Threat Intelligence & Incident Response

Does the concept of Attack Surface Management vs. Attack Surface Analysis make sense to you?

Top Answer: Speaking from a security standpoint, the two terms mean different things and they should be distinguished. Attack Surface Analysis is an analysis of the number of exploitable vulnerabilities. It can be used by both sides to discover weaknesses in a system. You start by scanning the target for vulnerabilities and then checking which ones have exploits available, and you choose the attack vector. OWASP has an attack surface analysis cheat sheet. Attack Surface Management is the process of discovery/reconnaissance, inventorying, classification and monitoring of the systems. This is more from the offensive (attacker) point of view. You are looking at what IT assets are exposed inside the organization and to the internet.


What is the current state of ransomware attacks? What level of defense and preparedness do companies have from their backup support?

What advice would you give security practitioners regarding evolving cyber threats?

Top Answer: Just like you can’t defend what you can’t see, another hard truth is that you can’t secure that which you don’t understand. I think the #1 issue in this space today is the pace of change and the difficulty that security practitioners have keeping up, especially in environments that have multiple generations of technology. If I had one piece of advice for security practitioners, it’s that you need to stay current with new technology as, or before, it's being adopted in your firm. Your colleagues can’t and won’t put their deadlines on hold to wait for security to catch up. I can't emphasize that enough. If you take a job as a CISO or security analyst at an AWS shop, you need to be getting AWS knowledge and certifications to demonstrate to your peers that you understand the space. If you take a job at an Azure shop, a GCP shop or a mainframe shop, you need to be gaining knowledge on those platforms and technologies that you're responsible for securing. Fundamentally, you can’t do it without your colleagues and teammates, and if you don’t understand mainframe security, the mainframe operator who's been doing it for 30 years isn't going to listen to you. If you're not constantly learning and taking courses from places like Coursera or Pluralsight or somewhere, you'll be stale in two years. The idea is to stay ahead of the curve, which is only possible if you have already caught up and can keep up. And if you aren’t caught up with today, it’s almost impossible to anticipate the attacks of tomorrow.

Will the US government’s response to ransomware be an effective deterrent for bad actors?

Top Answer: The degree of political pressure or danger for ransomware operators is more real today than it was a year ago, but it's definitely not enough to be a deterrent. When I talk about ransomware, I always try to frame it as a business model rather than as a piece of malware, because it got popularized by grandpa getting phished and we've gotten stuck on thinking about it that way. Ransomware is the ability for a financially motivated bad actor to monetize things that would've been worthless in the absence of ransom as a business model. And that suggests that it will continue to evolve and innovate. There was an interesting campaign against MongoDB and Elasticsearch around 2018, where ransomware operators were saying, "I have your data. Pay me and I'll give it back to you." But they weren't doing that. They were just deleting everything. At the time, that would probably get you hurt by your competitors as a ransomware operator, because they pride themselves on being able to support their customer. But now we've moved on from that. Now there’s this idea of a secondary take around disclosure, and spreading out information in that sense just seems like what I'd want to do as a bad actor. So what's next? It doesn't seem to be fading away as a means for cyber criminals to make money.

What are your current concerns about the state of cybersecurity?

Top Answer: What scares me is that only 88% of us do manual scanning. That means that even if you had access to all the necessary information, or that cybersecurity knowledge base, you're still making a bad call. Why is that? That's where my curiosity is today. Something is missing that’s causing a lack of alignment. For some reason, even though the community knows that there's a problem, we haven’t experienced that iconoclastic event to make us rethink what we’re doing.

What is the future of cybersecurity and what changes are organizations making? Should the government implement more defined rules to protect businesses from cyber attacks?

What makes operational technology (OT) particularly vulnerable to cyber attacks?

Top Answer: PLCs and other 30-year-old equipment are running Windows CE or Windows 95, which can't be changed. You can't put EDR on them because it doesn't take an agent, so what do you do? You either have to take it off the network, put it in its own VLAN or segment it off the network to keep it from talking to anything. I always hear that the bad guys are just sitting in your network waiting, and it frustrates the heck out of me. That's why I came to Air Gap because we ring-fence every device on the network, and we're doing that for operational technology (OT) environments. But another factor is that at many manufacturing companies, there's an OT team and an IT team that are in conflict with each other all the time. The OT lead will say, "The IT team doesn't get it because our machines are running protocols that no longer exist in the IT world." OT is running ISA cards in the machines and IT is telling them to upgrade to USB. But OT says, "No, because that will break the manufacturing line and then it will be your fault when production is down." It’s an interesting problem to solve: how can we get IT and OT to start working together, or be one group? It's not easy.

What misconceptions do people have about attack surface management?

Top Answer: I like to describe attack surface analysis tools, like CLAW, differently from the common industry definitions. What we do is often described as attack surface management, but that is kind of a misnomer. CLAW is a step beyond management as it’s more of an analysis tool. Therefore we qualify ourselves as Attack Surface Analysis instead. You don’t want to manage cybersecurity threats, you want to analyze and solve them. Think of CLAW as Google Maps for cybersecurity. Similar to what keyhole satellites were for Google Maps back in the day, we can zoom in and using a graph algorithm, we can generate a more accurate, refined and higher-resolution picture of the cybersecurity situation. It’s similar to a cybersecurity MRI: I can tell you with confidence exactly where the cancer is, how big it is and what it’s doing.

What ransomware challenges are on the horizon?

Top Answer: It's the adversary’s job to figure out what to do next to get what they want, which is how they stay in business. When you think about it through that lens, it's a competition of creative forces: bad actors compete to get an outcome on their side, while we compete to prevent it. Ransomware is not going away. I pay close attention when there's a major strategic shift in what motivates the adversary. Shifts in tactics, techniques and procedures (TTPs) are predictive of what's coming next.