Cool. Do you want to get started, Joe? Yeah, let’s go for it. We got a good group of people on it, looks like. Yeah, absolutely. Well, cool. Yeah, I’ll introduce you really quickly and then I’ll pass it over because it’s your show. Thanks everybody, for joining this Wednesday morning or afternoon, depending on which part of the world you’re in.
We’ve got a great show for you today. Joe is going to be on talking about preparing for cyber war, defending against nation state attacks and retaliation. This is a great show that Joe’s done once before and he got some great feedback, so we thought we’d bring it to all of our fellow PlexTrac webinar attendees. So, yeah, Joe, let me pass it off to you and you get started. Great. Good morning.
So my name is Joe Pierini, and as Dallon mentioned, I’m here today by special permission from PlexTrac, where I’m actually the product evangelist. I’m a 20-year-plus offensive security veteran. I began my IT career back in the 90s with Windows IT administration. So actually I had my fair share of systems breached, and I grew really frustrated because I didn’t know why, I didn’t know how. And back in the 90s, there was very little guidance or direction around cybersecurity. Back in the 90s, it was the Wild West, and most of us were still winging it for the most part. In fact, I remember one company I worked for, every single workstation in the company had a live IP address on the Internet with only the Windows 95 local firewalls preventing disaster.
So every month, I’d go scan our corporate network from my residential ISDN line and I’d look to see what was left open. So this kind of fired my interest and passion in cybersecurity. And over time, I acquired the skills to perform internal, external, application, wireless, and mobile testing. And more importantly, over time, I hired really, really good practitioners who could share what they knew with me. And that improved my career immensely. This career has allowed me to travel the world, helping organizations increase their security. And in doing so, I’ve gathered experience and a unique perspective that has permitted me to create leading pentest practices and author a large number of methodologies and guidance docs.
So I’m honored to be here today to discuss what I think is a timely and important topic. And as Dallon mentioned, I’ve given this one time before under some interesting constraints. Due to political reasons, I couldn’t actually name the countries that were suspected of attacking United States public and private targets, but now I can. So I can say Russia, and I can say China, and I can say Vietnam, but if you catch me just kind of being vague, it’s because the speaker notes probably still need a little updating.
All right, so welcome to our session, Preparing for War: Defending Against Nation State Attackers and Cyber Retaliation. So, a lot has happened since the first time I proposed this topic. I wrote the first draft of this presentation before the war, and I can say the Ukrainian war, that has kept us glued to our TV sets. I still follow it on Twitter, social media. When I first started considering this topic, there was an equal amount of speculation and a huge amount of saber rattling. What’s happened since has been less than we’d feared, and unfortunately, this talk remains timely and relevant. So today, I hope to touch on these learning objectives that you see on the screen with a combination of old and new information and a little bit of personal advice.
So to start, we need to begin with acceptance that cyber attacks are actually happening. This is war. Americans have been pretty lucky. We have not had a significant or an extended war on American soil since the war of 1846 with Mexico. Now, this has led many of us to be reluctant to admit when we’re at war or even when we’re at risk. So we’ll discuss that and how to value your assets in a global cyber war. It’s not just stolen credit cards, health records, or PII that’s at stake.
We’ll talk about how your assets can be monetized and for what purpose. It’s important to understand this, as well as how any of these things will affect your decisions of prioritization and resilience. Now, I want you to review your current plan, and after this talk, do so with a fresh set of eyes, and we’ll touch on where to invest in defensive measures, and we’ll identify some of your allies and resources. And then finally, we’ll build a quick checklist of steps that you can take to protect yourself and remain resilient while under attack.
Now, we’ve had numerous advanced warnings, yet each time an attack occurs, we appear surprised.
As far back as 2002, smarter people than me have been having thought exercises on the impact of cyber war, 20 years before the ubiquitous internet technologies that have more of our attention and control more of our world. In 2003, the Cybersecurity and Infrastructure Security Agency, or CISA, had a cyber strategy that included dozens of references that cyber attacks can burst into the nation’s networks with little or no warning and spread so fast that victims will never even have a chance to hear the alarms. Now, even with forewarning, they’d likely not have the time, the knowledge, or the tools to protect themselves. Now, in June 2011, the US Defense Secretary, Leon Panetta, used a cyber Pearl Harbor warning more than once. Now, in his Senate confirmation hearings, he said, I’ve often said that there is a strong likelihood that the next Pearl Harbor that we confront could very well be a cyber attack, adding that this is a real possibility in today’s world. Now, we’ve been talking about it since 2003, 2002, probably even as far back as in the 90s, but there are still detractors to the cyber war theory.
Some have argued that the online attacks we’ve seen are either espionage or sabotage, because it doesn’t count as war until somebody dies. We’ll actually touch on that in a little bit. Now, other people like to point out that squirrels have caused more blackouts than hackers, suggesting, as the Guardian put it in 2016, that cyber warfare remains a slightly overblown fear. All right, maybe I’ve had my fair share of birds and squirrels blow out power and our Internet went down, but it doesn’t detract from the fact that people are still targeting us.
Now, if we look at what’s occurred in the past... sorry, I’m looking at this and thinking, oh, look, I don’t have the speaker notes, so let’s talk about this. We are at war. It goes back as far as 2010 with the Stuxnet worm; 2014, 2015, 2016; recently, with SolarWinds; 2021, Constant Contact was nailed and the US Agency for International Development released a whole ton of records. We have proof of nation states targeting the United States, and we should probably pay attention to who these people are and what sort of threat they pose to us. So we need to know the enemy. Who are we up against? If you’ve seen the movie Hackers from 1995, you’ll probably recognize the quote from Agent Gill, who went, “Hackers penetrate and ravage delicate, private and publicly owned computer systems, infecting them with viruses and stealing sensitive materials for their own ends. These people, they are terrorists.”
It’s a wonderful quote, but according to the Cybersecurity and Infrastructure Security Agency, or CISA for short, it’s not the black-hoodie, Red Bull-swilling hackers of the movies that are the enemy. In fact, they say that the large majority of hackers do not have the requisite tradecraft to threaten difficult targets such as critical US networks, and even fewer of them would have the motive to do so. Okay, I might agree about the motive, but when it comes to the tradecraft, excuse me, I’m personally insulted. Yeah, there’s a segment of the hacker population that’s nothing more than script kiddies, right? They can cut and paste and they can run Nessus, that sort of attacker. But to be dismissive of the rest of us in such a broad stroke gives a false sense of security to the US private sector. Now, while it’s true that US hackers may not be politically or financially motivated to attack critical infrastructure, you know what, there’s relatively little stopping hackers in foreign nations from turning their attentions toward assets here in the US should the motivation arise.
Now, the hacker collective Anonymous might also take issue with this assessment. Their recent exploits include infiltrating state-controlled television, doxing, or detailing the contact info of, 120,000 non-US soldiers, hacking a central bank, as well as multiple government, corporate, and news websites. So before you start dissing our tradecraft, maybe you should spend a little time in an Anonymous Discord or on the less popular, more seedy edges of Twitter.
Now, when people talk about hackers and breaches, they talk about the APT. Now, what is the APT? Well, the APT is defined as the advanced persistent threat that uses continuous, clandestine, and sophisticated hacking techniques to gain access to a system or remain inside for an extended period of time. Now, any group can be considered an APT, and many times the term is thrown out there as sort of a cop-out, like, hey, it’s not our fault, we were hit by an advanced persistent threat using a sophisticated, long-term and multi-staged attack by a group of highly skilled and motivated threat actors.
So, strangely, all these sophisticated, long-term, multi-stage attacks usually have really super simple initial vectors in common, like social engineering and phishing. So should we really be using the moniker of APT if it’s not all that advanced? Yeah, I get it. It sounds a hell of a lot better than, Oops, we screwed up, and they were in our network for a long time. That’s also too much of a mouthful. So APT seems to work better. Now, more seriously, in terms of the threats the US faces, nation state hackers are the most serious.
Now, the Heritage think tank says that two countries present the most sophisticated cyber threat. Now, like I said at the last conference, I couldn’t name them, but I can tell you that in April, the United States secretly removed malware from computer networks around the world in recent weeks as a step to preempt cyber attacks and send a message to Russia that they were a step ahead of their adversary. And in July of 2021, US allies were formally accusing one state-based hacking group, China, of being behind the exploitation of an estimated 250,000 Microsoft Exchange servers worldwide earlier this year.
All right, let’s move on to learning objective number two: understand what value your assets have in a global cyber war.
Now, in the past 25 years or so, online retail channels for stolen data evolved from the BBS dial-up forums to online chat rooms to specialized web forums and now online anonymous marketplaces, also known as the Dark Web marketplaces. Now, these Dark Web marketplaces for online activities and transactions are, I want to say, largely untraceable, but I also know that’s not true if you screw up. So it depends upon how good you are at using the tools you have. Now, one of the reasons that cyber crime continues to grow is that criminals have become better at monetization, in part because of the availability of cryptocurrencies. Cryptocurrencies, for whatever opinion you have regarding Bitcoin and the others, they do make cyber crime easier by increasing the anonymity and by simplifying money transfers. It’s harder to track. Now, historically, after state sponsorship, the sources used to finance war have been from the sale of resources under the control of the invading army.
So we’re going to pay for this war. We go in, we steal their oil or their gas or agriculture, or there’s money in arms or drugs, or if you attacked a certain country, there is the sale of antiquities, or even there’s really good money in kidnapping. But economic sanctions make it more difficult to use traditional means of financing or reap the rewards of the spoils of war, making alternative sources of revenue necessary. And this is where bitcoin and cyber currencies have really kind of dropped in to fill that niche.
Once breached, your company will be broken down piecemeal and sold to the highest bidder. So it’s not just your intellectual property or trade secrets that are at stake. Your assets include your financial information, employee and corporate bank info, ACH and credit card data. Your HR data has value on the Dark Web, from user PII and Social Security numbers to health data. Plus, your Internet-facing systems can become warez and piracy servers that allow for downloading malware or hosting terrorist recruitment sites. I’ve spent enough time in your networks to know that the individual PCs, servers, and file shares can be plundered for your employees’ financial records, their credentials, their banking, their credit cards, their stock trading information.
I get it. Because they spend more than a third of their lives at work, they often feel like this workstation is theirs, and they can use it as an extension of their personal lives. It’s not that uncommon to see that they keep all of their work and personal password files in a file named password.txt, along with their E*TRADE and their Tinder account info.
Just as an aside, there’s an uncomfortable intimacy that occurs when I’ve breached a network. I mean, I’ve read the vows that people were going to use in their upcoming weddings, and I’ve seen the evidence they’re going to use in their upcoming divorce.
My teams have seen who’s cheating on who and who’s ripping off the company. We just wanted better passwords. But you guys shared a heck of a lot more. Now, fortunately, we are the good guys pretending to be the bad guys. But think of the disruption someone could do if they got creative with that information. I mean, how would someone react if they got an email saying, hey, we know you’re cheating with Sarah in sales, and we’ll tell your wife, unless you download and install this little bit of software on your system; hey, you do that and this will disappear, this would have never happened.
Your wife will never find out. I mean, your people are just as valuable in this world as your systems. And as they say, all’s fair in love and war.
Why a cyber war? Well, bullets are expensive. The packets are relatively free. The procurement of arms requires capital and a wide network of people to bribe, cajole, or threaten in order to acquire and transport the materials of warfare across borders. It ain’t easy. The borders of cyberspace are far more circumventable, and they have few sentries or guards. Cyber wars, too, you know, they’re a really good distraction.
So far, we haven’t seen an extended nation-crippling cyber war, but we have seen effective pockets of distraction. In the latest conflict in Ukraine, attackers used destructive malware to destroy computer systems and render them inoperable. WhisperGate wasn’t ransomware. It was built with the purpose of destroying systems. And HermeticWiper was built to destroy the boot record of a machine. These attacks hit critical targets in the theater of war by providing a smokescreen and a disruption for upcoming kinetic attacks. So they were effective.
And despite knowing full well that attacks of this nature were on their way, they were still able to create an impact in the field and consume resources that should have been used someplace else.
Now, we cling to the idea that our cyber attacks have never killed anyone. So this ethically ambiguous position gives us an uneasy comfort, with health care systems traditionally considered off limits to attacks. Now, it gave us perhaps a holier-than-thou place to launch our attacks from. But things have changed. It’s gotten ugly. This rule of staying away from hospitals and schools is no more. And as a result, recently, a patient died when she was forced to seek health care at a more distant hospital, unaffected by the malware impacting the hospital that she needed to receive treatment from.
This is the first time we’ve been able to trace a death to the packets launched at our targets.
If that was your line that you didn’t want to cross, that you said didn’t make it war, well, that line has been crossed. We’re at war now.
And I know you’re thinking, okay, but what has this got to do with me? Right? If I run a company, probably we’re not a huge caffeinated beverage company out of Atlanta, Georgia. We might be a small ecommerce place. We might be a new startup. What has it got to do with me? Well, sometimes you’re the target. And if you’re not the target, you’re at least the stepping stone. I mean, ransomware incidents have disrupted critical services and businesses worldwide: schools, banks, government offices, emergency services, hospitals, energy companies, transportation.
There were disruptions in the supply chain for meat packing. I mean, ransomware attackers have targeted organizations of all sizes, regardless of where they’ve been located. And the global economic losses for ransomware are pretty significant. Ransomware payments reached over $400 million globally, especially with the use of cryptocurrency to help fund the attacks more easily than with fiat currencies. We’re also seeing an uptick in ultra-high-net-worth individual attacks, key executives, and other high-risk individuals that can be targets for kidnapping for ransom. Several of my pentest practices engaged in open source intelligence gathering and corporate breach attempts with the sole purpose of determining what was the risk to the corporate executives and their families, because there have been numerous cases identified of ISIL, al Qaeda, and their affiliates engaging in kidnappings for ransom and extortion in order to generate funds.
All right, I get it. There’s a war occurring. I have my systems and me, we have value in this war.
What do the attackers have that I don’t? Well, these well organized groups have four things that your pentesters and consultants don’t have. For starters, they have nearly unlimited time and money. They’re also fueled by a nationalist motivation. Money gets me up in the morning, but it’s not enough, really, to want to go out and try and take down nation state resources.
That nationalist motivation lets them get fired up, organized quickly, and they can then turn their attention to a target like a dog with a bone. Let’s use an example: the Colonial Pipeline attack. That hack took down the largest fuel pipeline in the US, and it led to shortages all across the East Coast. Now, hackers gained entry into the networks of Colonial Pipeline at the end of April through a virtual private network account, which allowed employees to remotely access the company’s network. I mean, that’s what it was there for. It wasn’t for the bad guys.
It’s interesting to note that the account they used was no longer in use at the time of the attack, but could still be used to access Colonial’s network. I mean, they just never shut it off. And the account’s password had been discovered inside a batch of leaked passwords on the Dark Web.
I’m not surprised a Colonial employee used the same password on another account that they did for this corporate account, and that other account had been hacked through something. Now, the VPN account didn’t use multifactor authentication, a basic cyber security tool that would have prevented a lot of this. So it allowed hackers to breach using just a compromised username and password. So take a step back. Let me explain, then, how this kind of thing happens from the attacker’s perspective, where some of the things were screwed up. So they set their sights on Colonial Pipeline, and so you’ve got your target, and then you do your open source intelligence gathering. For any pentest, red team, and real-world attack, OSINT is where it’s at.
You’ve got to spend a fair amount of time finding out what are the assets that are out there, what services are they running, what are the user accounts, what do they look like? Who are the users there? I mean, you’ve got all sorts of sources that you can go through. The point is that in this attack, the hackers did a better job of asset management than Colonial Pipeline. I mean, Colonial Pipeline had forgotten all about this VPN and all about this account, but it was discovered by the attackers. So once they found it, they found the VPN, they tested it. They determined that there was no MFA, and they pulled a list of compromised passwords. Now, I don’t know where the password came from. We could get cheeky and say it was corporate email and Ashley Madison.
We’ve seen in our attacks, we always go and try and pull the most recent breaches, grab the credentials, and use those against our customers when we’re doing a pentest engagement. And we have seen where, for some stupid reason, they’re using their corporate account for non-corporate and sometimes dicey, sketchy sorts of sites. So it happened, and once they got it, they were in. That’s it, it didn’t take much. They just did a better job of asset management and knowing what this customer had than the customer themselves.
All right, so next we get it.
We’re not doing a great job of protecting our networks. So what is there for us to do? We need to have a plan in place, and most organizations have some sort of plan in place. So let’s review that plan. What does that look like? Now, I apologize if this offends any of you, but your plan, if you have one, sucks. And I know this because for the last 20 years I’ve been in your networks and I’ve had a front-row seat, an up-front, personal view. All right, maybe it’s not 100% accurate. There have been some companies that have whipped my ass, but those companies were focused on keeping out the bad guys, not just keeping out pentesters.
And that’s an important differentiation.
A lot of tests result in the company becoming really good at setting up controls for a discrete and artificial set of circumstances where the rules of engagement are well defined, but the time is really limited. And it’s set up really not for a real-world attack, but for that Red Team or for that pentest. So you get really good at preventing pentesters from hacking you, but you have no idea what it’s going to be like in a real-world attack. Now, the companies that have whipped my butt all shared the same cyclical philosophy of evaluating their environment, testing it with as few constraints as possible. We do have to throw some rules of engagement in there for uptime because we don’t want to knock stuff over.
And then they do the testing, they reduce their footprint, they mitigate their weaknesses, and they repeat. And they do this over and over and over again, trying to make this as realistic as humanly possible, as the budget and time will allow.
And this is the issue that I’ve seen in many organizations, that they really don’t know where they’re at in terms of their security maturity. Now, this is a framework that I’ve put together and that I speak to a lot. The security maturity framework is designed to give companies an idea of what testing phases are necessary as they move towards total security. Now, we start down at the end with vuln scans, and these are automated high-volume tests; they’re noisy as hell, they produce a lot of false positives. But this is where you need to start. You shouldn’t be jumping ahead. Get here.
Pentests are time-restricted tests, oftentimes with a specific goal in mind, like, we want you to come in and we want you to go after the HR data, or we want you to go after our CSO, or we want you to go after our SQL database people. You’ll spend about ten to 20 grand and you’ll have your report in about a month or so. Now, these are not intended to test your detective controls, so don’t get excited if your security operations center sees the attacks occurring.
I mean, we’re not trying to be covert or sneaky or clever at this point. We’re trying to cover as much ground as possible to find as many of the low-hanging weaknesses as we can. But if you don’t see any of the attacks during this, then you should panic. Then you’re not doing a good job at anything. Now the next step. If you’ve done vuln scans and you’ve moved on to your pentests, you’ve done a few of those, and your remediation list is becoming smaller and smaller, and you’re feeling good about your security, then you can have a Red Team exercise. Now, a Red Team exercise is a covert engagement designed to exercise and train your Blue Team and your SOC.
Now, they’ll take a low and slow approach to testing, and as a result, it will cost you more. But it’ll be a closer example to what your teams might see in a real-world attack. A Red Team exercise is there to train the Blue Team, to make the Blue Team better, and they’ll use a combination of off-the-shelf and bespoke tools. Don’t expect them to blow zero days on your network at anywhere between 20 and 100 grand. You haven’t really paid anybody enough to break out the big guns. That’s where we move up to adversary emulation and adversary simulation, and they are different. Emulation is a test that answers the question of, can we survive an attack by a well-known APT group targeting our industry or vertical?
Now, these teams will use the MITRE ATT&CK framework or Sites Library or similar APT repositories, and do not move to this level of testing until you’ve gone through a significant number of Red Team exercises or some seriously deep pentests. Adversarial simulation is different from emulation because in emulation they’re just repeating what APT23 or one of the other groups has done, well-known attacks, and they’re going to follow it, and your team is going to look to see if they can see the attacks, if they can identify them and stop them. Adversarial simulation is performed really out there. There’s a limited number of practices that are any good at it, and testing is entirely bespoke, and it’s designed with the unique characteristics of your organization in mind. You want to know if your oil rig or processing facility could be breached, if your organization could lose millions in unauthorized financial transfers, or if they could make your planes fall from the sky. I mean, these are the tests that you want.
Remember, though, the level of effort is equal to the value of the target, and the small business is going to attract ransomware affiliates and low-level hackers. I mean, they’re easy to get into. They’re a quick hit for money.
State-owned airlines or power grids or critical infrastructure will attract only the best, with the confidence that they’re going to get in. Now, a script kiddie may get lucky, but most of the time, the sort of people that are attacking the very valuable targets are the ones that have the most elite skills. All right, to begin your evaluation, start with where you’re at in the security maturity framework, right where you’ve been focusing your time and attention. Use the success and failure of each step to identify the effectiveness of the previous step. I mean, if you’re getting continuously breached during a pentest, you’re not ready for a Red Team. So you might need to go all the way back to the vulnerability scan phase and determine why. Maybe it’s that your environment is too dynamic or the cadence of your scanning is too low and you would need to increase the number.
Or maybe your patch management program can’t keep up and you need to make investments there. Maybe it’s your asset management is weak and you don’t know everything you own. Whatever the case is, focus on the stage you’re at to ensure you’ve nailed it before you move on.
All right, so you don’t have unlimited time and you don’t have unlimited budget. So where should you spend your money? I’m going to pull a consultant phrase that I hear all the time, which is, it depends. Every consultant in the world will give that answer, and every client in the world hates it. But I don’t know where you’re at exactly. I have, however, created a short list of recommendations that should cover nearly every situation.
This is what I want you to do instead. There must have been a TED Talk three, four or five years ago just on Red Teaming, because suddenly our phones blew up with organizations who had no business asking for Red Team exercises, trying to get them set up. And as I said before, a Red Team covert exercise is usually best once, A, you’ve got a Blue Team, and B, you’re ready for that level of examination. But as we’re preparing for war, we want to learn as much about the effectiveness of our defenses as possible without being sneaky or clever. Time here is of the essence. Skip straight to the overt testing.
Tell your attack team everything. Everything you know about the environment. Obfuscation is not a security control, and when we’re just weeks away from war, we need answers ASAP. We don’t need to play games. Spend a day or two walking the team you’ve hired through your architecture and controls; they might be able to immediately see flaws you could correct before the start of testing.
As I mentioned before, OSINT is exceptionally important, so give them extra time to perform open source intelligence gathering.
This phase of a test has the team looking into the environment at the IP, the domain, and the personnel level to find information you might have missed. As part of a collaborative testing strategy, that team should come back and ask about the new assets and let you adjust the scope to include them, and then give the team as much time as you can afford to perform the test and then get the hell out of their way. I’m not suggesting that you let them run wild for weeks at a time, but simply that you would spend more time than you normally would. And please respond quickly to any requests. I mean, I’ve been on engagements where we burned out hours when the team was blocked or had questions, but the important people, the people who could answer them, were gone. They were off at lunch. They just weren’t engaged in the process.
And they need to be there because your company’s life could very well depend on them. And then once you get results, please do the remediation. I can’t tell you the number of tests that I performed where I found exactly the same things that we found in the prior test a year previous. If you’re unsure of what to prioritize, use the pentest team to help. We genuinely are on your side, and I promise we have the experience to assist in prioritizing where you can get the best bang for your buck. I would even go so far as to suggest that you ask them if your planned remediation will work. I can think of a couple of instances where my client went off, spent half a million dollars on security controls that we were able to break or bypass in just a few hours.
Most companies are solution agnostic and aren’t there or shouldn’t be there to sell you a specific solution. I mean, without exception, all of us want to see you succeed, and we don’t really care how you do it. Now, once the dust has finally settled, get your Pentest team together with the blue team and go over the attack step by step. Make sure that everybody understands how the test was performed and how the attacks were chained together. Your goal at this point is to take the mystery and magic out of the test.
Have a contingency plan. I like tabletop exercises because they’re excellent for asking the what-if questions that you can use to build contingency plans. In a tabletop exercise, you can ask questions like, all right, well, what if we don’t fix this step in the attack chain, what would happen? How would that make our defense different? Ask all sorts of different questions, like what happens if the CISO is on vacation? Or if the network guy is out sick? Use the results of these tabletops to modify the scenarios and build contingency plans. You don’t have to have the answers to everything, but what this will do is build a corporate muscle memory so that when real attacks occur, you can immediately jump into action.
All right, now let’s identify your allies and your resources. You’re not alone in defense of your systems. When you’re attacked by nation state attackers, you should have access to nation state defenses.
There are allies at many different levels: the local, the federal, and the international level. At a local level, we have the High Technology Crime Investigation Association, or the HTCIA. Now, this was formed to provide education and collaboration to global members for the prevention and investigation of high-tech crimes. At a local level, they bring in some of the highest quality practitioners in digital forensics and incident response. I participated in these meetings for about the last five or six years or so. You know what, I find them to be a wealth of information and they allow me to network with law enforcement at a local and federal level in my area.
And building those relationships now is important should you ever need a quick response in the future. Now, at the federal level, the FBI is the lead federal agency for investigating cyber attacks and intrusions. InfraGard is a partnership between the FBI and members of the private sector for the protection of US critical infrastructure. They have a few tools: the iGuardian system, where members are encouraged to submit intrusion specifics directly to the FBI, including digital malware infections, website defacements, denial of service attacks, and so on. The iGuardian program likewise affords InfraGard partners access to information and intelligence derived from related incidents.
Then there’s the Cyber National Mission Force, which kind of sounds like something Tom Cruise should be a part of, but the CNMF is responsible for tracking and disrupting specific nation state actors in foreign cyberspace in defense of the nation. It’s the only cyber force within Cyber Command that essentially conducts offensive and defensive operations, where defense of the nation’s infrastructure includes private sector assets. The CNMF will work with industry leaders to aggregate information on attacks as necessary. Then you’ve got the Department of Homeland Security’s CISA. They’re a huge ally in our national defense and partner heavily with the private sector.
And then if you have business units across national borders, you want to get in touch with Interpol. They have expertise in international cryptojacking and they have the ability to take down command and control systems in foreign countries. So once you’ve identified that our attack is coming from here, these are the systems, these are the guys that can bring it down.
Now let’s understand your resources, and this is a short list of resources that many defenders have told me are valuable to them. Now, for starters, get to know CISA, the Cybersecurity and Infrastructure Security Agency. They have a ton of free cybersecurity tools and services to help organizations further advance their security capabilities. They’ve got a repository of cybersecurity services that are open source tools, free tools and services provided by private and public sectors. A lot of information. One of the ones I like a lot is the Known Exploited Vulnerabilities, or KEV. It’s a relatively new resource providing details on emerging threats to public and private.
The Known Exploited Vulnerabilities are issues that CISA has specifically stated are being currently used in the wild. It’s kind of crazy. One of the ones, in fact the oldest one, is from 2002. It was a Microsoft Windows vulnerability, and despite its age, it’s currently being exploited with sufficient frequency and impact that it shows up on their radar. It was CVE-2002-0367. Even MS08-067 isn’t on the list. So I find the decisions to include certain items particularly telling, and we need to pay attention to that.
Now, there’s also Automated Indicator Sharing, AIS, with CISA. They provide a real-time exchange of machine-readable cyber threat indicators. And to complement that, Mandiant keeps a list of current threat actors that includes the target sectors. So you can say, in my vertical, who are the groups that are attacking us? And if you’re at the point where you’re doing adversarial simulation, you can use that information to set up your red teams and adversarial simulation attacks.
All right, share your intel. I can’t express how important this is to the community, and I know there’s a reluctance on the part of many to keep what they’re seeing to themselves because they don’t want it to impact their brand, they don’t want it to impact their stock. And sadly, that type of information hoarding will impact all of us. So the NIST Special Publication 800-150 will tell you what you can share and how you can share it. The Cybersecurity Information Sharing Act of 2015 provides increased authority for sharing amongst private sector, state, tribal, local, territorial, and the feds. And it provides specific guidance for the sharing of information privately. So it builds on the guidance from NIST SP 800-150.
Now, if you’ve been breached, all states and the District of Columbia, Puerto Rico, the Virgin Islands, they’ve all enacted legislation requiring notification of security breaches. In addition, depending upon the types of information that have been involved in the breach, there may be other laws or regulations that apply to your situation. You can get a hold of the Department of Homeland Security at the email that’s listed above, and you can find any additional state or federal laws with specific regulations or requirements for your business.
All right, moving on. Build a checklist of steps that you can take to protect yourself and remain resilient while under attack.
Okay, let’s take an eight-step approach to our defense, starting with accept. Now, I hope that during this time, we’ve pretty much nailed that one down and you’re willing to accept that we’re in a current state of cyber war and that you’ve been given the tools to be able to articulate this to your team back home. Great. So let’s move on to recruit. Recruitment is necessary to get the right stakeholders in your organization. So begin by making a list of all those people who should be part of the process and ensure they have the necessary information regarding the current state of your security, what your current risks are, what investments need to be made, and so on for you to be secure and resilient while under attack. I mean, we all know that security starts with the CEO, but we also have to have everyone else on the same page, and that includes the teams from Human Resources, Legal, Facilities, Operations, IT.
Hey, you may have key customers or third-party vendors that you need to recruit because they’ll either be heavily impacted or they’ll be in a position to assist. So you must have a complete list of those first responders and the individuals who can make the decisions under difficult circumstances. Then you need to assess. We use the Five W’s and the One H approach. Who? Hopefully you’ve answered that during your recruitment step. You know who your stakeholders, your teams, and your customers are that will all be called into action during an attack. Then what’s being attacked? Asset management is the hardest thing out there.
But if you’re not 100% sure of what you’ve got, how can you protect it? So then where are the logs, the alerts, the data points for determining your situation? Then when do you enact the plan? What is the threshold for declaring an emergency? When do you determine that this is more than just maybe an accident or somebody doing a major phishing attack? And then why? The why is used to determine the reason and the possible motive for the attack. I mean, is this human error or are you being subjected to an actual attack? And then finally, the how. You’ve got a fully documented plan that details each step. Having that is critical to your success when you’re being attacked. And then test, and do more than just pentesting. I love pentesting. Pentesting is awesome, but it’s just one tool in your arsenal for identifying your weaknesses.
Use more than just the results to craft a strategy. You’re going to want to perform stress testing for denial of service attacks, backup restoration tests, data retrieval tests from cold storage. I’ve heard of companies sending stuff to Iron Mountain, but then they couldn’t find it when they needed it. Then your cold and your warm cutover tests and generator tests, and so on. Any procedure that you identified in your assessment plan should be tested to ensure it works. They say train like you fight and fight like you train. And the idea here is all about building that organizational muscle memory, and then evaluate.
When you’re done, go back, take a brutal evaluation of the results, see where you landed, ask the five W’s and one H again, make sure that you’re satisfied with the results, and then remediate: fix all the things. Look, it’s easy for me to get up here and say, Hey, fix it because it’s broken. I mean, I don’t have the staff or budgetary realities that you do, which is why I encourage you to lean on a partner. Someone with no other skin in the game, no additional hardware or software to sell you, someone who can give you that fresh set of eyes without bias and give you some ideas around prioritization. Use them to help build your priorities and get the best bang for your buck.
Then monitor your systems for incidents and your team’s response to them. Observe, identify and act. The methods and the tools of system log analysis are many and varied and would be the topic of an entirely separate talk. Plus, getting them all set up will take a significant amount of time and effort, but you need to monitor your team’s response to issues and the time to remediate and recover. The time to do that is now. And then repeat. I can’t decide for you what cadence of testing for the different elements of the plan would work best for you, but I can give you a rule of thumb: if you find yourself failing each test, regardless of where you’re at in your security maturity, then what that means is you want to take a step back and go back to basics.
Nail each step solid before moving on.
All right. In review, I hope this talk has given you information and tools that you can take back to your organization and discuss how you can prepare for war and cyber retaliation. I hope I made it clear that this is happening and your assets have value in a global cyber war, even if you’re not the primary target. I hope you’ll go back and review your plan and discuss where and how to prioritize your investment in defensive measures.
We only briefly touched on the allies and resources, so I encourage you to go back and identify the more specific resources in your area and industry to find your allies and resources. And finally, I hope we started a conversation around the checklist of steps that you can use to stay secure and resilient.
All right, if you have any questions, now would be the time. Let me see. In the Q&A: despite Costa Rica having a cybersecurity strategy in place and being ranked among the top digital government countries in the UN, it got attacked by a Russian-backed hacker group known as Conti. What is your opinion about this? It seems that to have a strategy is no warranty to prevent attack. And that’s true, that’s the problem. They only need to get lucky once. You have to be lucky all the time, and it’s just a matter of testing, evaluating the results, fixing any of the weaknesses and repeating. It has to be a continual cycle, every time raising the bar, making the test either harder for the pentesters or harder for the blue team.
But make it so that you’re doing this consistently.
As a cybersecurity student and recent cybersecurity engineer, how do I take the steps to become a penetration tester down the line? I get this question a lot. There are a lot of resources out there for you to test your skills. At Offensive Security we have a resource guide for 2022 for people wanting to break into security, and Dallon and I can forward that to you so that you can look at the resources you have. And if anybody else wants a copy of that, by all means please let me know.
All right. With no other questions, let’s see what else we got. You can reach me on Twitter at jperini and on LinkedIn at Joseph Perini. And we’re also starting, once I get off this webinar, we’ll be publishing our first inaugural edition of a monthly newsletter called The Cup of Joe Cafe Times. And please, by all means subscribe, give me suggestions on what you’d like to see, comment on the format. I hope to make this a dynamic, useful document that we can send out once a month.
So unfortunately we are out of time. We are a little bit over. We’re still good. Do I have one more question? Let’s see. Do you suggest for personal computer protection, is the VPN good enough? What I recommend is for valuable resources that you are connecting to, either within the company or in your own personal financial accounts, make sure that you’re using multi-factor authentication with a decent complex password. I think you need to go overboard with a 25-character uppercase, lowercase, numbers and special characters password, something at the 16-character, twelve to 16, but use multi-factor authentication. That will make the difference.
You also have to look at your risk profile. Now if you’re a gazillionaire, you probably don’t want to use SMS as your second factor, but if you’re like me and you’re living paycheck to paycheck, that’s probably okay. You’re not going to be targeted quite as heavily as somebody with a heck of a lot of money. Keep in mind the level of effort is equal to the value of the target. So if you’re a big deal, they’re going to spend a lot more time going after you than if you’re not.
And I think with that, Dallon, yeah. You want to join us again? Hey, yeah, I’m here. Thanks so much for the talk. I can get us wrapped up and get people on their way. Thanks so much to everyone for joining the chat. Thanks to you, Joe. What a great conversation and a great piece of information for all attendees.
Yeah, the on-demand version of this webinar will be sent out to you, so if you have time, you want to watch it again or send it to your coworkers or peers, it will be on YouTube. And yeah, keep up with us on all the social medias to be informed about all the stuff PlexTrac is doing, but also upcoming webinars and things like this, and yeah, that’s all I’ve got, so thanks everybody and have a great rest of your Wednesday.
Thanks much. Have a great day. Reach out to us with any questions, subscribe to the newsletter and we’ll talk with you again soon. Thanks for your time this morning. Take care. Bye.