CyberWire Daily - Threat intelligence discussion with Chris Krebs. [Special Edition]

Episode Date: September 25, 2023

In this extended interview, Simone Petrella sits down with Chris Krebs of the Krebs Stamos Group at the mWISE 2023 Cybersecurity Conference to discuss threat intelligence.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:18 Chris Krebs is well-known and respected in the cybersecurity world. A former director of the Cybersecurity and Infrastructure Security Agency, he is now a partner at the Krebs Stamos Group and an advisor to SentinelOne. My N2K colleague, Simone Petrella, sat down with Chris Krebs at the mWISE conference in Washington, D.C., hosted by Mandiant and Google Cloud. Here's their conversation. So I know one thing that has been on kind of all of your talking points is how technological systems have really become part of enterprise risk management writ large. And then in addition, business strategy. So I guess maybe to kick it off,
Starting point is 00:02:05 what are some of the things that you think security executives and the teams in particular need to do to navigate between this kind of inevitable inseparability between technology systems, security risks, and business objectives? Yeah. So there are two immediate thoughts. One is that we really need security teams and security program leads to make sure that they're thinking strategically and not get trapped in the day-to-day shiny object procurement cycles. Really start thinking about the broader risk to the enterprise rather than, again, diving down into a single capability. And part of that is starting, as I see it, with a real full analysis and understanding of what your threat model looks like. We do see a lot of organizations that get wrapped around the axle on ransomware, which is important, and it's also probably the single greatest threat to
Starting point is 00:02:57 any organization. But at the same time, there's an increasing number of organizations that kind of fit into an adversary's playbook. And what we're seeing lately is much more aggressive behavior by particularly the Chinese Ministry of State Security and the PLA, as evidenced by the Volt Typhoon and Crimson Typhoon activity that was reported earlier this summer out of Microsoft, that shows that they're preparing for conflict. And in doing so, they would try to win the fight before the fight's actually begun. And part of that is going after U.S. critical infrastructure and our ability to support the military as well as just general civil society. So, you know, I do think it's critically important that organizations take a step back and say, how would I fit into an
Starting point is 00:03:40 adversary's game plan? And what do I need to do to step up from a security perspective? But also, you know, how do I need to work better with government and make sure I understand the threats coming my way? That's great, right? That's exactly where you need to start. How you get that done is actually quite complicated, though. You start with a threat model, you run a gap analysis against your current security program, and then you pull together the roadmap on how you do that. A CISO or a security team lead in their own positions will not be able to get that done in any sort of, you know, realistic timeframe or, you know, practically execute. It really does require high-level executive engagement to ensure that you're pulling together a team that can
Starting point is 00:04:21 communicate the risks to the business. And that's across corporate liability, shareholder value, operational reliability, and ultimately national security. And so it really does start, as I see it, with communicating to the executive team and the board in ways that make sense. You know, we in the security community have a different language. It's kind of all Greek to some of the folks we deal with. And so how do you translate that down into, you know, again, real business objectives and business language? At the same time, I've never seen a CISO be successful if they don't have the full support of the executive team and the board. You can be Phil Venables over at Google. And if the executive team doesn't
Starting point is 00:05:06 support you, then you're in a tough spot. So it is critical that you make that connection. And then again, stay strategic. Don't get trapped tactically. It's a marathon, not a race. So don't get wrapped around the axle on procurement and shiny objects. And then also realize, as I touched on a little bit earlier, you're not alone. It's going to take a collective approach here. So make sure you're working across industry. ISACs are great tools to make sure that you kind of know what else is happening
Starting point is 00:05:35 in the sector across the industry. And then, of course, keep working with government, whether it's CISA or the intelligence community and the FBI or foreign partners that play a similar role. You mentioned on the threat model side, just as a starting point to kind of coming up with that strategy. Obviously, in cyber intel,
Starting point is 00:05:52 we're pretty good at tracking and attributing campaigns. We've done that across the MITRE ATT&CK framework, across a number of different kind of threat actors, but we're not so good at attributing it to people. And so for the general purposes of cyber defenders on the ground, does it matter if they know if the attacker is from Russia or China or North Korea? From a strategic perspective, I think it does. And yes, it is difficult.
Starting point is 00:06:17 I think in many cases, we're getting better insight and we're getting better insight into the behaviors. But at the same time, the adversaries know that we're getting better and they're getting better as well. So you're starting to see a little bit of obfuscation and mimicry and third and fourth party collection that makes you think one thing, but it's really the other thing. But again, this goes to the importance of understanding the adversary's objectives. And I think you're right. We are getting better at attribution. A lot of that's on the tactical level and the TTPs. That helps you from the day to day. But if you think about where we're going geopolitically over the next three to four years, you really do have
Starting point is 00:06:55 to have a better understanding of what the adversaries' overall objectives are, where they may be going, what are they preparing for, and how do you fit into their plan? And this does get much, much bigger than just defense industrial base and even banks. Logistics, travel, you know, how do we move troops into theater during a conflict? And it's under the Civil Reserve Air Fleet, which uses domestic and international carriers, otherwise commercial airlines, to move troops. And now commercial airlines are squarely in the sights of what I would see as a Chinese escalation. Yeah. So given that, do you think there is a common set
Starting point is 00:07:31 of intelligence requirements that organizations have or they should have with respect to cybersecurity? Common kind of depends upon the sector. It depends on the sector you're in, the sector you play in. It also depends on a lot of your supply chain dependencies and what you're relying on. Per industry, is there a cyber risk registry that's consistent? Yes. How you feed into the risk registry and how you look out across threat model, there's
Starting point is 00:07:57 going to be some kind of tailoring to the sector and the subsectors. So switching gears on you here a little bit, but since you left CISA, the agency has been pretty much on the lead or pegged as the U.S. government's efforts to help attract, retain, and bring in additional cybersecurity talent. And I'm curious, even from your time and what you're seeing now, what are some of the skill sets that the agencies you've worked with need the most when we think about kind of the cybersecurity profession? Yeah, I think one of the real turning points over the last several years, particularly at CISA, is, you know, the ability as a, I actually, it's not too different from the private sector, right? It's the ability
Starting point is 00:08:39 to communicate risk in a way that makes business sense. How do you talk to not just the defenders that understand how to, you know, they know what a YARA rule is. How do you talk to their executives that set their budget, that give them, you know, that have the governance and policy responsibilities? And that's one of the big things that we really tried to emphasize in my time. And I see Jen continuing to do that, working at the senior levels to help them understand. The best example that I have here is in 2020, at the very end, January 2nd, when the U.S. government took out General Soleimani
Starting point is 00:09:15 with the IRGC, we were able to immediately get not just some tactical information out to defenders on here, the common TTPs for Iranian threat actors and their proxies, but also flip it into an executive version that said, here's why this matters to you in the private sector and the things they've done in the past, going after banks and other critical infrastructure when they're agitated and how they've hit regionally as well as they've hit. So trying to put into context why events matter to executives,
Starting point is 00:09:46 not just at the technical security level, but also at the business risk level. That's the sort of thing, again, we need more people that understand how to communicate in business terms. I also think the thing that I've been really kind of heartened by is the continued emphasis on building out. This is a field force. Jen Easterly, it was a month or so ago,
Starting point is 00:10:07 announced that there are going to be election state coordinators out. And I understand they're in the process of hiring and interviewing for this. I think that's fantastic to have dedicated election support teams out in the regions, as well as the continued cybersecurity advisors, so that you can get that, you know, last mile engagement, that last mile tailoring of engagement. Because otherwise, if you're pushing this out of DC, it's just not going to land, it's not going to resonate uniformly. Well, I think what you're also pointing to is just the importance of being able to connect
Starting point is 00:10:40 and communicate, like what's happening relative to those business objectives, whether it's an agency, whether it's a private organization, a corporation. And that's sometimes beyond just the technical acumen that we see in raw cybersecurity skills. Yeah, and there's another aspect of this is that I continue to encourage some movement in between government and industry. I think it's only helpful if CISA has personnel that have either in government, whether it's local, state, or federal, or out in the private sector, that have practical experience managing networks. The real, you know, the hands-on nuts and bolts of what it takes to operate
Starting point is 00:11:21 and maintain a system reliably that informs some of the recommendations that come forward rather than just the pure security practitioner that sits in government. I know one of the things we talk about is this idea that, you know, we in the cybersecurity community have spent so much of our time kind of focused on like finding those unicorns or finding someone who has all that experience and then can all of a sudden communicate it. And it's partly because we focus on the individual and try and hire those superstars right off the gate.
Starting point is 00:11:49 But in reality, a lot of times they just don't exist until we grow them. So, you know, should we shift our attention from finding those diamonds in the rough and grow that workforce more than we have necessarily in the past? Well, I think some of the programs that have been put into place for hiring over the last year, including the cyber talent management system, is going to give a bigger kind of top of the funnel for recruiting to bring in more technical people that don't stick to the traditional GS scale that really is more of an administrative management approach. And, you know, you don't really know how within the GS scale, how to hire and retain
Starting point is 00:12:27 someone that may have been, you know, hacking boxes since they were 10, 11, 12. And now they just finished either a two-year school or maybe didn't even go to college. And it really does prioritize the GS scale, you know, for your degrees. And that may not always be relevant. And so CTMS should give an advantage, but, you know, there are still challenges in hiring in the government. It takes too long. It's far too bureaucratic. You have security clearance challenges at times as well. So, you know, we need to continue looking to make sure that we're not over-classifying and over-speccing positions. And, you know, within my role at the Aspen Institute in the cyber working group there, we have done some work on hiring
Starting point is 00:13:06 recommendations, including making sure you're not over-speccing and things like that. Well, my last question is probably the most important question slash statement, which is, I have been told that you are known for your socks. And I wanted to, even though I can't see them, I wanted to share with everyone your socks. Oysters. Oysters. All right. Just in time for fall. Yes. No. I kind of got away from socks for a little bit. And then I mainly just would not wear them during the summer in particular. We're just coming back into it.
Starting point is 00:13:38 Yeah. Right. There we go. Awesome. Well, Chris, thank you so much for taking the time with us this morning. Really appreciate it. Yep. Thanks.
Starting point is 00:13:44 Have a great day. That's Chris Krebs speaking with my N2K colleague, Simone Petrella.
