Cybersecurity Intelligence Forum Part 1 CSPAN June 12, 2018 4:04am-4:40am EDT
>> sunday at 8:00 eastern, the health and human services secretary will be unhappy prescription drug pricing plan. they meet at 10:00 eastern with live coverage here on cspan3. several sessions from a daylong conference focused on cyber security and intelligence. this portion featured fireeye ceo kevin mandia, who highlighted his company's work and laid out the themes for the conference. >> good morning everyone. how is it going? is everyone ready for a great event? yes? let me hear noise.
yes? welcome to the cyber threat intelligence summit by fireeye. i'm the founder and ceo of fedscoop and i'm thrilled you can join us. over the past decade my team and i have worked with the last three administrations bringing the brightest leaders from government and technology together around the white house technology priorities to talk about best practices and find ways to work together. we sit with the federal cio council every single week. we have lunch with them and sit down with them to talk about the things that are keeping leaders in our communities up at night. whether we are talking about cloud computing, big data, mobility or any of the given hot topics of the day, the number 1 issue that keeps bubbling up and is the top thing keeping everyone up at night is cybersecurity. today we will speak about a very specific area of
cybersecurity and that is cyber threat intelligence. fireeye is the world leader in this area. we are thrilled to partner with them and we have an amazing agenda with great figures from government and the technology community. lots of subject matter experts from fireeye and big names. are you excited about this agenda? yes? because we have a really jampacked day i will have our first speaker welcome us and kick off the event. he is the man of the hour, your host, please put your hands together and give a warm welcome to pat sheridan, vice president of public sector at fireeye. >> ♪ >> good morning. welcome. it is the fifth annual government forum and i appreciate you making it downtown today. any caps fans out there?
a huge night, great save at the last minute. everyone should be in a good mood. seriously, thank you. each of you has other things to do today and i'm glad we are packing this room. i think there are a few more seats if those in the back want to sit down up here. thank you for getting up early and making it downtown. and for those of you traveling from far away, i thought jeff brown from new york and we have folks from asia, europe, the middle east and south america. we have 103 different government agencies represented worldwide. i have seen this event come a long way over the last 5 years. the first one we had 350 attendees. i'm excited about this one because a lot of thought went into it and we have a lot of feedback after each of these forums. from each point of view out there, i'm most excited about this. the theme today, like she said, is cyber threat
intelligence. why is it important? right now, it is the things, the threats that matter. that is what is most important right now. we have a lot of organizations, commercial and government, that think they will solve the problem with technology. you cannot solve the problem with technology alone. there was a dhs report published this month and some of you may have read it. it talked about not having an awareness of the threat out there. this is what we do every single day. our expertise is on the front lines. the threat analysts and the organization that john watters started years ago, this makes us different from everyone else out there. i left the army 23 years ago and i have to say, out of all the companies i have worked for in that time, this is the one that i enjoyed getting up
every single day and working for. we have made a difference out there. not just for the u.s. government but state and local governments and governments worldwide. i don't want to take too much of your time. let's get this kicked off. i want to introduce our first speaker. he started his career 25 years ago as an air force officer, a communications security officer at the pentagon. he is no stranger to washington, dc. he definitely is no stranger to working with governments worldwide. welcome to the stage, fireeye ceo kevin mandia. >> [ applause ] >> ♪ >> it is good to be in the city where if you show up at 8:30 there are other people in the building. i remember when i got here i
spent 21 years and i like to say i temporarily moved here when i was stationed here. 21 years later when my company was bought out i was forced to move to california. i will never forget the first time i showed up at the office. it was 7:15 and i walked in and said, am i in the wrong building? no one was there. i was a california rebel and i wore a suit and tie to work every day for the first 2 years. i was out in california and there was a negative connotation to it. i went out every once in a while and i don't wear a tie there. i will go through as much as i can but i wanted to start off by welcoming you here and saying thank you for taking the time to be here. we have experts in the room who are walking around and i hope you get to meet some of them. ask them the questions you want to. we are trying to solve complex
problems with cybersecurity. we are all confronted with those challenges and we hope we can share from our experiences and learn from yours. i also want to say thank you that i can stand here and represent the men and women of fireeye. it is a privilege to do so. i am always within 24 hours of our folks doing really neat things. last night i got a text from charles carmichael, one of our guys, and you will get a call from a cio and we will take care of it. less than 24 hours from sitting down with heads of government agencies and dealing with challenges as well. we get a call when security matters most and people are under duress. it is a privilege to be here. if i spend three hours dealing with an hr issue i can pick up the forensic report and read it. as i stand in front of you with a fancy title of ceo, i am a cybersecurity person. it is what i will do for the rest of my career and
it is a privilege. i started the company in 2004. i will never forget, i had to make a website. you show up and you do your work and you make your website. i remember going, our website will have the phrase security breaches are inevitable, don't be a headline. it was wildly unpopular in 2004. the analysts said you're flat-out wrong and your concept is ridiculous. but my concept of the company was, let's get on the front lines and respond to every single breach that matters because that is the front row seat to what needs to be made. i felt at the time that every time antivirus triggered, people would say thank god it triggered but the reality is, what did it miss for the last year? we better investigate it. i felt we need to get behind everyone else and do what's
required behind everyone else's endpoint. at the time i started, someone named john keegan wrote intelligence in war. it was probably published in 2003. i almost named the company orange leonard. pretty cool. we can get there but it was neat. when you start a company you have to name it. you spend more time trying to name it than writing the business plan. you need to get the domain so you come up with a name where the domain is available. i was reading the book, intelligence in war, recognizing even then in 2004 that this whole cyber threat intelligence thing did not exist but we knew what we were doing was intelligence. respond to every breach that matters and catalog what you learn from every single breach that matters because it is portable to the next one. it is fascinating. when you see that there is always a security gap, this is
my way of saying that security breaches are inevitable. the website was so unpopular that i changed it. this is why i will never be the head of marketing. i had to come up with another way of saying it was inevitable and i came up with this. you cannot solely rely on preventive measures. that is boring. it is like a sleeper. that was our website. believe it or not. i believe this. but there are a lot of reasons for it. i can come up with 10 of them but i will share a couple. you can hack the u.s. with no repercussions. it is a freebie so why won't you do it? if you're sitting in russia right now and can't get a good job, hack our company and extort them. the anonymity of that coin will cause these things to continue to happen. i've also seen, and this has not changed since 1998 when you track how people break in,
realizing we have a skewed vantage point. nobody hires us to investigate intrusions when they are five minutes behind the problem. when intrusions go to the scale and scope and folks need help, they call us and figure out what happened and what to do about it. the breaches we respond to are not solved by being exploited. we are the last line of defense and i could do a 10 second class on how to circumvent it. attackers are exploiting and that is a problem. there is a generation of folks used to communicating not face-to-face but getting evites and whatever web-based links that they are used to getting to click on. they are exploiting human trust. there is not a patch for that. hiding behind the anonymity of the internet is a problem.
if you're anonymous, it does more to accentuate the activities of bad folks than it does to help good people. you see that on the internet. cyber attacks are reflecting geopolitical events. until we have world peace, and no espionage, there will always be cyber activity. it will not go away. as we respond to every single breach that matters, as a company, we do write down all the trace evidence behind these things. the infrastructure being used to do the attacks, the ip addresses, domain names, who registered, malware, different structures of malware, the passphrases used and how they encrypt the commands they type when they are online after they hack in. we try to track these attackers with every piece of trace evidence. we are so boring, we came up with a schema to track trace evidence back in 2005. it was wildly unpopular but it had 635 different criteria so
as we do forensics we can catalog all the forensics. over the years we have noticed patterns. when you look at things coming out of china, we have several dozen groups coming out of china. different buckets. we get the evidence -- all different groups that we respond to dozens of times. there is not a fuzzy bear up here. i've always wondered, how do you get into a board room and say sir, i know you're on the headlines and you were hacked by fluffy snuggle duck. that does not work. we are integers. but look at the nations that are being robbed. without clearly defined rules of engagement. we have two different groups, north korea. we say we are
tracking but the isight folks are outside of the victim networks. you will meet a bunch of folks and see john watters speak later today but it is an awesome component because you have our services folks in the victim network trying to figure out what happened and what to do about it. they are cyber nerds and cannot always think about attribution. all these buckets from the forensic standpoint is a time save. this is apt37 and here are the indicators, let's go look for them. that is what we use it for. and we have analysts who speak different languages trying to figure out attribution. we think attribution matters. north korea, we did a report in february on this. they had a couple of rites of passage. they developed a government capability. no patch can
execute it. they got a second wave of targeting and operate on a scale and scope to target things besides south korea. you go to south korea and they blame everything on north korea. you go to the middle east and it is a digital cocktail party. the bottom line is, they increased the scale and scope of the operation. it is neat to see the rites of passage. vietnam. it just shows you that you have a hacker and an attacker and it scales well. vietnam is there as well. i figured that seven minutes into every presentation you have a bubble chart. here it is. it is cool to look at with neat figures. as a company we find more zero days than any other security company combined added up. we don't always find them --
that's okay. we find them when we are investigating an intrusion. and we are trying to figure out how the payload gets on the machine. the exploit, we've never seen it before. apt28 is russia. as i prepared the presentation, it's a privilege to speak to so many, i realized there is a disadvantage that we have as a nation in cyberspace compared to other nations. it is not meant to be discouraging, it is reality when you consider the cyber domains. we have unique weaknesses compared to let's say russia or north korea. asymmetry, every nation has to deal with asymmetry. you would rather take the penalty shot than play goalie. i would anyway. it seems more interesting to do that. that is essentially it. on offense, one person can create work for millions of
defenders. when you look at the target zone in the u.s., it is the biggest target zone of any other nation. and the most divided target surface. we have an economy that relies on the internet and our infrastructure more than any other country. the asymmetry is broader here for us than any other nation. a few weeks ago i felt guilty saying this because it was taken out of context. i have said it for years. if we had in the cyber domain, war, you can go to land or sea. let's just have a war in cyber. if all the weapons worked and all russia's weapons worked, we lose because we have more to lose. the same argument, if you are in a one million-dollar house and a hut, you lose because you had a one million-dollar house.
that is what we have in cyberspace. with other domains there is a balance of power. i think we are dominant in every domain but in cyber it is one where if we are dominant on offense, the defensive side becomes an equation that is a challenge for us. there is a balance of power in the cyber domain. in fact there are probably other nations that prefer that if conflict sticks in cyber, we like that. there is a great ion room there and the u.s. is on the weaker side. we also, as a nation, share critical infrastructure between us -- the public and private sectors. especially when you look at providers of communication. some nations, that is controlled by the government. they can shield up when they need to but we can't. we have to have a public-private consortium that works together during times of
duress. that is different and broader. there are no settled rules of engagement internationally. this fascinates me. i could spend a lot of time talking about it but i cannot figure out what is fair game for espionage. i don't know. but it is out there. we have the agreement with china that hacking should be for security purposes, not economic gain. are our universities fair game? i feel like i would hack universities because they are a good place for intrusion. and that is where our r&d happens. and throughout my career i have always observed those rules. i observed them with china, russia and other nations. i don't know what they are anymore. i think we have all of a sudden seen the slippery slope with people broadening what is acceptable in cyberspace.
we have to think about rules of engagement during times of peace with other nations. i believe that when we do malware analysis we can see public policy in malware. we can. we have some folks, malware analysts, that have been doing this for over a decade. half the time when you look at malware they say i know this guy or i knew his father 20 years ago when he was doing the same thing. when we looked at it, we find malware that sometimes has a time to live and it doesn't run anymore. who would do that? sometimes they don't work in different geographies. who would do that? we see guardrails on malware from nations like the u.s. but do you see guardrails on malware from russia? no.
here's one found a couple of years ago. we looked at malware and it does 6 or 7 checks to see if it is being reversed. if it is being reversed, it overwrites your hard drive. i had a conversation last night and said, i bet we never do that. but maybe we do. this is what north korea does. 6 or 7 checks that if we find the malware and bring it into the lab and we are in a virtual machine and can inspect it, it looks to see if a sandbox is running and overwrites the drive. that is annoying to deal with but that is a policy decision. they don't care what they destroy when they compromise something. i have a funny suspicion with our lawyers looking over their shoulders with offensive capabilities, we do care and we will not have collateral damage within cyberspace. we saw it with some of the self-spreading bots, exploits.
these are representative, in my opinion, of public policy and we have to reverse it and analyze it. so what is the role of government? i could spend time on this but i was told i don't have three hours, i have another nine minutes. a couple other ideas, from my perspective, realizing as i stand here i represent victim companies within the private sector. if you went to a ceo and said that cyber is complex and hard, what do you want from the government to help you out, first and foremost is deterrence. how do we stop other nations from compromising us? i'm sure anthem would prefer that they were not compromised and would not have to deal with lawsuits. you have to know who did it. period. attribution is the number 1 thing for deterrence. if i were in the oval office, i can give one line of advice to
the head of state and i would say you have to know who is doing the intrusions. without that, you have no proportional response. and you don't know who is behind the attacks, so the minute we don't know who is behind the attacks as a nation, we have a problem. we have to figure it out. attribution matters. not only from a deterrence standpoint but also from liability. if you are hacked, you know it. if it is a 15-year-old kid from brazil, you are on your own. if you are hacked and you know it and it is a drive-by shooting from a server that was compromised, the reality in the u.s. is you will be deemed as an organization as probably negligent or you did not do the right things. if you're hacked by a modern nation's military units, you may get more understanding. we saw this happen when sony pictures was compromised in 2014. everyone went crazy saying, how
did you let this happen? you lost your records, your pay, your movies and the president got on tv and did public attribution that it was north korea. the pendulum swung from sony being irresponsible people to wait a minute, north korea did this. and that is crazy. the pendulum of public opinion swung. we don't always do that when opm is breached. we have to figure it out. but attribution absolutely matters and when you're hacked by a modern nation with great capabilities, it is different. i'm at fireeye and i get the question, can the russians hack us? i laugh as a response. yes. absolutely. if you bring the nation of russia's capability against fireeye, how will we do? we will not win.
that is the same for your organization. we have to think about the line. as a nation we have to figure out what industries are expected to withstand a cyber military attack and which aren't. that is a tough line. as a nation we have tacitly said that healthcare needs to withstand attacks from the chinese military. that is the right bar to set but we set it when we did not do attribution. we left the healthcare companies to deal with the problem. deterrence is first. how do we do it? it's tough. the good news is, i'm not a diplomat, i am a cybersecurity guy. what do you do to deter a nation that does not have as much to lose when they do cyber attacks? i thought about this when john podesta was compromised and his email leaked. could we hack putin and take his emails and post them? probably, but how many media
companies in russia would cover what got posted? we have a free press but they probably, not as much. so they win. it is hard to figure out, with our freedom of the press and with dependence on i.t. and the way we do commerce and business, it is just an unfair playing field. it is a difficult equation. this is what happens when you do treaties. when you have a dialogue, a bilateral dialogue between nations. you can take a number of intrusions per month and reduce them. you're reducing the cost, burden and distraction on u.s. business. it is worthwhile to do. this is based on, we used to see 70 to 80 attacks from china against u.s. companies each month. after a treaty, we had a remarkable difference. and how do we know we are missing them? if we aren't, we raised the cost for china.
the bad thing about chinese intrusions, they don't delete the evidence and we can find it. it is pretty nice. you can have an impact with diplomacy on the intrusions. at least with some nations. secondly, this is something that goes beyond information sharing. how do you do shields up in times of duress if we have a modern war? software will fight it. you have a bunch of compromise and cyber domains will have a weird impact on everyone. your thermostat may turn up to 98 degrees on a hot day. who knows what will happen and that is the interesting thing about cyber. when you do offense, you don't know what the results of the offense will be. you don't know. i can tell you that we did an attack years ago and had no idea when we did it -- that it
would have the results that it had. sometimes, you don't know what the results of an offensive operation will be in cyber. almost all the time you don't. you need guardrails but how do we do shields up as a nation. as a nation if we knew that the hospital would be compromised on friday and the russian hackers will shut it down, what would we do? can we impose a shields up at the hospital? can we safeguard patients? there was a time that i used this example 15 years ago and i said do you know what we would do? we would move every patient out of the hospital. i don't know what we would do today but we have to have an engine, a machine where the government can impose at that point a profile that is higher and better and stronger and more effective than the hospital itself can do. i can tell you that wilkes-barre hospital will not withstand a russian hack in cyberspace. you have to accept data, early warnings and indicators, whatever you want to call them. we have to have an infrastructure that can get better under times of duress almost instantaneously. and we have to have communication channels that are doable. we have to start small and deal with utilities. and deal with healthcare and start with critical infrastructure. shields up in times of war is important. establishing international rules of engagement. there are many working on this. the eu is working on it. it is hard to see it in cyberspace. i cannot tell you what the syrian electronic army will do tomorrow in cyberspace. i don't know what north korean offensive work will be in cyberspace. we have to get predictive. as predictable as -- was, we cannot tell you who they -- who
they would hack tomorrow because we don't know what mergers and acquisitions will be in china tomorrow. we don't know right now what the rules of engagement are. many folks will ask, what will -- do? i don't know. they have changed behaviors. they had 18 years where they did not change the behavior but overnight they did three other things that they never did before. it is a weird phase. we have other nations getting on. as the ceo we generalize and simplify. in 2015, i called it the year of iran. the first time i responded to iran with our company was 2008. we did not know it was iran and someone tapped us on the shoulders and said we know you are there and you are responding to iranian hackers. they were terrible, they did not have good capability. they were obvious. they exfiltrated data by compressing it.
they took the whole hard drive. it was the worst operation. it's like you get out of the classroom and go to it. but they have over a decade of real operational experience with no repercussions. you can learn in the classrooms but in the real world on offense, you will learn even more. that is where they are at. they are good now. they have modular offense and are good. you need rules of engagement and how do you hold other nations accountable? i have some ideas. i was in the government and you have to defend yourself first. then you want to reach out to the private sector and figure out, how do you help the private sector. as a nation we are in these phases and pretty well into them where the government is trying to help the private sector. dhs has indicators and warnings that are shared and we are trying to play private and public sector the right way. you defend yourself first and are helping the private sector. you cannot help everybody all
the time. sorry to the retailers that sell cupcakes but you're not popping a lift to defend cyberspace. healthcare ought to be and communications should be up there. you have to defend critical infrastructure and do the best to defend the nation. the work here at fireeye, our goal is to help you do it. i told you, i'm not an entrepreneur as much as -- we are on the front lines every single day to respond to intrusions. we learn from it and when you have a front row seat to what needs to be built, it will probably never be done but we are going to work on what we are working on. we have over 300 folks investigating cyber incidents and answering what happened and what to do about it in 20 countries. we have 100 analysts that speak 32 languages in 18 countries
doing attribution because it matters. there was a time in my life when i said attribution doesn't matter. the first question i have if i'm getting punched in the face, you don't say who are you? you don't want to get punched in the face. but the reality is, in cyber you want to know. when you're trying to triage the priorities of 10 billion events in your logs you have to figure out which matter and what else to look for. it would be nice to get an alert and go, that is -- and here are 80 other things we look for automatically because of what they do. we raised the cost of offense and made the defense more effective. attribution matters and this is the group that helps us do it. we do 650 investigations a year and we do over 10,000 hours of investigation. in a way, it is discouraging and in a way positive. we do over 300 different red teams every year.
break in and steal the emails or get the customer data or get the health records. we are successful breaking into a network over 90% of the time. at least in 2017. we are successful, making the threat that the company did not want to become a reality become a reality 75% of the time. we do a bunch of these and this gives -- if you're wondering how good security is, somewhere you have the five things you never want to have happen in cyber at our company. and you test it. can it happen from a hotel room down the street? get three great offensive folks and they have five days to tap dance on your network to get to the emails. what i keep saying is, we have to build software until our team cannot get by it. it is fascinating. our teams are amazing to watch. they have to sit and wait for a
blip on the screen. they have kill shots for the majority of the attacks, meaning the tech alone cannot solve these attacks. we have 1 million pieces of unique malware every day. so do a lot of other companies. that is not a big deal but here is the big deal. we find during active investigations 65,000 pieces of malware a year. these got by everything. these are the things that matter. we reported 10 zero days last year and almost all of them used by nation states. we saw one criminal group deploy a zero day. then i included slides since few of you will care.
maybe two of you but i will spend 30 seconds on it. many companies do nothing but malware analysis. we do malware analysis to decrypt the channel that the folks are using. we want insights. so why do they compromise you? what commands are they executing? what files are they targeting and what are they trying to take? we have over 150 different backdoor channels we can decrypt. and see this is within a month of time and we decrypted over 100 of them to see the actual commands. there are times that we can decrypt rdp and that is really cool. if we have one key server. if an attacker is using valid credentials, we can get insight into what they are doing. that is the kind of company we are. you will hear more about it today and i want to say thank you. attribution absolutely matters and we are a company that will always work hard to provide for every intrusion we