Kentik - Network Observability
More episodes
Telemetry Now  |  Season 1 - Episode 11  |  April 4, 2023

Data-Driven Defense: Exploring Global Cybersecurity and the Human Factor

Play now


Today's cybersecurity landscape is about less about knowing all about hashes and encryption, and more about understanding data, politics, and how adversaries operate in the real world. In this episode, TJ Sayers, Manager of the MS and EI-ISAC’s Cyber Threat Intelligence team at the Center for Internet Security, joins us to talk about data-driven defense and how the human factor plays a much bigger role in cybersecurity defense than we realize.

Key Takeaways:

  • [00:01 - 01:10] Introduction
  • [01:20 - 03:49] Meet TJ Sayers, Manager of Cyber Threat Intelligence at The Center for internet Security
  • [03:50 - 06:53] Unconventional paths to network engineering
  • [06:54 - 09:29] The most prolific threats happening today, and what we should be worried about
  • [09:30 - 11:19] Criminal syndicate models in the cyber world
  • [11:21 - 15:30] A defense in-depth layered approach to network fires and alerts
  • [15:45 - 21:25] Observing malicious activity on the network and determining incident information
  • [21:59 - 24:55] Comparing tremendous amounts of data, and subjectivity
  • [24:56 - 26:57] Combatting alert fatigue through a Security Information Event Manager platform
  • [26:59 - 29:20] The mission of The Center for Internet Security
  • [29:21 - 30:43] Working with organizations to monitor, audit, defend, and report on cyber threats
  • [30:43 - 33:30] What types of telemetry data TJ and his team use to detect threats
  • [33:31 - 39:43] The focus on improving the cybersecurity landscape
  • [39:53 - 43:09] Punitive measures to combat bad actors
  • [43:12 - 50:09] Threats to our public utilities grid


Security incidents, malicious cyberattacks breaches.

They often manifest themselves in some sort of performance degradation.

So maybe a slow application or maybe a slow network, sometimes to the point that services become completely unusable, But sometimes an attack isn't so obvious, especially with today's more sophisticated methods, sometimes we don't know when we're under attack for days, weeks, or even months.

So how can we ever really truly understand what's going on today in terms of security especially when our infrastructure is distributed across campus, across a remote workforce, private and public cloud, microservices architectures, and intertwined with the public internet itself.

Joining me today is TJ Sayers, manager of cyber threat intelligence at the center for internet security, a nonprofit group that helps private and public organizations secure their infrastructure, data assets, and implement secure best practices into their own operations.

No small feat, no easy task. And today, we're gonna answer that question.

I'm Philip Jervasi, and you're listening to telemetry now.

DJ, thanks so much for joining today. Looking forward to talking to you, about this for a long time now. So thank you for joining. Before we get into it though, I do want for our audience to say to, to get a quick explanation about your background in the field and your experience in technology and cybersecurity in general.

Yeah. Perfect. Thanks for having me on, Phil. I really appreciate the opportunity and looking forward to, profitable discussion here on on the visibility side and then the security side. So my background has been rather unconventional getting into the space. So I actually started off in a political science and public policy, for my collegiate studies.

After I finished a bachelor's degree, I was like, what am I gonna do with my life? And the military seemed very appealing at the time. So I ended up enlisting in the Navy, as an intelligence specialist, and did a brief stint on active duty and hopped into the reserves.

And I had the same kind of epiphany when I got done with the military training going into the reserves is what do I wanna do now? You know, I did the military thing. I'll be in the reserves.

What do I wanna do civilian side? So there was a graduate program, that was of interest to me. I got into the grad program and one of the requirements was an internship.

And I should note too, even my grad program was public administration focused. It had some sub disciplines in homeland security and cyber security. And because of those two things, I ended up taking a course, in cyber. And I've struck up a good professional friendship with my instructor, who brought me on as an intern, at the center for internet security.

And I was in the internship for a while, and I was hired on as a full time employee.

I've been at the company for about six years.

I'm still full time in the navy as an officer as well. And pretty much all of my cyber experience since that point has come from on the job training, and certifications and things like incident handling, computer forensics, malware analysis, and reverse engineering in variety of different roles. So we use on capacity, down with DHS.

I was the elections analyst for a time at the organization when the election security component, was first being stood up. And I spent probably the majority of my time just looking at cyber threats across what we call the SLTT landscape. So the site, state local tribal and territorial US government.


You know, I I have to say, we've had many guests on on the podcast and other podcasts that I've done in the past. And it is such a common theme that we come to this field, whether it be security or traditional network engineering or whatever, to have an unconventional path to get there. Absolutely. Yep.

You know my background, DJ? Yeah. You you know my background. I started off as a high school English teacher for the first for five, six years of my life before getting a help desk job.

And then for whatever reason, getting into network engineering instead of whatever other, you know, avenues I could have taken So it's really interesting to hear that. And I think it gives us you and me and others not to say that people that don't have an unconventional path that have a very computer science degree and they go right into an internship that that they're lacking. But I I do feel that we haven't a unique ability to see things a little bit differently.

Perhaps like for my sake, being able to communicate in customer presentations and and and do that sort of thing. Again, not to say that people that don't have that background can't do that well, of course. I work with them every day. But I I do appreciate that. And and I think, it's a it's a benefit probably in a security field as well. I have to assume with your background in public administration and and that sort of thing. Right?

Yeah. Absolutely. In fact, that's one of the things that we when we go around and speak to schools and things at the company, you know, we try to encourage the students that not necessarily a computer science, you know, very technical degree degree program that you get into this industry. There's a lot of different pathways into it. And I think one of the biggest value adds that we can derive from that unconventional pipeline is that we bring in people who can public speak, we bring in people who can take very technical content and put it in terms that, you know, a broader community would be able to under stand. And that's a challenge that I think coming from a purely technical background.

People encounter is that they're very versed in the technical material.

All they talk about is technical content. They talk about it with peers who are extremely technical, and then going and trying to communicate that to people who are not in the field. You know, it's hard to digest.

And it's also interesting too. I've I've moped this over recently. You know, cyber and networking, they're technical, but there's a lot of other industries out there that are also technical. Right? Like, I think of Navy, right? I'm in the navy.

Monitoring and and doing things with like radio frequencies, looking at Sonar for submarines. Right? There's entire disciplines that are aged around that stuff and they're extremely technical. Even legal disciplines, you know, health care, they're they all have their technical jargon and their technical in different ways.

So I think the real, you know, focus is critical thinking. You know, it's something I I communicate to applicants coming on to the team in the organization. It's critical thinking is huge. Are you able to communicate your thoughts effectively verbally and unwritten form?

And a lot of the technical skills you can learn for job.

And you you mentioned a few of the tasks that you've done over the years earlier, and they sounded pretty technical to me. The the types of forensics and investigations that you did. So well, you know, and that actually leads me to my first question. I I'm familiar with some of the security attacks and and the things that are going on simply because our company does have a threat fee that we ingest and that we disseminate to our customers and we use as part of our database But what would you say in your experience are the most prolific threats that are actually going on today that we should be worried about and thinking about?

Yeah. So I I've probably been this in two categories. It's a great question. The the first would be financially motivated threat activity.

So this is everything from, you know, theft of intellectual property.

It's goes all the way towards like ransomware incidents, right, where they're deploying a ransomware payload on your network, and then they're trying to extort you to get your data back to pay that ransom demand. And we've even seen offshoots of that where we call double extortion where they're then exfiltrating the data off the network. After they've encrypted or prior to them encrypting it. And then they're saying we're gonna post this to the public if you don't pay us.

And now you have added pressure for them to, you know, for you to pay. So I would say that's the first one is financially motivated stuff. It's extremely prolific. Everything's interconnected now, and there's just endless ways for for bad actors to make money, by attacking organizations in the cyber world.

And then I would say that second is the more persistent nation state affiliated, threat out there. This is much more slow and you know, steady and low trying to float below the radar, gain access into government networks, even organizations like yours or mine.

You know, private sector industry, health care, pretty much every industry you could think of there's valuable data there. Right? There's value by just being able to get access to the network and gain some level of backdoor access or persistence.

And or countries like China, Russia are known for doing this, where you will see hey, we're seeing some bad activity on the network. And then you go and do a forensic workup to investigate and you realize they've been on there for two plus years. So that that's definitely a huge concern, but it's not as much of a halting your operation and disruptive concern on the nation state side. The financially motivated side of things will certainly bring an organization to a grinding halt.

So is there validity to that, this narrative that's going around that a lot of these bad actors, right, these bad guys. It's almost like a company unto themselves where they have practically an HR department and and their own staff, and they take off on the weekends and holidays. And they're there literally just to make money. And their but their method, their their business plan, so to speak, is to, attack you and and to use ransomware, whatever other means, to to get money from you. But but in any case, you know, means aside business plan aside, they kind of operate like a business. Is that is that true?

Yeah. They do. They they we have seen the typical, you know, criminal syndicate model move over to the cyber world. Right? There's then that's been been one of the biggest changes over the last few years and decade, you know, is that it's gone from, you know, one actor having some techy skills and able to, you know, conduct the breaches and steal information and and and and do bad things to full blown organizations that are operating to make a profit in the criminal underworld.

So this is especially true when we look at countries like Russia, Right? Russia pretty much has this policy that as long as you don't attack us, you can attack anybody else, right, and and make money off of it. So we we do see organizations, everything from people who are doing the malware development, people who are coding and, making the delivery aspect of it right through compromising network devices to make a botnet. And you see it all the way down to money laundering, partnering with certain people, insiders at banks or, you know, using cryptocurrency using mules.

So it is a very elaborate, it is a very elaborate organization in in a lot instances when you're dealing with some of these sophisticated cybercriminals.

And and so a moment ago, you mentioned when you see something going on in the network and it maybe fires off some alert, and then you go to investigate it.

What what did you mean by that? What are you looking at out there in the world? What is, you know, obviously, it's different for different context. I'm sure. But what are you actually looking at to tell that there is something bad going on.

Yep. So it's from I could speak, you know, confidently from my organization's perspective, a lot of other organizations have somewhat of model, but I I think typically it's some type of defense in-depth layered approach, where you have, you know, firewall at the perimeter or some form of network IDS or IPS.

That's monitoring for traffic at the network level. Right? We at CIS have what we call Albert, Albert to network network IDS that runs off of Suricata. And basically, we capture Netflow and anything that matches the pattern for the signature will then send an alert to our sock for them to analyze.

So that's a network piece. Okay. So we're looking particularly for anything that's abnormal. Right? Are we seeing connections from services to obscure ports that they would not normally connect to?

Are we seeing significant, you know, bit transfers across things that we've not observed before. Right? That's just at that level, and then you'd go down to Suricata.

Saying, you know, we know this particular domain or this URL pattern is associated with this particular malware. If we observe any of that and it matches the signature, that'll send an alert to us to investigate further. And usually we'll work with the member to help identify, did it go any further? Was it blocked?

We also run into some issues too across the industry of where exactly is the IDS or IPS placed, right? Is it before the firewall? Is it after the firewall? Is it in line? It's out of line. So that also complicates collection there a little bit at the network level. So the the the other things there would be you know, host level detection.

So things that we would look for on the host, which there's two different forms. There's there's like XDR, which is, you know, extended the detection and response. And then there there's industry term CIDR endpoint detection and response. And these are basically just, you know, more, heuristic based host level antivirus solutions that organizations can deploy, below the network level. So this is gonna monitor things like you know, spawned processes, registry changes, new files getting created, you know, files being created by things that should not be creating files, escalation of privileges, so that's a normal user, and all of a sudden, the user is becoming an admin user.

The user accessing resources they haven't accessed in the last six months, maybe accessing certain resources that should never be accessed by that user. So just monitoring things at the host level to kind of give, you know, some more detailed host level insight into whether or not this is normal user behavior or this is more indicative of, you know, some type of intrusion or malware infection.

So you're this certainly sounds like a defense in-depth like you because you mentioned, DPI. You talked about packets. You talked about flows. You're talking about host level information. And by host level, I have to assume that you're talking about endpoint, but also the host as in, like, the resource themselves.

So, you know, if I'm some organization with remote offices and a primary and secondary data center, hundreds of bare metal servers and thousands and thousands of VMs, a public cloud footprint SaaS providers. I mean, those are all hosts, and those are all different metrics and logs that you wanna collect. Right?

Yeah. Abs absolutely. And that's one of the challenges in fact that we have is the sprawl of infrastructure in some of the organizations that we, we, seek to provide our services for.

They oftentimes, we find in investigations when we do identify an intrusion that the adversary has a better network map and mapping of assets, than the organization did just because of the size and enormity of them.

That's interesting. Yeah. Interesting and sad coming from a network engineer background because we're always complaining about not having good network documentation, and we're always trying to figure out where traffic patterns are or where traffic is going to. So that is a very interesting point that you make.

So you're collecting a tremendous amount of data. Right? You have you're ingesting, you know, who knows what logs, you're collecting flow information packets, all this stuff. Right?

There's gotta be a data science workflow on the back end that you're able to figure this out. Otherwise, you're just you're literally just trying to find signal and a noise and it's especially if you're trying to investigate a real time security threat, that's gotta be really difficult, especially if you're talking about multiple customers, right, and doing this as a service and not just for your own small network and wherever you're, you know, whatever city you happen to be in, localize.

Yeah. Absolutely. And historically, we used to keep everything on prem, and it quickly became, an issue of scale, in the enormity of the information that we were ingesting. And, you know, we're upwards of hundreds of petabytes a month now, and we're collecting, and pulling for for analysis.

So we, yeah, we've moved over to to, cloud solution, and that's where most of it's stored and we're able to search, retroactively, for, you know, many, many months in in in in the past, to look for things, because oftentimes, that's a problem with the security incident as you may not notice it immediately.

There's very easy ways to get in through, like, a compromised credential. Right? And that looks like a legitimate login because that's a legitimate user. And so you're able to get in that way.

It's not till three, four, five months later that we're like, hey, you know, that login that happened there is actually a bad actor. That person doesn't even work here anymore. Or that person was on vacation when they logged in. And, you know, next thing we're observing is like malicious activity on the actual network.

So That's one of the storage issues we've run into, and it's a industry problem. It's having enough data set. Having enough data to look back retroactively once you realize that's happened. Right?

So the ways that we do that is cloud storage. We're able to search it really efficiently.

And then for my team in particular, we have what's called the threat intelligence platform. So all of this data, we have hundreds of threat feeds flowing into it. We're able to ingest, internal data from member reports in our collections into that platform. And it really tees it up for the for the individual analyst to look at.

So they're able to kind of build out actor profiles. They're able to look at specific, indicators like this IP has been observed in this traffic and this IP is tied to you know, these five other incidents that have happened over the course of the last two months, and you can start building a threat picture of what we we think is going on here. So that's really CTI specific, but more organizationally, you know, we have in operations. We're bringing in, a new one now, but we have an existing SIM, where there are soc analysts live and they're able to identify alerts coming through other network and kind of identify where this is obscure or this is probably normal activity and we'll send out alerts to the member.

But I would honestly, Phil, I would say by and large, we the way that we collect information and the relationship that we have with our membership is is most key. So we observe something bad. Right? We'll escalate that to the member.

But the most important interaction in that is continuance of discussion with the member to identify and investigate on their end. So that's usually where like one server modifier or one obscurity in network traffic leads to, hey, we think something's going on here. Can you please look for these things or look for these areas. Right?

And that's where CTI would come in and say, we've seen that pattern before. And usually, after we've observed that, it's one of these five things that we see next. Have you seen one of those five things? Okay.

You've seen one of those five things. This looks like it's gonna be a full blown incident. Let's bring an incident response and then we start helping the customer troubleshoot.

We call the members help the members troubleshoot through the incident. Try to identify exactly what the extent is. And like I mentioned earlier, you know, usually the cases, the actor either makes a mistake. They get a little too noisy it's identified that way. And then we realized they had access into the network for, you know, several months up to two years or more.

For the more sophisticated actors. But the storage aspects, you've definitely been something, and the SIM in the threat intel platform help with the analytics side. And then we we do have data analysts at the organization.

So some of them specialize, in just like warehousing how to, you know, store the data so that it's easily searchable.

We have people who use our studio and, you know, write their own code to use statistical models to look at that stuff. And we've recently started using power BI and things like that to create visuals and to be able to see a picture. Right? It's one thing to have all these ones and zeros and, you know, this flag and that flag and, you know, these indicators from for source and destination IP.

It's it's another thing entirely when you're able to visualize that information and to start, say, oh, wow. Look, we have clustering over here. You know, and then it's reaching out over to here, and that's not normal. It shouldn't be reaching out in that capacity.

So that really blends a lot of insight for us. So we're really big into the visualization CIDR, not just for identifying things, but also for communicating effectively up to leadership and out to the to the membership that, hey, here's what we observe, here what we think it's doing. Here's what you need to do to, to, to first kind of close things off and then begin to remediate and hopefully get back up on on your operational feet as it were.

Yeah. That's that's so interesting because You know, we, at at my company, use so many of the same workflows and tools are similar. I'm gonna say similar.

But for somewhat different purposes. But, yeah, how do you how do you ingest a tremendous amount of data? Because if you start to add up all the different types it's a lot. It's a very diverse data that we that we can collect from the way we do networking today, the way that we deliver our services over the public internet and all that.

So there's a lot So just volume. But also the the variety. I mean, we're talking about very, very different formats. So one of the things that, we have to solve is how do you plug these things into mathematical algorithms, whether using machine learning or or more basic statistical analysis, and then compare values when one value is millions of packets per second and over here, you have a value that's a percentage.

Right? And over here, you have a value that's just a security tag. Right? It's a random tag.

It's just an identifier. It doesn't even represent an actual value. How do you know? So that's where you get into the really interesting stuff, like, machine learning pre processing, normalization scaling, all that kind of stuff in order to then take all that plug it into whatever models you're using, and then identify hopefully, right, strong correlation and causal relationships.

Now one of the struggles that I have seen in the industry, not so much on the security side because I'm not as plugged in, which is why I wanted to talk to you today. Is the, the rate of false positives. So, for example, on the network visibility CIDR, and now network observability side, having this, you know, this this correlation pop up and then the, you know, the system says that these two things are related, and they're really not. And all of a sudden you have false positive and you're wasting your network operation cycles trying to figure that out.

And being able to then also add the subjective component of the engineer because sometimes it is a strong correlation, but it's not that important. So for example, I had this weird DNS thing happen over here and now my hundred gig link that's typically one meg is now chugging out along at at ten megs.

Who cares? A ten meg, you know, uptick on a a hundred gig link doesn't affect anything. Nobody cares. Maybe I will of if it keeps trending. So that's been really hard too is adding the subjective component, which I have to assume is very difficult for you, or or at least your organization. Right? Does that make sense?

Yeah. Absolutely. It it does. That's a that's certainly a problem we deal with as well. It's one of the reasons why I highlighted earlier in our our discussion. How important the interaction is with our membership and being able to say, you know, for your organization, we're seeing this Do you even have that process, or do you even have that application in your network, or is this just the false positive that we're getting?

So I would say by and large probably eighty five percent of the things that are coming in are ruled closer to the false positive side of things, and that's why we still have some tier one analysis that's done after the initial after the initial sweep.

Right? And then we're trying to only send out high confidence alerts to members because it's everybody experiences it in many industries, but alert fatigue is huge in security. Right? You're just constantly inundated with this fire over here, you know, this not, you know, weird thing happening on this system. Is it something that's can be easily fixed? Is this something that's legitimate?

So we really try to to provide just things that are high confidence out to members.

So how do you defeat alert fatigue, especially in the con the context of cybersecurity? Is it is it a manual process of just having more bodies going through and and looking at the alerts and seeing if they're legitimate or not, or are you able to do that in some kind of a programmatic manner?

Yeah. So that's that's really where the SIM comes in. So security information event manager. So that's like a platform.

It's a UI even that a that the analyst can live in. And that does a lot of machine learning and baselining for us. So it helps us kinda automate some of that. So it doesn't have to be a manual review on every single alert.

And then the other big component is understanding just a threat landscape.

Oftentimes we'll see old signatures or old activities still designated in open sources as being a bad. And so you'll still get a false positive because something will be matching the signature. But we'll we're able to say based on more extensive research that, hey, you know, that particular threat actor group is not using that infrastructure anymore. So even though it was bad in the past, it's no longer bad. So you can white list that signature.

I I'll hammer again relationship with the member and being able to just outright ask them, hey, we're getting a ton of alerts for this specific thing. Can you investigate further? And oftentimes, they'll say, you know, that's a, you know, that's traffic going to our our cast register. You know, in the lunch line or something like that.

And it should it's not even internet connected, and it's just a local, you know, traversal And it's a truly a false positive. You just shut that off. Right? And then we reduce the amount of alert fatigue that's coming in.

So those are probably would be the big biggest ones And then I would say the more proactive, we can be as an organization to get indicators that we know are active and malicious out to them so that they can block them proactively will reduce the amount of alerts that we're getting because it's not gonna traverse the sensor if they're just blocking it right at the perimeter before they're able to even get in.

Yeah. So this is this is a data science problem. I mean, ultimately, what you're doing is just ingesting a tremendous amount of information and trying to mine through it. I'm assuming you have your members of your customers.

Right? That's synonymous. Correct? Actually, that's a that's a question I want to ask you is what is the kind of the mission of your organization and how are you structuring this?

Cause it's a you mentioned members. So is it different than just having customers. You're also a nonprofit. What how does that work?

Yeah. So the center for internet security is a non for profit. It's the Organization that's focused on like the CIS controls. Many people know them as the SAN's top twenty historically, but they're now the CIS controls, and there's eighteen of them.

So CIS focuses on basically industry wide best practices, hardened images, benchmarks to gauge where you are at with security.

And the mission of that organization is confidence in the connected world, essentially.

Where I work and where we're more operational dealing with the threats on a day to day basis is in what we call the ISacks. So information sharing and analysis centers. There's two of them under the CIS umbrella. One of them is called Multi State or MSISAC, and the other one is elections infrastructure or EI ISAC. And basically, those are funded through the Department of Homeland Security, specifically CSA, the cybersecurity and infrastructure security agency.

To provide cyber security, incident response services, threat intelligence, support out to state local tribal territorial and US election offices. And I know that SLTT term can be a little confusing. So I think the easiest way to think about what is our membership base is any taxpayer funded organization below the federal level. So that's everything from a local library schools all the way up to some tribal casinos, you know, major US government infrastructure in the SLTT space pretty much covers every critical infrastructure sector you could think of. Right? Water and waste management, transportation infrastructure, energy infrastructure, healthcare, you know, you name it telecommunications that all falls under the SLTT umbrella in the US. And our membership is open to all SLTTs or election offices as long as your taxpayer funded below the federal level.

And you're working with these organizations not only to monitor but also to, to work through some sort of, maybe audits, if they're, regulated industry. But also for doing the forensics analysis in a post mortem or in real time trying to to stop and attack. Is that right?

Yep. Yep. So we do On the ISAC side, we do everything from, you know, initial monitoring, sending the alert out to if we do observe bad thing happened. We'll do a full, you know, incident response and forensic workup. And then we also have the proactive side of things where, you know, we're looking at one event that maybe, let's say, happened in Texas. Right?

What happened in Texas is that unique to Texas? Is that a threat, they're specifically interested in one organization, or is this indicative of TTPs that are more TTP, tactics, techniques, and procedures that are more broad across the larger industry. So we're often able to proactively identify incident in one state and get that information out to the rest of our membership, which is all US states territories, saying, hey, we observe this here. We believe that this is something that may also impact you down the road. Here's the things to proactively defend yourself. So we do both the reactive and the proactive side of things in addition to network and host level monitoring.

So then, we talked about how you you have to and you do ingest this tremendous amount of telemetry from network and resources and hosts and and all of that stuff.

Is there a difference though when you're doing some sort of proactive investigation or remediation against a security threat. Is it then still just flows in logs, or are you looking at some other kind of data, some other kind of telemetry.

It's gonna be a collection of all the things that we we talked about previously. And then I would say, The the big thing with the proactive component is going to be understanding the motives and more of the human side of some of these threat actors.

So, you know, threat actors take breaks too. Right? We talked about that at the you mentioned that and passing at the beginning is the ebbs and flows of data.

We also observe threat actors take holidays off. They're interested in anniversaries.

Right? So right now is, you know, near the anniversary of the invasion into Ukraine with Russia. And we're on heightened alert because we realize that these anniversary are important to some of these actor groups. So we're at a heightened posture monitoring for things that may occur, and we're able to proactively get that information out the member saying, hey, this state's coming up or, hey, this thing's happening and we always see some type of action there. It's also understanding kind of broader US policy.

And how other foreign governments and criminal groups respond to that. So, like, Iran is a great example. They're very tit for tat. If we do something they're gonna respond.

A lot of times that's in a cyber capacity. So we could monitor like US's sanctioning them or we're having diplomacy talks that go awry, we then expect Iran to lash out. Right? So it's kind of the human element in the proactive space.

And that's really what my team specializes in, is the proactive component is trying to understand the threat actor everything from the criminal. Organization all the way over towards, you know, your state affiliate or your state sponsored organization, and what drives them, what's their motive What are they after? You know, what are the historical trends and patterns that they're doing? And then we couple that with the technical collections and what members are feeding to us and marry those two things together.

And then we're able to kind of give them a little bit more of what we call tory analysis. So it's not, you know, bad thing already happened. Right? It's left of boom as we like to say.

So before boom happens, we're able to tell members, hey, we think this is going to occur. Here's what you do to protect yourself. And hopefully, if they implement the guidance and we have our assessment, you know, correct, they're able to, you know, prevent an incident from happening at their organization.

So where is the investment, today? And where is the focus today to improve the cybersecurity landscape in methods and and in your practices?

Yeah. So we're there there's a lot of things happening in the industry. And I think most of the focus now is on partnerships.

So building relationships in the community between, you know, state local, tribal, territorial, US governments, and federal resources.

So there's things like the state and local cybersecurity grant program, which, gives federal resources to state and local cyber programs to help them, you know, expand their capabilities.

Some instances, the designation of infrastructure as critical infrastructure. So actually having that federal designation, gives the federal government the ability fund and provide resources to some of these under resourced communities, and it's usually an issue in the SLTT space. Is that they're heavily underfunded. And any funding they do have is most likely not being, directed towards cybersecurity related.

You know, endeavors. It's it's designed to, you know, make sure the infrastructure is available and people are able to connect and security is unfortunately an afterthought. Most cases because security is very expensive.

So that's a huge component too. And then I would say probably The biggest thing, on this level is growth of, public and private sector collaboration.

So basically partnering between, you know, federal government entities, state government entities and the private sector.

We've seen things even in the recent National Defense Authorization Act, which is more of a defense and military oriented, budgetary document, that has included language, like allowing United States cyber command to partner with private sector organizations for more of like you know, response or hack back or offensive measures against organizations criminal enterprises or foreign governments that are attacking, US infrastructure.

So partnerships is huge. And then if I was to talk about like technology, To be honest with you, I'm I'm a little jaded in the in the technology space. I I have seen so much and I have observed the adversary in so many different ways. And I'm near convinced that if there's enough resources and determination that there's always a way into a network, that a compromise is almost impossible to avoid.

And I think it really comes down to what technologies, what methods of detection can we come up with to stay ahead of the curve, But really to address what I would call the in is an industry kind of thing is called the pyramid of pain. So addressing more of the behaviors that tactics, techniques, and procedures of what threat actors are doing instead of just addressing like trivial things like hash values or domain names, IP addresses that threat actors can very easily change.

And I think we're still making that shift. In the industry right now. Moving away from just blasting out IP addresses domains and hash values and having people block those things We're getting into the world now where CIDR, you know, more advanced network monitoring stuff is looking for, you know, patterns of behavior that are known to be bad things.

Some of the things we talked about earlier.

Identifying those things and being able to proactively block once that behavior is is captured and not just, hey, we observe this bad IP address. Let's block connection.

Yeah. So there's no silver bullet from a technology perspective that will solve all our problems. It sounds much more process and best practice oriented.

Yes. Yeah. Unfortunately, unfortunately, there's there's not. It's a it's a whole layered approach, reducing the likelihood that you're a low hanging fruit and increasing the amount of pain as it were that it would take the adversary to attack your organization, you know, every we tend to think of criminal organizations and foreign adversaries as being like having unlimited resources.

They're just as resource constrained as we are at local organizations and private companies. Right? We only have so much money where there's only so much we can do. So if we can increase the cost of them being able to carry out attacks, that's gonna reduce the amount of attacks that we see.

And I think one interesting area I've really been, trying to push towards is having a more efficient and cheaper way of backing up data.

Data storage in and of itself is enormously expensive as as we discuss.

Analyzing that data and all the different types is hard and can be expensive.

But backups are pretty much by and far, especially with ransomware being out there, especially with having your whole organization brought to a grinding halt. Because everything's encrypted.

The single best solution is having a proper backup policy in your organization. Are you actually able to back up all of your data? Are you able to restore from that backup if something happens?

I think is key. And one of the biggest bars that afflict every organization is that backups are enormously expensive to back up all of your infrastructure and all of your data you know, is is not only complicated. It's expensive.

You have to test it regularly to make sure it actually works.

But finding a solution, finding some technology to make that more efficient and cheaper, I think would go, you know, would put us way ahead, in some respects on on being able to to go through some of the the challenges we see in the security space.

Yeah. Handful of snap snapshots and a couple of cold spares, like, cold spare switches on the shelf is not sufficient.

So what are the punitive measures that that we can take or that, I don't know, you take or the governments, that you interact with take when you catch the bad guys.

Yeah. So this is a this is a federal law enforcement thing, and I would say in some spaces, a US military So there's there's unfortunately not much that we can do, from an private company and a, you know, our our membership based SLTT based, you know, sector to levy punitive actions on actors attacking us. But what often happens is the FBI gets involved, other federal law enforcement agencies get involved, and they're able to trace back what these attacks are who may have levied them and find out the, people behind the scenes responsible.

So we we see things all the time like warrants being posted by the FBI, sanctions being posted on on on certain businesses and banning travel by certain individuals.

And, you know, sometimes we see arrests where you know, people are caught up in vacation and the FBI is able to swoop in or another federal law enforcement agency is able to swoop in and address them because we have a relationship with that foreign government to do that. Right? We can arrest an extradite out of the country.

But by and large, I would say a lot of the threats that we see, they are traced back. Eventually, we find out who's responsible. But they live in a country that there's no extradition, on the books. So we can't do anything really outside of post their face all over the internet that there was responsible for this thing and ban them from traveling to any countries, or putting sanctions on their assets if they have foreign assets.

So that's kind of the law enforcement side. And then I would say more like if you think of cyber command, US military, NSA, etcetera, you know, they're they have, kind of offensive defense, if that makes sense. Right? So taking more of an offensive approach, to defense.

So before the adversary attacks us, we're able to dismantle their network. We're able to shut things down before they're able to to to attack.

We saw this a lot with the elections.

Over the last several years, we've seen this particularly with some very established cyber criminal groups. One of them in particular is Emotet.

Emotet was a very prolific modular banking trojan that eventually morphed into a downloader and propagator of other malware, particularly ransomware.

And they were a very elaborate organization similar to what we talked about earlier and and, cyber command and and the federal government were able to take down some of their infrastructure and they'll lead up to some of the elections that were happening. Because there was an indication they were they were looking to attack so there's there's that aspect of the punitive side. But, unfortunately, most of these actions are being taken by people outside the country. Even though they're using US infrastructure. So it looks like it's US IP attacking another US, you know, destination, but You know, it's all by proxy. They're operating by proxy to do stuff like that.

And then so with the I mean, there's there's a few different stories out there about the threats to our public utility grid. Right? And to and and you hear about this stuff going on. Like, I'm thinking about Russia and Ukraine right now, for example, Is that one of those things that keep you up at night?

No. It's honestly, Phil, there's there's nothing really keeps me up at night in the threat landscape. There are certain things that give me, you know, reflux when I think about them.

Some of those things are are you know, power grid. There's been an enormous amount of interest from criminal groups and, state affiliated groups in that sector.

Because one, they the financially motivated actors realize, hey, if we bring down this pipeline or we bring down the grid, like, there's no better way to have pressure on the organization to pay us than people calling them en masse that You know, it's the middle of the winter and the power's out and I'm freezing and and, you know, there's enormous pressure if you were able to attack something like that to get money for it. The problem with that is that that's a surefire way to gain federal and attention. Right? So if if criminal group was it to attack electric infrastructure or gas infrastructure, just to power grid more generally, that's gonna elicit a pretty strong response.

For some of the punitive measures that we've talked about previously.

The other ones are just data aggregation at certain, companies. So healthcare, there's a lot of information collected on people's healthcare that are segregated to a very small amount of large health or organizations.

Same thing with marketing. There's a handful of very large marketing organizations out there. That have most of the information on the US population. So being able to target one of those organizations, you kinda have treasure trove of information on on US persons, which then you could use for social engineering. You could use it for follow on tax and impersonation and just the ability to kinda conduct identity theft and things like that. It's really endless possibilities with having that much on on somebody.

And then the last one, which I am gonna say last, but it's probably the paramount focus of of my my job over the last couple of years and truly what disturbs me most is the espionage and strategic influence operations coming out of the PRC, China.

So they have a lot of policies that are outright. You can go look them up.

That are specifically designed to exert their influence across the world and to gain a massive competitive advantage against the US.

Everything from stealing intellectual property, you know, gaining economic advantages and usurping our industries So companies like Earsville, visibility, other companies that are working on proprietary technology, doing things better in the technology space. China's interested in all of that, and they're gonna replicate it and try to do it better once they steal it. So that's a huge thing that that that concerns me. And I'll just name a couple things maybe for the audience if you really wanna go down the rabbit hole.

On some of their policies. You could look up like the thousand talents plan. So that plan is basically designed for them to send out Chinese citizens abroad, get them trained up in foreign universities, even get jobs in key industries and sectors. And then hire them back into the country and leverage all of the stuff that they've learned to kinda advance China and some of those key sectors.

So space, technology, healthcare, even agriculture are some of the ones that that are wrapped up in that. And then you have the Belt and Road initiative is the second big one So basically, they're fielding out technology to countries in Africa and South America.

And they're building infrastructure.

They're building what they call a belt and road to increase economic commerce.

And to, you know, expand and try to bring some of these countries up economically. At least that's what they say. But all of the infrastructure is Chinese infrastructure. And by and large, it's back door. They're able to monitor everything going on in those initiatives, and they're they're exerting enormous pressure on these organ these these countries when they partner on this initiative to have a very close buddy buddy relationship with China.

Made in China twenty twenty five is the whole third one. Another rabbit hole there.

You could go look into to that and basically it's moving away from China being viewed as the country that makes all the trinkets. Right? You go to the store and made in China. Everything seems to be made in China. They wanna move away from that notion over towards being a innovative technology leader in some very key spaces.

And the way they're going about doing that is through massive collection and stealing and gathering of intellectual property primarily US companies, through hacking it and stealing it or through coming to your organization and saying, hey, you're a startup. I really love what you're doing. How about half a million dollars, you know, we'll fund you if if you'll share with us and work with us. Right? So they're they're spending enormous amounts of money to gain inroads to American technology companies to try to get access to information that they wouldn't normally have. And the end result and the end purpose really for them is to replicate that technology in China and and continue to to gain again at a competitive advantage. And then the last one is, debt traps This is a big one we see too kind of coupled with the belt and road initiative, but this is basically a way for them to go to an underdeveloped country, say, hey, We really think it would be great if you had a port here.

So we're going to fund it. We're gonna build it and we'll finance it. And it's gonna get you this much, you know, economic billions, trillions of dollars a year. You'll have an economic, you know, transactions because you now have a port, and you can just pay us back for paying for the port.

What ends up happening is that it's a debt trap. Right? They end up the country that got into the deal, can't pay it. China then says, well, now we own your port or now we own your infrastructure.

And, you know, they're basically preying on on victims in in that capacity. So all of these things kind of go into the larger picture of, you know, the the power, great power competition is shifting. We're seeing it in the cyber world. We're seeing it with China and Taiwan, and there's a, you know, very heavy emphasis on on, trying to dethrone, the US in, on the world stage, and that's gonna have massive technological economic and strategic ramifications for us down the line.

Yes. TJ, this was a really interesting discussion for sure. I wasn't expecting the direction we were gonna go in there toward the end.

But certainly a reminder of just how complex the problem of cyber security really is. From a technological standpoint, geopolitical standpoint, just people standpoint, defense in-depth actually isn't a term that I've heard in a while. You mentioned it today. And based on the distributed nature of how we deliver services today, it makes more sense to me now more than it ever has. So really great topic. So, TJ, we're gonna end here.

If anyone in the audience would like to reach out with a question comment, to learn more. How can they, do that?

So It's kind of funny. I work in security. I don't have any, social media presence. I'm I try to stay pretty private. So I guess the easiest way would be reaching out through through you and the podcast, and I'd be happy to to chat with anybody more fully if they're interested in any of these topics.

Great. Thanks. And you can find me on Twitter at network underscore fill still active there and you can search for me on LinkedIn as well. Now if you'd like to be a guest on telemetry now or if you have an idea for an episode that you'd like to share, please feel free to reach out to us at telemetry now at kentech dot com. You can also follow us on Twitter and LinkedIn as well. Thanks for listening and until next time. Bye bye.

About Telemetry Now

Do you dread forgetting to use the “add” command on a trunk port? Do you grit your teeth when the coffee maker isn't working, and everyone says, “It’s the network’s fault?” Do you like to blame DNS for everything because you know deep down, in the bottom of your heart, it probably is DNS? Well, you're in the right place! Telemetry Now is the podcast for you! Tune in and let the packets wash over you as host Phil Gervasi and his expert guests talk networking, network engineering and related careers, emerging technologies, and more.
We use cookies to deliver our services.
By using our website, you agree to the use of cookies as described in our Privacy Policy.