Episode 76: Advanced Persistent Threats Vs. Subversive Multi-Vector Threats
Amrit Williams, BigFix CTO, discusses advanced persistent threats and subversive multi-vector threats with Will Gragido and John Pirc of Cassandra Security.
FULL TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host on Beyond the Perimeter, and today I’m joined by Will Gragido and John Pirc. Guys, thank you for joining me today. Before I turn over, I just want to give a brief introduction.
Will Gragido is the President of Cassandra Security. John Pirc is the Director of McAfee for the Network Security Business Unit and cofounder and security researcher at Cassandra as well.
Will, why don’t you tell us—tell the audience a little bit about yourself and we can then move on to John and what he’s been about and what he’s been up to, and then we’ll talk a little bit about Cassandra and a little bit about some of the threats firsthand.
Will Gragido: Excellent, yeah. Thank you very much Amrit. My name is Will Gragido. I’m the President of Cassandra Security. I’m an information security researcher, analyst, consultant and writer. I’ve got about 15 years’ experience in the industry working in both the public and private sectors, the DOD intelligence and information security communities where I cut my 00:48, and then spent many years with consultancies such as Dr. Anderson and International Network Services. In addition, I worked with 00:55 such as Internet Security Systems and McAfee for a brief period of time in research, and then finally started off with Cassandra. Thank you for your time. I’m glad to be here.
Amrit Williams: Thanks for joining. How about you John?
John Pirc: Thanks Amrit. I do appreciate you having both of us on here. So yeah, for me it all started when I worked for the CIA. I worked at the CIA in cyber security doing information assurance for quite a few years, then went on to be CTO of a small company that served the government. Then I moved off to Cisco. That’s kind of when I transitioned away from more of the consultative stuff I was doing and more to the product side of the house from the vendor perspective. So I worked for Cisco in their security business unit on their Intrusion Prevention Systems, then moved over to ISF after it was acquired by IBM. And then just most recently, I just came over to McAfee as Director running with their network—their next generation firewall.
I’m really excited about what we’re doing with Cassandra. We started Cassandra about a year ago. Several of us kind of came together that really have a passion and love for security. And furthermore, we really wanted to make a change based upon our worldwide experiences in security and pass the information on. But again, we’re really excited to be here.
Amrit Williams: Well, we really appreciate you guys joining us today, definitely some great backgrounds. What gap do you feel that Cassandra is filling right now? There are certainly a lot of folks out there doing consulting. You guys have great experience. You’ve clearly been able to leverage that on both the commercial and private sector side, but what is it that Cassandra is providing to the industry that you feel is not being provided?
John Pirc: When we look at some of the gaps that are out there, one of the biggest things that our efforts focus on is really critical infrastructure security. Obviously, if you look at the news out there today, you’ll read all sorts of stuff on Aurora. You’ll read about Exxon Mobil. You’ll read about all these different critical infrastructures that are getting attacked. And one thing that we saw that was kind of missing was really going after these heightened attacks from a critical infrastructure perspective, because when we look at I guess the whole field of information security, it’s absolutely wide and deep, but when you really start looking at protecting critical infrastructure at the highest level, that kind of bubbles down.
And what we really want to do is bring out more awareness, and then more awareness with respect to this notion of advanced persistent threats, and we’ll talk a little bit about how we’re categorizing that under a different name. But our goal is, you know, more from an educational perspective, to get this information out, and then furthermore understanding what are some of the mitigating technologies out there that can actually help stop and thwart some of these attacks, A, and B, at least identify that this sort of activity is going on in your network. And then also clearly pointing out that the advanced persistent threats are going to cross over onto the mainstream, and we saw a great example of that with Aurora. Will, do you want to add to that?
Will Gragido: Sure. I feel that the gap that we address is a rather deep one, largely because, as John has alluded to earlier, the primary areas that we focus our research on are really somewhat esoteric and not that well known in the commercial space. We were fortunate in the sense that we grew up out of the DOD community and out of the intelligence community, as many of our other researchers did. And we were exposed at very early stages to those types of threats in our travels, our traversal through the industry.
We spend a great deal of time focusing on the intricate ties between the cyber criminal world and how they relate to state and non-state cause of attacks and activities from a commoditization perspective, in addition to following the trends that lead into the commercialization and the enterprise initiative that we see going on, and then globally. So the events of hacking as a service, cyber mercenarism, cyber workers certainly, cyber espionage, and we wanted to address those things in a very real manner that does not invoke an inordinate sense of fear, uncertainty and doubt, but speaks to the truths that are out there while also bringing some hope and also introducing some technological, as well as risk management based, principles that can aid in addressing these things, ideally in tiering the risk factors of the environment that we spend—that John mentioned earlier, critical infrastructures and various and some denomination that we see being exploited actively today, historically and in the future.
(00:05:41)
Amrit Williams: Well, we talked about these APTs. The level of sophistication has definitely increased. The level of stealth along with that sophistication has increased over the years, but we’re not really talking about anything new. Why don’t you provide for the audience your definition of what we’re talking about here, some of the ways you guys look at it, and then let’s get some thoughts on some of the things folks can be doing to better protect themselves.
Will Gragido: Sure. We—I think it is somewhat of a nebulous term and it’s becoming a little bit more nebulous in the sense that it means a lot of different things to a lot of different people.
Our view of the world and the things that we deal with on a day to day basis from a threat perspective is somewhat different than I would imagine the generalized interpretation of what those threats are today.
John talked about Aurora for example. Aurora is an extension of 06:31. 06:31 has a long and well documented history, for example. It certainly wasn’t the first national system threat, if you will, if you categorize it in terms of evolving crisis. It was really initially actively identified in 2002, 2003, 2004 out of the DOE laboratory environments. But there were certainly precursors to that particular event. Things like Moonlight Maze, Solar Sunrise for example, a whole host of other things. It will include 07:01, which more traditionally you refer to as GhostNet. So we took our research, we took our expertise, and we applied that to the problem. And then we said APT, as the industry looks at it today, really focuses on the technological element, so the technological threats.
However, technology is only one aspect of exploitations. We spend a lot of time based on our backgrounds and our research focusing on a larger picture. So we take a more comprehensive view of the world and that led to the development of what we call the Subversive Multi-Vector Threat. What that means in a nutshell is really the body of activity that surrounds the birth of activity in the industry, as well as the public and private, which takes traditional technological threats and point those exploitation, and miracles of non-traditional. So things such as human intelligence gathering, exploitation, open systems, intelligence gathering, a whole host of other things and merge those together to look at a more comprehensive picture, and really to put together more of a mosaic view of the world.
In our opinion, the APT from a technological perspective is maybe a part of an SMT. SMT doesn’t have to be an APT. It can be exploited and it can be leveraged from more of an interpersonal perspective. The act of exploitation of personnel for example for intelligence gatherings wherein a technological mechanism could be introduced such as GhostNet or it can happen 08:34 present. But our view is a little different of the man in the greater industry, and really that’s where we focus.
Amrit Williams: And that’s fair. There are a lot of folks who listen to the podcast who are in IT operations and not necessarily focused just on security, so they may need just a little bit of help with some of the things you just said. So to break it down, if you had to give a one-paragraph sentence on what you represent as APT versus SMT, just in a—this is what it means and this is how it’s different from what you’re seeing today.
Will Gragido: I think a good example would be GhostNet, for example. GhostNet was a nice example of a traditional technology, one that certainly wasn’t advanced, the ghost threat that was actively leveraged by—in this case, the Chinese National Government for the exploitation of the Dalai Lama and his office in Tibet and India. So what occurred there was a very sophisticated attack leveraging antiquated technology, certainly not being high speed and 09:33, to accomplish the mission. A very, very successful mission in that it exploited somewhere around 1300 to 1400 hosts globally, and by virtue of that exploitation, people were able to extract a great deal of information. So that’s the technological APT.
However, when we start looking at the expense of more kind of alluded attacks from the ecosystem perspective, SMTs take into consideration not only the introduction of a technical threat but takes into consideration traditional intelligence, I guess you would say vantage points and threat vectors, so compromising human intelligence.
(00:10:08)
We look at things like, for example, historical examples like are there aims. We look at things like Clayton Lonetree, who is a former United States Marine embassy guard who was exploited by the former KGB before the fall of the wall and the end of the Cold War, for the express purpose of gathering intelligence and information about embassies, about Europe.
And we tend to believe that we’re dealing with a much more advanced adversary. As a result of that, the technological idiom may only be a portion of the actual full attack, and it doesn’t have to be the full embodying of the attack. It could only be a tool if you will a stepping stone to actually getting to the actual heart of the target and that’s where I think the differences are. I think that’s somewhat of a condensed version of what an APT is.
Amrit Williams: So it has taken into account not only traditional methods of exploiting humans, social engineering targeting specific folks for exploitation, but also leveraging common attack vectors, as well as unknown or possibly targeted malware, to basically infiltrate and do certain things after they’ve reached around and grabbed through maybe basic misconfigurations and whatnot.
Will Gragido: Absolutely.
Amrit Williams: So if you think about that, right now the majority of organizations—and I think all of us can agree to this—regardless of private or public sector, can barely do the basics. I bet at almost any organization you’ve worked at, if you ask them how many assets are actively connected to your network right now and what are they doing, I’d bet almost nobody in any of those organizations can answer that with a definitive statement.
So knowing that we can barely do the basics, how is an organization supposed to start dealing with some of these more exotic threats?
John Pirc: That’s a good question and that’s something—in traveling around the world, you hear that a lot. When you talk to some of the C-level audiences, they’ll come to you and say, “You know, I don’t even know what I have on my network” and they feel bad because of this, but we know that that’s common.
So when we start looking at—well, what do you need to protect yourself? And obviously, you have your core infrastructure security devices, so you have your endpoint, you have your network security devices. We think all those are good, right? And they are must-haves. But when you really start looking beyond the envelope and understanding really what’s going on in your network, a lot of it has to do with what’s profiling on your network. So when we look at things that are typically, from an IT perspective, nice to haves, like NBA for example, Network Behavioral Analysis, things like these are really great: the who, when, where, what, why of what’s going on in your network.
But what Will and I have kind of taken a look at, and this is no plug, but it’s just understanding what’s going on in the network, is getting products adopted like NetWitness, for example, being able to have the capabilities of really understanding your data flows and how they’re going through your network. When you start looking at these advanced attacks, you have this whole notion of 80-20, 80% that are generalists, 20% that are highly technical. I think between us here, we fall in that 20%, but I think to your point, how do we reach that 80% crowd and how do we enable them?
I think the first thing is understanding there is a big problem out there, and be it an APT or SMT, Subversive Multi-Vector Threat, understanding what they are, how they can infiltrate your network, and what are the proper tools that you need to mitigate them. And I think from the different vendor communities out there, I think a lot of them are trying to answer that question, because when you look at some of these attacks, they’re using cryptography to encrypt the payloads to try to get through AV, to get through the network IDS, the firewall, etcetera.
But when you’re really looking for these APTs, you know, Will and I were having a discussion, it’s basically stealing in broad daylight, right? I mean these things are very silent, they’re very slow, and it’s just a matter of how you get around these certain mitigative controls. But I think the biggest thing—and when you talk about the whole notion of people, process and technology, it’s not so much a technology problem, because there are technologies out there that can at least identify this. Now, there’s no silver bullet. But from our perspective, it’s getting it to the people and letting them understand what is this, how do you identify it, and how do you stop it. And no one is immune to it now, because as Will mentioned before, these types of attacks were completely targeted toward the Intel, DOD, global financials, research organizations, defense industrial base, etcetera. Now, those skill sets have traversed over into the commercial sector, which is going to make a big headache for all of us, as we saw with what happened with Aurora.
(00:15:09)
So I think it’s really understanding what it is and getting that message out, and then having ways to mitigate them. And that’s what Will and I and the team are working on, delivering this set of papers on critical infrastructure. So it’s kind of identifying what are some of the problems out there, but then coming back around to how do you mitigate these more effectively.
Will Gragido: I was just going to say that I think from a technological solution set basis, and in terms of talking about bringing technologies to our own research, we spend a great deal of time addressing a lot of the areas which are either—I don’t want to say ignored, but I will say misunderstood by the greater industry at large, things like cryptoviral extortion, subliminal channel introduction, things that were typically introduced and utilized, which are not new, again, technologically, but introduced and utilized within the realms of, as John mentioned earlier, DOD, industrial base, Intel community, that are seeing higher utilization in non-DOD or non-public sector environments. So those are problems that are real and they’re present.
Now, cryptographic solutions from a payload perspective, cryptography—a whole other things which are more esoteric, a little bit more alchemic but definitely real.
Amrit Williams: I completely agree with you, so let me pose two challenges here. One is that I think that most in the security industry, especially those that have been doing this for quite some time, would completely agree that the level of sophistication of threats out there has definitively hit a new plateau. The exploitation mechanisms that are being used and the multi-faceted nature of them are becoming extremely sophisticated. Most commercial entities—and I would, you know, based on my experience in dealing with the federal agencies, both on DOD and Intel—most organizations have trouble just dealing with the stuff that’s being thrown at them like a massive tsunami on a daily basis, so that it’s very difficult for them to wrap themselves around the exotic.
And I think one of the things we have to get very good at in the security industry is helping people to recognize how they can find balance in dealing with the advanced exotic-type threats that we see, as well as the day to day threats and the day to day activity that most organizations simply are terrible at in the first place. And they can’t even stop the basic blocking and tackling on a daily basis, let alone stop these advanced threats. And we do need to find that balance, because what we see happen a lot in the commercial world is people start reframing the risk to an organization based on level of sophistication, because of the talks that we all do in the security industry, and they let their guard down on some very basic stuff. They build very nice high perimeters and they leave a window open or their back door open, and they don’t see some of this basic stuff. But I do think you guys are doing an excellent job on that.
The second challenge I want to pose to you when we come back, and we’ll come back on the second podcast here, is one of my issues with network monitoring. I had a brief conversation with Richard 18:18 about this, who is obviously a big proponent of monitoring ingress and egress traffic flows into all critical infrastructure within a corporate organization, which is that the answers that we usually provide to solve problems that we see or we see coming are always hindered and handicapped by the evolution of the network environments themselves.
So I’ll give you an example. You simply can’t monitor the ingress and egress of traffic flows from a computing device that isn’t on your network, that’s accessing corporate resources that are being maintained by a third party in the cloud.
Will Gragido: Amen! Absolutely.
Amrit Williams: So what I actually want to do is, as we come back, I want to focus on that, because cloud computing, infrastructure as a service, platform as a service, software as a service, these things are being adopted. We know Vivek Kundra, for example, has a big initiative to drive cloud through the US government. Almost every large commercial entity is looking at these things, and the traditional methods that we would have applied five years ago to help stop these problems are becoming handicapped by the new evolution and the new adoption.
So we’ll be back real soon with our next podcast. I want to thank Will and John for joining me and we’ll talk to you real soon.
Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening!
