Know Your CyberEnemy: Thoughts from the Highwire PR RSA Cybersecurity Panel
Conferences are a time to share information and discuss big challenges. That is always easier when you can bring some of the smartest people in the industry together in a single room. Fortunately, the breadth of clients we work with in the cybersecurity industry means that we speak to many of them on a regular basis. Each of them has a distinct perspective on, and approach to, the security problems facing organizations today.
This year we hosted the second annual Highwire PR RSA Cybersecurity Panel series to bring our cybersecurity clients together to share their thoughts on what is driving defender and attacker agendas. We partnered with WSJ Pro Cybersecurity to host a series of panels discussing major trends this year in the security space. A special thanks to our panel moderator, Patrick Coughlin, Co-founder & COO of TruSTAR.
Every conversation about cybersecurity focuses on trends in either the offensive techniques of attackers or the new tactics of defenders. With such a broad panel of experts, our discussions were able to inspire interesting perspectives on both.
What are the bad guys up to?
Cybersecurity is as much a human issue as it is a technical one because, unlike many technical problems, there is an active, intelligent adversary behind every attack deliberately looking for holes. But why do they turn to hacking?
One answer is because it is so easy. According to several of our experts, it’s only getting easier.
“The barrier to entry is very low. If you have the ability to search on Google, you can find the tools you need and have the ability to become an attacker,” said Dave Lewis, Global Security Advocate at Akamai.
And Endgame Chief Social Scientist, Andrea Little Limbago, pointed to three recent self-propagating worms—WannaCry, NotPetya and BadRabbit—that all stemmed from a single exploit leak. “Hackers can leverage what’s already put out there in the open source and leapfrog ahead. The lack of resources required to have an outsized impact is really phenomenal.”
The easy availability of these exploits means that hackers do not even need to be on the cutting edge of technology to do significant damage. Jeremiah Grossman, CEO of BitDiscovery, said, “I haven’t seen the bad guys use AI, frankly because they don’t have to. The hacks are so easy. The number of systems they can compromise is so vast.”
These factors make it all too easy for new hackers to get started, and for experienced hackers to level up. “[Attackers] are way ahead! Not just in terms of technology but also in social engineering,” said Simon Thorpe, Director of Product & Account Security at Twilio. “A zero day just pops and you are inundated.”
Unfortunately, it doesn’t take much for a hacker to breach an organization.
“The sad truth is the bad guys are getting in through low hanging fruit, such as not patching,” said Justin Fier, Director for Cyber Intelligence and Analysis at Darktrace. “I run into a lot of teams that say ‘Until I get a major breach, I’m not going to do anything about it.’”
Bad patching processes are one thing, but the move to the cloud opens up another realm of possibilities for hackers. The urgency to move to the cloud can lead to IT teams making configuration mistakes in their rush to adopt new infrastructure.
“That’s why you see breaches with people moving into the cloud quickly with their S3 Buckets opened up, cryptominers installed,” said Sumedh Thakar, Chief Product Officer at Qualys. “People find out about these cryptominers in their environment after they get the bill. I joke that the incident response team is finance.”
The attack space of the digital world is expanding, driven not only by cloud adoption but also by the sheer number of new devices.
“If you look at my home, there are probably 80 different addressable devices,” said Brad Bell, CIO of Infoblox. “You may not have direct interaction with them now, but they do represent a potential threat vector.”
“I set up a commercial firewall at home and ran traffic analysis for three months. At the end of three months, I found that 8% of my traffic was going to China,” added Jackson Shaw, Vice President of Product Management at One Identity. “I’m not ordering Chinese food from that far away. It’s not just a threat at work but also in our homes.”
What do we do about it?
The situation may seem dire, but by leveraging these insights about what drives hackers, the cybersecurity industry has some hope of gaining the upper hand.
Casey Ellis, founder and CTO of Bugcrowd, noted the importance of focusing on the basics, like regular patching, saying “One of the challenges I see in how products are being taken out to market is a focus on APT, which to me is the equivalent of trying to cure cancer while we forget to wash our hands when we leave the restroom.”
Cyber hygiene is important, but perhaps even more important is to identify the advantages we have. When asked about the asymmetric advantage hackers appear to have, Chris Wysopal, CTO of CA Veracode, pointed to enterprise detection systems. While breaching a system may be easy, “if you set up your detection correctly, the hacker only needs to make one false move and not look like a regular employee on the network.”
The other advantage defenders have is the vast amount of information we have about hacker activities. Sharing threat intelligence on information exchanges allows cyber defenders to gain a broader picture of what is happening around them and respond to new threats more effectively.
“Organizations are discovering that it is helpful to them to enter into these exchanges,” said Karl Sigler, Threat Intelligence Manager at Trustwave. “I think that any single organization has such a microscopic view of the security ecosystem as a whole. Once you start sharing information suddenly your whole perception changes.”
But of course, while the adversarial side is not purely driven by technical issues, neither is the defender side.
“What I feel is missing the most is the education of the end-user at the very beginning. People are not aware of the threats they could be facing,” said Filip Chytry, Threat Intelligence Director at Avast.
And Scott Register, VP of Security at Keysight, added, “When I’m on Facebook and I see those little questions, like ‘What’s your stripper name?’ the questions you answered to get that—your pet, the street you grew up on—how often is that also a security question?”
One step to solving this problem is to demystify the cybersecurity space, according to Michael Daniel, President and CEO of Cyber Threat Alliance. By involving people with other backgrounds in the cybersecurity space, they will bring their unique perspectives with them to help solve the problems we’re facing and bring their understanding of cybersecurity back to their peers.
“We need to diversify our understanding of the security workforce. We need more economists who understand incentives. We need more lawyers who are cyber-smart,” said Daniel. “We need a lot more of the other disciplines to bake cybersecurity into them so that you have a broader understanding.”
Knowledge is power. And in the cybersecurity world, knowledge is also protection. Gathering the smartest minds in the cybersecurity space to discuss what is driving hackers to make the choices they make reveals a lot about what cybersecurity defenders need to watch next.
You can watch the whole panel series on the Highwire PR YouTube Channel here.