet a victim compromised by one of these groups, they're not just military, it's not the government, it's the private sector being compromised, and they're starting to go: why would a nation hack us? It's because we don't have established rules, and we're starting to set baselines where we expect certain industries to withstand cyber military attacks. So I think it'll go a long way for all of us to figure out how do we stop the escalation in cyber. And when I look at 2018, by the way, it's my conclusion, and I try to read all the forensic reports, I didn't see an escalation in '18 compared to '17. It's almost like the whole global actor sphere said, hey, let's kind of plateau a little bit. The thing is, all we can determine about doctrine is by what we observe, and I know there are groups working on doctrine, but because of the asymmetry that one good hacker can create the work for all of us defenders, it's just an unfair fight right now, and it'll change the way of life.

The second thing that I think will happen is the world's already starting to balkanize the internet based on expectations of privacy, anonymity and identification, period. It's just starting to happen. You see it with data sovereignty issues; you can see that privacy is a cultural decision by either the regimes that run countries or by the populations, depending on government type, and it doesn't appear that one set of rules fits the whole internet, and we should expect that. But what I'm witnessing over the last few years, as I travel the globe, I do feel like there's more of a compartmentalizing of the data, countries kind of circling the wagons on their perimeters, and the great thing that connected us is kind of coming and closing in a little bit. And the last thing I'd say is, as we come up with rules for how countries should behave during times of peace, we'll have nations that abide by them, nations that don't, nations that wish they could but don't even have the IT infrastructure to prove they are the citizens, and the nations that can't abide by those rules will end up having drastically different experiences on the internet than the folks that are in a more free world. Thank you very much for your time. Appreciate it.
Info
Channel: RSA Conference
Views: 36,741
Rating: 4.8640428 out of 5
Keywords: rsaconference, Business Perspectives, infosec, Keynotes, rsa, information, rsac, security, cybersecurity
Id: 7EH7ehAY3_w
Length: 20min 49sec (1249 seconds)
Published: Wed Mar 06 2019