Cybersecurity Intelligence Forum Part 2, CSPAN, June 15, 2018, 10:36am-11:39am EDT
back door channels that we can decrypt and you can see this was in a month of time. we had decrypted over 100 of them to see the actual commands. there was a long time where we could decrypt rdp. that's really cool if we had one key, whether client or server side. if an attacker was using rdp, we could get insights into what they were doing. that is the kind of company we are. you will hear more about us today. i just want to say thank you. attribution absolutely matters. we will always work hard to provide it for every intrusion we respond to. thank you very much. [ applause ] ♪ i got 15 minutes.
i haven't started yet. that's good. i will try to get through the last 40 years in 15 minutes. i'm going to date myself. this is really the evolution and cyber domain through the eyes of a middle-aged guy that grew up in texas. as you think about the '80s as we're rolling into the time line we're going to cover here, it started out with a bang. we boycotted their olympics. they decided to come to ours. u.s. completely shocked the world and beat the russians in hockey. the other big bang was j.r. was shot in march of 1980, one of the most popular shows in the world. but what was going on behind the scenes was a quest for intellectual property. they were in desperate straits going into the '80s.
the war was draining their funds. they were trying to compete. so they were trying to gain access to our intellectual property. the same way the chinese was trying to do back in the '70s. so we set up a false front with the french, sold faulty software. so that was behind nagasaki at the time. that was 1982. that was a digital created kinetic effect, roughly 40 years ago. i was in high school in '82. move back to economics. december needed beer money. how was i going to get it? i had three weeks left over there and british telecom was privatizing. at the time i said i had to figure out a way to get
involved. the most you could participate was $2,000. i say how am i going to get my hands on some money. i remember i had this emergency credit card my parents gave me. i said how can i get some cash on this and my parents aren't going to know about it for a while. they said well, take cash out, tell us where their bank is in dallas, we'll give you the money. got cash out, participated in privatization, tripled my money, sent the money back before it hit their account. so here comes the crash of '87. i'm working on wall street. we were selling portfolio insurance back at the time. we would get somebody with a $3 billion pension fund and say you got equity exposure.
if it goes down, we'll cover it. here comes october of '87. how do we hedge ourself? we're selling futures, you know, trying to hedge ourself. market went down 27% in one day. that was the end of portfolio insurance as you knew it back then. innovation outpacing your ability to protect it. so innovation, the security gap that kevin talks about is always going to out pace our ability to manage the risks. it is always going to create that gap. by the end of this decade, which shaped the future, wall comes down in 1989, began to see the collapse of the soviet union and the '80s were really a formative decade. here comes the '90s. for me it was the need for speed. it was the information super highway. early days of the investment career back then.
everybody was trying to figure out how to get in on this information super highway to create a digital infrastructure used to advantage the world. so big innovation we are, we're creating all this innovation and pace without even thinking about the consequences. so what happened when the wall came down and the soviet union collapsed is a super power of crime was born in russia. a lot of the former soviet union countries out of money. you see the same talent base we see now unemployed and trying to feed their families. so we are creating an opportunity to exploit it for criminal gain. you saw a real focus of shift of this talent base saying how can i make money through this thing called the internet? as we begin to move all of our commerce on line. so latencies out of the system, digital commerce is moving on line. the world is beginning to change and we create mammoth amounts of
speed in our environment. in fact, going back to the wall street piece, we used to sell on trading floors atm networks and all these different bandwidth protocols for being deployed. you would send one trade out and say i want this one to go in nanoseconds and i want this to go out in a minute. you would pay by the drink for how fast you wanted a trade to go because you were trying to beat other folks based on speed and pace. speed became the game in the '90s. that set the pace for the 2000s. for me it was a decade of pain. what a decade we went through. so it starts off obviously with a dot com crash. it created this huge run up on all these stocks.
i remember meeting with folks that are at the time retired and say i'm just looking for a safe return, 15%, 20% a year. so i'm just going to put it in cisco and dell and let it roll. they got a lesson learned in that one. when the dot com crashed, followed by the towers coming down, the globe begins to change. the world is at war on terrorism and a lot of things are really beginning to shift in the way we look at the world and the way the world looks at us. in that age we moved on to the telecom crash and the world is beginning to reshape. at the time everybody took their eye off the ball in terms of what was happening in the cyber domain because there was so much going on around us from the dot com crash to the towers coming down, moving into the great recession. if you went into a bank in 2008,
2009 losing half a billion dollars in cyber crime and said, hey, you know, if you use this capability, we can understand exactly how the adversary is targeting you and figure out how to build counter measures and defensive protocols to knock $100 million of losses out of your system. the response would be i just wrote off $10 million last week in bad mortgages. it just paled in comparison. the cyber domain was just ripe for the picking. and people were driving a truck through it. from foreign nations stealing intellectual property, from criminals stealing money, from adversaries and activists injecting their ideology through cyber campaigns, we were wide open, exposed and just taking it without even focussing on it.
so the 2000s gave way to what we're looking for today when the stakes have gone up. so if you look at the last decade, really cyber has been exposed. what happened in the start of the 2000s with the eclipse of cyber crime taking over the narcotics trade as the most profitable form of organized crime in 2009 as reported by the fbi, we have now given way to this huge economy that lived and thrived in our cyber domain. and all the advantages we used to expand was being exploited against us and created in effect the largest transfer of wealth from one sovereign nation to another when the chinese had taken our intellectual property stores and shifted them across the borders. so it was a tremendous decade. cyber exposed. so we see back to '82, selling
faulty software to create kinetic effects. now you see the inverse of that to try to actually create kinetic effects against a nuclear capability of a country. you also started to see aggressive campaigns actually destroy and disrupt operations. so you began to use digital campaigns to create kinetic effects. you saw exposed china activity for the first time through the apt1 report. congratulations for creating an awareness level in the world of what had been going on for almost a decade of really what had just transpired. that started to give people thought and said, wow, this is real. you know, it is not this black magic. it is actually happening right in front of me. what do we do about it? so we move into economic consequences against north korea through all the sanctions we applied creating cyber repercussions. you convert a rogue nation into
a bank robber. so we saw that through the heist, $100 million was reported gone. of course they tried for a lot more than that and they had them stopped. so you are seeing crime take shape, funding those types of initiatives. in the prior decade when al-qaeda was being disrupted in the 2000s, a lot of times when we would find al-qaeda operatives, they had manuals to fund through local cyber crime activities to fund their day-to-day terror activities. that's not my problem as a government, but that's a means to fund something. move into the elections and that's pretty obvious what took place there.
our sanctity as a country. when you see that under assault, that reflects a really big change in what's going on. all of these things in the 2010s lead us to the present day. the fact is that the innovation that we have exposed and exploited to our economic advantage over the years, the innovator of how you exploit that innovation has always been the bad guys around the world. and our security innovation has to keep pace with the innovation of the adversary. that's our only way to effectively compete. this security gap will always be there and will always be exploited by the bad guys. the best you can do is shrink that security gap whereby as we're creating new technology, likely at a pace faster than we can secure it, we are tracking the adversaries as their tipping
and cueing saying here is how we will exploit it to build on our defensive mechanisms side by side with them and build innovation to protect our environment at the pace of their innovation. kevin showed the first chart, not the second chart. so chinese going after existing intellectual property. gives way to, okay, we'll stop hacking your environment, you know, formalized in 2015. we'll just go acquire it. at the same time you see an inverse relationship and all the amount of investment and acquisitions taking place with china acquiring u.s. intellectual property. present day. in the 27 years prior to the trump administration, blocked three times. the most notable was check point and sourcefire. so three times now since the trump election you have had us
blocked technology transfer. so we're basically putting up the shield wrong but that's reality what's happening. when you think what this might result geopolitically you have to think through this may create a shift backwards if we can't acquire or invest we have to get it through other means. geopolitical activity is going to trigger cyber consequence. it has historically and will continue going forward. so cyber threats will always intercept tech mega trends. talked about that through the last 40 years how that's always happened and will happen in the next 40 years. what are the tech mega trends around us today. movement to the cloud. huge efficiency advantage. a lot of us are taking advantage of that. then you look at autonomous
vehicles, changing the way we move around from a transportation sector. all the iot, smart house. every home will be a smart house. hundreds of sensors. for me it's an infinite attack infrastructure, infinite ways in. so many ways that exposes us. you look at mobility, target of choice. adversaries are looking at all of these mega trends as exploitation factors. hackers targeting autonomous vehicles. you're just going to continue to see this. the only way that translates into proactive security is having intelligence-led security drive your entire initiative. understand what's happening, use that knowledge to advantage your defensive ability, and resource shift as that shift in the
adversary frontier faces. it will continue to happen. only way you can attack security in the future. that's the way we do it. thanks for your time. that's my 15 minutes. [ applause ] let's give him another round of applause. that was awesome. thank you. [ applause ] all right. i'm excited to introduce our next speaker, he's going to be talking about cyber threat intelligence and support in nppd's mission. he's the deputy assistant secretary for cyber security and communications at dhs. please put your hands together and give a warm welcome to rick driggers. [ applause ] ♪ >> some old school jay-z as i came in. i'll take u2.
i appreciate talking about what we're doing inside homeland security with regards to cyber security, particularly around threat intelligence information sharing and things of that nature. as i was listening to the introduction she used the nppd that nobody knows what it means. national protection programs directorate. headquarters organization that the cyber security organization sits in. we're very much a critical infrastructure security and resilience organization. we look at that through two lenses. one is physical looking at asset based protections from a physical perspective and the other side is really looking at it from a cyber perspective which is what we do. you know, we made some pretty tremendous progress i think in the past probably four or five years with regards to what the department of homeland security is doing in cyber security. of course, at the same time the threat landscape is becoming more complex.
it's becoming more crowded. we've got nation states, criminals and activists playing the game. while that's happening, the adversaries' capabilities are becoming more complex. as you're very well aware. but interestingly the way that they are getting in, the exploits they are using or not, are still standard tactics that they've been using for a long time for the most part. we see vulnerability scanning for unpatched systems and spear phishing. the last report i read is anywhere between 80% and 85% of the attacks we're seeing, the incidents we're seeing, are being caused by those simple factors. what we're not doing is imposing cost on the adversary. how do we do that? how do we impose cost on the adversary?
really, you know, if you're in industry or in government you want to harden yourself so they look at you and move on to the next, you know, the next business. as was pointed out by john, the attack surface is also growing. you know, i think the report i read said in the next couple of years, each individual is going to have anywhere between six to eight devices themselves that are connected to the internet. you know, that just -- that just makes the attack surface as was pointed out earlier go out into infinity. it's across government, across industry and across individuals. what are we doing about this? when i say "we" i mean the collective we. this is a team sport. this is not something the federal government can do on its own. it requires strong, robust partnerships, engaged partnerships, not only with the
private-sector and critical infrastructure but i.t. security firms. requires partnerships with our international allies that have the same kind of behavior and norms and objectives as we do for a secure and safe kind of network and internet. we also -- we also with regards to partnerships we want to make sure we're partnering with the state and local community as well. we take our partnerships very, very seriously. there's two things inside of our organization that underpin everything we do from capabilities of doing hunt, to response, to vulnerability assessment, penetration testing, to our training and exercises that we do on behalf of critical infrastructure, owners and operators of state, local governments. it's about partnerships and it's about information sharing. we work every single day to try to build our partnerships, to try to strengthen the
partnerships that we have. we do this through formal, large kind of robust, you know, government partnerships where we sign memorandums of agreement and memorandums of understanding so we can open up the information sharing channels. we want to do this also informally. we want our analysts to have relationships and collaborate and coordinate with analysts in the private-sector. the private-sector, i.t. security firms that are represented and those that are not, they have different visibility than the federal government because we're not looking at private-sector networks. we're looking at our government networks. we're getting also information from our international partners as well as from the intelligence community and law enforcement community. that may be the private-sector isn't getting. we want to take that information, and at the end of the day get the technical data
out to the cyber network defense community. at the same time we want the private-sector to share what they are seeing as well so that we can use that information and get that data out to the cyber network defense community so we can cover down on what we know is bad so that we can secure and make our networks and the internet, quite frankly, more safe. the federal government, as i said earlier, we can't do this on our own. we require the private-sector across really all industries to help us reduce and to mitigate these risks. it's about a culture change. i was just over in the uk last week or week before talking about culture change. on the physical side there's a culture security. if you go into any building there's usually somebody at the front door.
there's vehicle bollards where you can't drive up. even at 7/eleven there's deterrence there. so those are all deterrents, but we don't have it on the cyber security side. we don't have that visible deterrence and that culture of security across, you know, across our nation. we do in certain aspects and certain places but for the most part we don't. and, you know, it's not lost that whenever something happens on the physical side, a private-sector entity is looked at as the victim. emergency management structure folds in on them whether it's local, state or national. with regards to cyber security that's not necessarily the case. the entity isn't looked at necessarily as a victim. they are looked at why didn't you protect the data better.
they are looked at as not necessarily protecting their customers. so how do we change this culture? how do we create a culture of security within not only the federal government, state and local government, but the private-sector? really, from our perspective this starts with partnerships, it starts with sharing information and making sure that whatever we have inside the federal government we're getting down to the lowest possible classification level and sharing it as broadly as we possibly can. obviously that doesn't mean we share it out to the public at large. a lot of the times. but we do have community of interest where we will share unclassified sensitive information. we have a private-sector security clearance program where we bring in certain folks from industry so we can read them in and give them security clearances to make known what really the threat landscape looks like across a particular
industry to get them to, kind of pay attention to this issue. earlier this month the department of homeland security just released our cyber security strategy. the department of homeland cyber security strategy. there's five pillars that underpin that. the first pillar is risk identification. how are we assessing evolving risk. second one is vulnerability reduction. how are we protecting the federal government systems and networks as well as critical infrastructure? threat reduction. what are we doing to disrupt criminal activity and criminal use of cyber space? and consequence management. how are we responding effectively to cyber security incidents? then the last one is enabling cyber security outcomes. and really how are we improving at least in the department of homeland security, how we're
managing our cyber security programs not only to protect the federal .gov mission but to protect critical infrastructure, get information out so we can get the bad stuff off the internet that we know about. how are we making security -- how are we making our systems more secure and more reliable. all of this goes to, you know, how are we collectively doing this. we've got three priorities for my organization, the office of cyber security and communications, that we're focused on for the next three or four years. the first one is cyber workforce. how do we build a cyber workforce, not for us to recruit against but how do we build the cyber workforce as a national asset. right now we got about 300,000 unfilled cyber security positions across our nation.
i read a report a couple of weeks ago that said there will be over a million by 2026 across the globe. so what are we doing to engage k through 12, what are we doing to engage academic universities, what are we doing at least in the federal government with our hiring practices and our human resource apparatus so we can bring on cyber security talent, we can keep them engaged. but we can't do this alone. we have to work with industry. you guys are facing the same challenges that we are. obviously you guys have some different incentives that you can put on the table that the federal government can't but at the end of the day how do we from a nation perspective build out a cyber security pipeline so we can have this type of skill and talent at the ready to bring on to help us with this particular mission. the second one is driving down systemic and catastrophic risk to our critical infrastructure owners and operators so that we
can make sure that we're looking at supply chains. we know what supply chain risks are. and that we are covering down on those risks. it seems to me that when i look at supply chain and i look at any supply chain it starts for whatever reason when you start to peel back the onion somebody is starting. we've got to evolve past asset based protection, we got to look at critical services and functions and those critical services and functions that underpin our national security, economic and public health and safety. then the last piece is collective defense. this is pretty much what i've been talking about the entire time i've been here. this collective defense idea about how do we get the entire nation engaged in the cyber security mission. we can't do it alone.
we have one of our flagship programs is automatic indicator sharing system. we are sharing indicators at machine speed. since 2016 we've shared about 1.8 million unique indicators. those indicators are coming from our international partners. we have 11 international countries that are hooked up to ais. we also have all of the departments and agencies in the fed.gov and several hundred private entities but information sharing and analysis centers and other organizations like the cyber threat alliance that are further sharing those indicators throughout their partnerships. what we're not seeing and what we would like to see more of is the private-sector sharing back into the automatic indicator sharing system. so that we can, again, push those indicators out to the broad cyber network defense community so we can get what we
know is bad off the networks. we're making some changes to the automatic indicator sharing system so we're providing more context around the indicators. there will be sightings available so you can understand the quality of the indicators as well. we're doing this as direct feedback from the private-sector. we've listened to you, heard you, and we're making those investments in the automatic indicator sharing system. and we will continue to do that. we need your feedback so we can make sure that that system evolves and keeps pace with what we need to. and then we also are looking at, you know, how do we automate defense. how are i.t. vendors putting out different devices, how can we compel them to automate the security in those particular devices? and, you know, the market will
have to do that. the individuals and the companies and the government that are buying those types of devices are going to have to demand that that happens. you know, as i say, it's kind of a little bit funny but kind of true, you know, don't make my mom turn on a cyber security feature in a wi-fi router or in the iot device she has. make her turn it off. she doesn't know there's a default password in her router. she doesn't know what a router is, to be honest with you. so we've really got to get smart about how we scale security in this particular mission space. again, we can't do it alone. it's going to take the collective "we" to put in a real robust collective defense for cyber security. with that, that's my time. thank you very much. appreciate it. [ applause ]
let's give him another round of applause. thank you, rick. [ applause ] our next speaker is here, although from new york city, we're excited to have him. the name of his talk is new york cyber command, government's role in protecting citizens and the economy from cyber threats. he's chief information security officer of new york city. please put your hand together and give a warm welcome to jeff brown. [ applause ] ♪ good morning. >> good morning. >> so i have some prepared remarks but before i get into that i just wanted to first thank you for the warm welcome. and i want to say it's incredibly humbling to stand up here in front of a community that i owe a lot of thanks to.
thanks to every single person in this room who is involved in the mission. we all know what that mission is and it's absolutely critical to the defense of this country that we all love. also i want to say a special thanks to john who already spoke today and the company they built. incredible partner for new york city. and has been pivotal to me professionally in my own success and the success that i represent in what we're trying to do on behalf of our city. also thanks to rick for the great partnership and the work done with dhs for some critical things that i'll talk about today. so, again my name is jeff brown. i'm the ciso of new york city and head of new york city's cyber command. so, what in the world is new york city cyber command? so let me talk to you a little bit about that. this is kind of setting the stage for remarks today.
okay. so, we all know new york city, right? new york city global leader, absolute presence not just here in our nation, but a global leader in, you know, commerce and culture and all those great things. so new york city cyber command was created on july 11, 2017 by mayor de blasio. he signed executive order 28 which stood up the team. we're charged with leading the city's cyber security efforts across 100 government agencies. what makes up the city government of new york, can you imagine all those critical things that are provided to new yorkers each and every day. the storied nypd, the water utility, sanitation, finance, you know, all those things that make the city run, makes up that city government. what makes our approach unique in the city from our optic,
there are a number of duties and authorities that are invested in new york city cyber command, but i'm going to give you a couple of highlights. what you see in the slide breaks down this elegant two page executive order. i encourage anybody to read it. we're very proud of it. not a long read. just two pages. but let me highlight a couple of things. one, this organization can mandate the deployment of technical controls that we centrally operate. giving us the ability to see and respond across the over 500,000 computers and various ways that make up the technical landscape of the new york city government. not only can we say these are the technical controls that we'll put on these machines, we'll operate those controls which is very important in centralizing a mission. another highlight, we can review city agency requests on cyber spend. so, when it comes down to it that allows us to make sure that we're unifying the effort and the efficiency of how we spend
new york city taxpayer dollars. and finally, we do report directly to city hall. so that tells you the type of executive sponsorship that cyber security receives in new york city. this is, you know, to use the private-sector term this is certainly a boardroom issue in our city. and why is this important? why are these sort of authorities and duties in new york city cyber command important? really the executive order signals our city's recognition that cyber security needs a center of gravity, even across what's a highly federated technical government and services delivery environment. think about these hundred plus agencies as separate businesses. separate businesses some of which have been around for over 100 years and invested in various infrastructure and technology projects since the beginning. so to be able to say what are the things that we can do to be
effective in cyber security in that very federated landscape. you need unification. you can really conceptually think of new york city cyber command as a command center for agencies. we're accountable to city hall and new yorkers. we act as a technology disrupter. since we're in full build mode, we're actively building this team today, and how we, you know, how we use technology in our process. using modern day science and behavioral approaches. we're not afraid of the cloud.
underlying all our work in new york city cyber command is a realization our city uniquely at the municipal level has responsibility to critical services and infrastructure that new yorkers depend on for their society to function. these are core areas like our water utility, life safety services, traffic system, our health services, and city government's financial system that's completely interwoven into the daily sustainable operation of the city. new york city has no choice but to be responsible for the cyber security of these functions. these are the functions that are the very life blood of our city. where are we going? we have a lot of important work in front of us. i am not naive that the mission is not completed. there are many, many critical gaps to fill. everyone, you know, in this room can be in a similar position.
but the city now has a team dedicated to this mission and resourced for growth. that's the baseline on new york city cyber command and as you can see our portfolio spans a variety of issues. i'll address the city's growing prioritization in the public domain. here's a way of thinking, a way i'm thinking about cyber security in new york city and it really goes to, you know, something my wife tells me which is expectation management. i really like managing expectations. get home when you say you're going to get home. if you're late tell me you'll be late. i fail at this. but when it comes down to it every day i wake up i want to succeed in that critical mission. i want to succeed every day and i don't accept it as inevitable i'll fail. i don't. i fail often. but i don't accept it. every day i wake up to succeed. i think our industry sometimes,
our expectations in that regard need to, you know, maybe be evaluated carefully. what do i mean? i think sometimes we aspire to manage the risk of cyber threats but not defeat them. our technology providers that do great work to protect their clients. how do we define client. a client usually someone who contracts and pays. does it go to the size of the problem. when i think about the word cyber security i know it contains a word cyber to represent technology and interconnections of our digital life and word security which represents safety and resiliency and reliability against people out there trying to disrupt our way of life. we must approach it this way: a threat to any one person, organization, business or government is a threat to all of us.
events in previous years have shown us consequences are very sobering and real. when we're talking about critical services that we rely on it's that much more sobering. if our purpose is to be involved in securing the peace of digital space now is the time to move through public technical defenses at scale that meet the public's right to privacy. we should accept the challenge as our obligation in this mission. what i've just covered is really some of the formative thinking in new york city. we decided to confront this. we started by first recognizing our role, our role and primary responsibility of government to protect its citizens, to deter crime and respond to emergencies when they occur. safety is an essential service. we, therefore, have a responsibility to bring that same commitment to cyber space. mayor bill de blasio initiated this with the announcement of new york city secure.
this is what he said. our streets are already the safest of any big city in the country, and now we're bringing that same commitment to new yorkers in cyber space. new yorkers manage so much of their lives online. we'll ensure we're applying the best protection efforts to help new yorkers defend themselves online. keeping with the mayor's vision, nyc secure is built on fundamentals. one, cyber security is a public safety issue. we must work on behalf of all new yorkers. too often the only people and businesses that are defended are either those who can pay or those who have deep technology knowledge. two, we believe cyber security does not need to come at the cost of public privacy and,
therefore, we're building solutions that are technically provable to respect user privacy. so, with nyc secure, what are we doing? increasing public awareness. we're committed to promoting citywide awareness of cyber threats. we will educate new yorkers on cyber hygiene and literacy. this will begin in earnest with a media campaign. we're also committed to making a measurable technical difference. we're adopting tactics that are technical. for example, to strengthen our mobile defense, this summer nyc secure will make available to any new yorker a free detection app, engineered in deference to the privacy of users. any new yorker that's interested in this app can go to the app store and download it. to strengthen the protection of the wi-fi environment in the
city's public spaces, nyc secure is working with the nonprofits global cyber alliance and quad9 across all city-owned systems in public spaces where new york provides the public with wi-fi. nyc secure believes our responsibility simply is to help you stay safe when using something we give you for free, and we think other providers of free wi-fi in public spaces should avail themselves of similar solutions, solutions that will help people not hit that website that's only put there by a criminal to victimize them. we think if you walk into a coffee shop or a lobby where it's free to connect to wi-fi, proprietors should think about whether they should do something about you being victimized. we know these measures will enhance security and privacy, because we'll keep the bad guys from invading the privacy of the person that gets victimized.
we're not collecting the data. the city is not collecting the data, and we're starting to give the public a fighting chance to protect their personal data. we're strengthening partnerships with academia. we partner with nyu to support their masters program. we recognize that these are our initial steps. we'll need to continually evaluate our technology and how we're doing, and get more precise and build new approaches as new techniques emerge. we're counting on new approaches. in fact, we're challenging the industry, whether it's a giant company, an academic center, or a brand-new start-up that just moved into their garage to build something, right? we're challenging the industry to build solutions that can scale to our great city and help new yorkers defend themselves online and fully protect their privacy. new york city believes that a strong, safe, fair and
prosperous city depends on securing the digital space where so much personal and economic activity happens. we hope the new york city secure initiative will spark a discourse on how governments can take action to improve cyber security for the public. all of us are deeply honored to defend the city's infrastructure and help new yorkers begin to protect themselves online. in closing, make no mistake, in new york city we're having a conversation about the role of government in cyber security on behalf of the people who walk its streets every day, and if there is an event that, you know, impacts those services that they rely on, those critical services, it hits home. not necessarily in the big towers, in the big skyscrapers in our city, but it hits home to every single person who expects to safely conduct their life on our streets. again, i want to thank you for your time this morning, and look
forward to listening to everybody as the day proceeds. thank you very much. [ applause ] let's give him another round of applause. thank you, geoff. [ applause ] all right. i'm excited to introduce our next session. the topic is under pressure: effective and fast, how cyber intelligence informs incident response. we have some subject matter experts on this topic for sure. i know a couple of them well. we are going to welcome charles carmakal and brad medairy, and our moderator is ron bushar.
please give all three of them a warm welcome. [ applause ] ♪ >> the goal of this event was to feel and look, look and feel like a ted event. that's a high bar. we're trying to keep the energy up for you guys as we go through this. we have an interesting topic here from the panelists, and we'll dive right into a few key questions on how we can use or leverage threat intelligence to better pursue the adversary and get an advantage, maybe leaning on what geoff just talked about. how do we not only think about defenses but prevention as well in cyber, specifically with government systems, data and critical applications and assets? charles, i'll start with you with a question. based on our knowledge of threats and threat trends, where do you see in 2018 and going forward trends focused
on government targets, and where do we anticipate potential risk areas that we need to focus on across the government space? >> first of all, before i start, a little bit about my background. i run a team of incident responders. i've had an opportunity to work on over a thousand breach investigations. what i've seen is a significant increase in the disruptive attacks that threat actors are causing. by disruptive, well, any breach is disruptive. when somebody steals data from an organization, that causes a lot of disruption. what i'm trying to talk about is threat actors trying to destroy systems, take businesses offline, publicly shame organizations, extort them. what we're seeing is an increase in that type of disruptive activity, and a lot of the organizations we work with are dealing with that type of activity for the first time. they are pretty familiar with the typical data theft types of
breach scenarios, but dealing with an extortion matter for the first time is quite challenging. the biggest challenge is figuring out whether or not the threat actor has access to the data and systems they claim to have access to. for every real threat that's out there, there are five other fake threat actors trying to scam somebody to get information. there's a great opportunity to share lessons that have been learned from dealing with disruptive threats and dealing with extortion. brad, any other thoughts? >> you know, over the past few years we've been dealing with a lot of ransomware attacks. but one of the things that we're starting to see is a much more sophisticated level of attack we haven't seen in the past. we were working on a job, and we were doing forensics and found this piece of advanced
persistent adware. we had to correlate a lot of data to detect that. what was interesting, when we reverse engineered it and went back to its origins, it turned out not to be malicious, but it was basically an in-memory attack, established back to an adware company based in israel, and it had complete command and control and could have stolen data at will. thankfully they were just trying to follow users around the internet to sell them minivans. but when we look at that, it was an adware company in israel that likely employed someone that obviously had nation state level capabilities. so now we're starting to see the proliferation of more sophisticated attacks.
we're not prepared for that. >> maybe just one thing. right now we're seeing a particular government threat actor that's targeting a number of banking organizations, and clearly they are interested in gaining money from those banking organizations. so one of the things we see them doing, they are getting access to swift alliance access systems, and then they are destroying the rest of the environment. this is a pretty big problem in latin america. unfortunately there's not a great collaboration or learning opportunity. to some extent the banks are sharing that information. this is a big problem that will continue to happen until we do a better job of getting that intelligence out there. >> that's an externally focused kind of threat view. i want to switch the attention to something that's often
overlooked, which is internal intelligence. switching gears and thinking about it, we have a massive amount of data we're collecting every 20 minutes in the government space, 24 hours a day, seven days a week, 365 days a year. a lot of it is information you normally wouldn't think of as intelligence-driven or intelligence-useful data, but there are opportunities that we may be missing to utilize compliance data and other types of vulnerability information to inform and focus efforts in hunting and incident response engagements. brad, i would like to get your thoughts on that and some ideas on how we can leverage that rich data source for advantage in incident response. >> we've been involved in the cdm program for several years, and back when we first started it was interesting looking across the federal agencies. different levels of maturity. some had complete asset
visibility. others were underreporting their total assets by potentially over 100%. so, you know, today through the program, the program has done an amazing job in terms of getting that baseline of asset configuration and other types of data sets. we saw that in action, you know, over the past, you know, year to 18 months on attacks. three to five years ago the question would come down to, what's the potential impact of this level of attack? the only way you would get an answer was to go out to the agencies and conduct a bunch of data calls, collect it on spreadsheets and get an answer which wasn't accurate. when we saw some of these recent attacks, you could get the answer in a matter of seconds because cdm was able to correlate and provide that data set. that's the first step. that's basically looking in the
rear view mirror in figuring out what the potential impact of an attack would be. moving forward, as the program matures we get more data and telemetry data. that allows us to do a richer, more proactive set of hunting. one thing we see across our more mature clients is to go out and look for adversaries on the network. >> charles, anything to add? >> i think from a caseload perspective, many years ago when we first started doing this incident response work, what we found was most of the organizations that we worked with learned about a breach because a third party told them about it. fast forward by several years, and today what we're finding is half of our clients are detecting breaches and the other
half learn from a third party. the data that they have in order to hunt their environment would help them more quickly be able to detect attacks in a much shorter period of time, and it's always better to learn about breaches on your own than wait for somebody else to tell you about it. >> i think i heard from several of the panelists today lamenting the lack of ability or lack of sharing of threat intelligence information in a useful and meaningful way and in a timely way. i think we're still dealing with the challenge out there where threat intelligence tends to be produced and consumed like media, like stories. how do you see, or charles, take this one, how do you see useful threat intelligence data being driven, ingested and actually brought into a format that can be used in a rapid, useful way in response to hunt teams? >> one of the things we like doing, we like leveraging indicators of compromise that help describe an attack or behavior.
the thing about that is you have to have the context around the indicator. knowing an ip address doesn't necessarily mean that if you see that ip hit today, it's evil. the attacker could have owned the machine many years ago. having some context behind those indicators is helpful. i like a finished intel story line. i want to see the technical indicators and observe that within an environment, but beyond that i want to know the story. what are attackers doing with that information? what are their goals? what are their objectives? how are they leveraging the tools in their operation? i also like to be able to hunt through a collection of raw intelligence myself, because some of the data that might be prepared for organizations, in general you want a high fidelity indicator, so you weed down the intelligence shared. hunting through a database and
large collection of raw information could also help you find other indicators you could hunt for in an environment. >> one of the things, we've been engaged in the threat for a long time, and when we first started, we would send threat reports and intel reports and indicators to clients, and the first question that we would get is, okay, this is great. now what do i do with it? should i resign? and the industry has come a long way since then. one of the things we're seeing now is we're getting much more mature from a threat intelligence standpoint, where we can curate indicators and provide better context. once you get that data, what do you do with it? in a lot of the breaches that we look at, our clients have the who's who set of tools. but the problem is the tools aren't tuned to the threats of today. so i think that, in my mind, the key question to ask is, based upon the intelligence, how do you operationalize that within
your enterprise? it includes your security operations team, to make sure you are tuned to detect and prioritize the threat, but also being able to tune your sensors, your endpoint security tools, to be able to actually operationalize and pop the flag around these high priority events. >> one additional note to that, which i found useful: building capabilities for the actual operators that are running in the environment. so the ability to drop in a question, and maybe this is a good use of ai. you'll hear a lot about ai. in our experience, being able to have a workbench area where a bunch of operators are used to working, and being able to drop in information and have machine learning algorithms kick back whatever they know about a data set in real time, has been a huge asset to our operations teams, and it's a key component of thinking about the problems, the
usability factor, and not forcing users to pivot to multiple tool sets, but having a front-end workbench solution that allows them to easily access that information in a way they are comfortable with. >> i think the automation piece is important for a few things. one, you need to be able to respond at machine speed. anything that you can automate to remove the human from the loop will accelerate your ability to respond. the second piece, we see there's a high turnover in cti staff. just on our team, you know, the turnover rate is so high because the skill set is so in demand. it's pretty obvious we'll never be able to keep up with the gap in talent. so looking at automation to accelerate the response and also to compensate for the talent gap is key. >> last question. maybe start with brad on this one. we talked about the legacy cdm
capabilities we can leverage. how do we see the landscape shifting with the new cdm initiatives coming down the pike and other federal initiatives? where do we see those focus areas evolving to over the next couple of years? >> i think that, i hit on this before, i think the key thing is moving beyond compliance. compliance gives you a good snapshot. there are mandatory reporting requirements. the only way we can get out in front of the threat is to go on the offensive, to be more proactive. in my mind that's two things. one is applying more advanced threat hunting, using, employing telemetry data to track the most advanced adversaries. the second point is, how do you determine how effective you currently are in terms of being able to detect threats? that's one of the things that most of our clients can't answer. you go into a security
operations center and say, what's the latest threat you've seen? they always say nothing has happened. that's not true. the other piece moving forward is being able to refine your security program by conducting more continuous red teams to be able to measure your effectiveness. >> charles? >> i would reiterate that. i find one of the most effective ways is to conduct a red team exercise against the organization. i find that companies will engage penetration testers but say you can't test during certain hours, you can't test certain parts of the environment, and if you find a vulnerability you cannot exploit it. it gives a false sense of security to the board. >> great. i think that's our time. i want to thank the panelists today for a great discussion, and i'm looking forward to continuing the conversation. thanks. [ applause ]