CyberWire Daily

The current state of Cyber Threat Intelligence.

Rick Howard, The CSO, Chief Analyst, and Senior Fellow at N2K Cyber, discusses the current state of Cyber Threat Intelligence with CyberWire Hash Table guest John Hultquist, Mandiant’s Chief Analyst.

References:
- Andy Greenberg, 2022. Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency [Book]. Goodreads.
- Josephine Wolff, October 2023. How Hackers Swindled Vegas [Explainer]. Slate.
- Rick Howard, 2023. Cybersecurity First Principles Book Appendix [Book Support Page]. N2K Cyberwire.
- Staff, September 2023. mWISE Conference 2023 [Conference Website]. Mandiant.
- Staff, n.d. VirusTotal Submissions Page [Landing Zone]. VirusTotal.

Duration: 17m
Broadcast on: 22 Jul 2024
Audio Format: mp3

You're listening to the CyberWire Network, powered by N2K.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. In Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber.

We get it, this interruption isn't what you actually want to be listening to right now. But at Credit Karma, we've learned that a little disruption can be a good thing, especially when it comes to the slow, outdated, and totally complicated financial system. We started shaking things up by offering free access to your credit scores, then we expanded into more areas of personal finance. And now we've added new tools and personalized features to make it easier to optimize your money and grow it faster. Download Intuit Credit Karma today and get everything you need to outsmart the system.

Hey everybody, Rick here. So far this season, we've done a gut check on the current state of XDR, extended detection and response; IAM, identity and access management; and the MITRE ATT&CK framework. Since we did ATT&CK last week, I thought it was only appropriate that for this week we take a look at CTI, cyber threat intelligence. If you're following along with our first principles book, you know that CTI is a key and essential tactic to the intrusion kill chain prevention strategy. And in order to deploy and maintain prevention controls for known adversary campaigns across the kill chain, your CTI team will likely be using the MITRE ATT&CK wiki for a good portion of its inbound intelligence. See what I did there? You see how everything is connected?
We don't do random stuff here. We got a plan. So hold on to your butts. Hold on to your butts. We're going to take a deep dive into the world of cyber threat intelligence. My name is Rick Howard, and I'm broadcasting from N2K Cyber's Secret Sanctum Sanctorum Studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A, and you're listening to CSO Perspectives, my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis.

John Hultquist is the chief analyst at Mandiant, the XDR, training and incident response company, now part of the Google Cloud organization after the acquisition in 2022. But he's been doing intelligence work for going on two decades now, first with the U.S. government, then with a commercial cyber intelligence company called iSight Partners, and then with Mandiant, where he has been working for over seven years. So John and I are both cyber intel guys from way back, and when I ran into him at the mWISE conference in D.C. last October, he and I got to talking about the old days and how far CTI has come.

So we have a history, right, John? Yeah. Because I ran a cyber intelligence shop many years ago called iDefense. That's right. Founded by John Watters. That's right. That was owned by VeriSign. Yeah. And when he left the company, he started another commercial intelligence company called iSight. iSight. Right. Stole half my time. Love the eye. Love the eye. Yeah. And then you joined them. That's right. Yeah. So explain what happened after that. So I joined out of, I guess I was working at DIA at the time. I didn't state, mostly spent most of my time at State Department and the North Army way back in the day. And they were like, they were focused on cyber crime at the time. And it was like, can we find anything besides cyber crime out there in the ether? And at first, we could not. For a long time, we could not.
And then, you know, slowly, we figured out how to track certain actors, you know, certain espionage actors. It took us a while. And I mean, it was a very, you know, slow process. But over time, we built out the ability to hunt for cyber espionage outside of the government, which is something, frankly, if you told me it was possible when I was in the government, I would say that's ridiculous. Yeah. It's exactly right. Yeah.

So you've been involved in all the changes of hands of the iSight stuff right now. Yeah. It went from where to where to where. So we were at iSight and then we got acquired by FireEye, which had previously acquired Mandiant, and then FireEye sort of became Mandiant. So. Which nobody could figure out. Yeah. It was a strange sort of thing. And then, and then we became Mandiant Intelligence within Mandiant, and then Mandiant was acquired by Google Cloud. And that's where we are now. So I've been through all of it. And you've seen all, you know, where all the skeletons are. Yeah. Yeah.

But we're talking today because we're at the mWISE conference here in Washington, DC, right? I don't know, what would you say the theme of the conference is this year overall? What were you trying to get across? You know, I've spent a lot of time with customers and that's honestly, it's super enlightening, because I have my thoughts on what I think matters and then you go into the room and they're like, this is what actually matters to me, and it's always great to sort of find where those two parts kind of connect. And you know, I think obviously the situation with the casinos in Las Vegas is like the talk of the town or whatever you want to call it right now. Which is crazy, right? Yeah. Okay, it's a big deal for them. Yeah. But why is that more important than, I don't know, it's okay. I mean, I think those actors are sort of challenging a lot of the, you know, the ways that we do security, right? And I will tell you.
What John and I are talking about are the ransomware attacks against two Las Vegas hotel chains in September of 2023, just prior to this conversation, by the hacking group Wicked Spider. The group compromised Caesars and the MGM resorts, including the Bellagio and the Cosmopolitan, and sent them back to the Stone Age. MGM had to stop using their computers entirely for 10 days and instead checked in hotel guests manually and provided customers with cash payouts from the casino. Customers reportedly paid Wicked Spider a $15,000,000 ransom, and MGM estimated that the total recovery cost for them was about $100,000,000. According to Josephine Wolff at Slate magazine, casinos have a reputation for excellent security, but it seems that security may be more focused on physical vulnerabilities than online ones.

And I will tell you that casinos, I've worked, spent a lot of time working with casinos over the years, and they are mature players, right? Yeah. They are. I know what they're doing. That's what they're doing. ... of before, but there's been a sort of refresh of a lot of these problems, and it's good because we're going to start attacking some of these problems. So the biggest one is their ability to social engineer. It's exceptional. They're English speakers.
I keep talking about it. It's not just that they're English speakers, they're native English speakers. They're able to sort of develop a real familiarity with the people that they talk to and sort of emote in the language. There are differences between how people in Western Europe discuss things. They emote on the phone, and these guys are locked in and able to really convince somebody to help them. What that means is that your help desk will not only sort of allow them to get through these gateways that we've set up, but will almost pull them through, because I think they like them. They want to help them. So we've gone back to more social engineering as a skill set. It's a huge skill set, and I think that it exposes the vulnerability in just the way that we set up these help desks and probably how we incentivize them. They're incentivized to be helpful. That's not the review. I'm sure telling somebody no may not actually be in their interest economically if you work on the floor, and we've got to make sure that's not the case.

I heard a story about Mitnick talking about help desks. The Mitnick I'm referring to here is the late, great Kevin Mitnick, the infamous world-class social engineer, author of two wildly popular books on the subject, The Art of Deception and Ghost in the Wires, and who you could reasonably say put the skill set of social engineering on the cybersecurity roadmap when he went to prison for five years back in the mid-1990s for "various computer and communications related crimes." When he got out of prison, he went straight, set up a consulting business and became a beloved character in the infosec community. Sadly, in 2023, when he was just 59, we lost him to pancreatic cancer.

He was saying that the way he would social engineer a target was that he would call in and help the help desk solve a problem, like a contractor, like you'd fake being a contractor. Oh, wow.
He'd solve the problem and then a week later, he would call the help desk and say, "Hey, I need you to fill out this paper. You remember me? Fill out this paper, right?" Oh, wow. Yeah. And it's like, yeah, so maybe we're coming back to those kinds of things. The long play, by the way, is something we actually see from the other players, more than like the text, you know, like an email message situation, like the Iranians and the South Koreans. You'll see them social, but somebody for like a month now, before they ever bothered us with that link or that, you know, that attachment. But they're pulling people through. They're hitting these business process outsourcers that are like third parties, that manage a lot of our data, and sort of going after third parties to get into their targets. And the other thing that's really important that they're doing is there's a focus on telecoms and SMS, and particularly the ability to overcome second, like two-factor, right? Or the ability to get somebody to send a reset code or something directly to a phone that they control. And it really proves that we have to really rethink, you know, how much we rely on phone numbers as a reliable way to sort of authenticate somebody. Because we're still trying to get people to use two-factor on phones, right? We're still on this journey. And I will say that I still, you know, I still think it's a speed bump, right? But it's just not an enterprise, like, a speed bump is not like a doorway, right? Like it's not enough for an enterprise. Maybe for certain, for certain things, it's enough. But if you know, if you are trying to protect an enterprise, it's probably not going to, it's, it probably won't do it.

So you're on this panel at the mWISE conference, okay? It's called Cyber Intelligence in a Rapidly Changing World, and some big-time luminaries are on that panel. I'm not saying you are, but other people, right?
Did this kind of stuff come up on the panel, or what was the, what were you talking about in all of that? Well, you know, we had some really interesting people on the panel who had spent a lot of time looking at crime from various, various aspects. Jackie from Chainalysis, I thought, had a really interesting sort of view into the problems. She looks at the blockchain and she watches a lot of this, this movement.

For those of you not familiar with the company Chainalysis, it figures prominently in the Cybersecurity Canon Hall of Fame book Tracers in the Dark by Wired journalist Andy Greenberg, in my opinion the best cybercrime book in the last decade. If you had any lingering doubts about whether Bitcoin's blockchain technology would protect your identity, Greenberg completely blows that out of the water. And Chainalysis, along with a feisty IRS agent and a university grad student, are the ones that figured out how to do it. The Jackie that John just mentioned is Jacqueline Koven, the head of cyber threat intelligence at Chainalysis.

And one of the things she said is she's seen sort of a drop-off in some of the many criminal actors. And she attributed this to maybe some success. And you know, we're seeing zero-days in the crime space now. And there's a thought that maybe some of that, there is actually an increasing barrier to entry. So some of our defenses may actually be working. That's what we're talking about, innovations here, right?

And that's our show. Well, part of it, there's actually a whole lot more. And I have to say, it's pretty great. So here's the deal. We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity. If you want the full show, head on over to thecyberwire.com/pro and sign up for an account. That's thecyberwire, all one word, .com/pro. For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing.
Plus, you get a whole bunch of other great stuff like ad-free podcasts, exclusive content, newsletters, and personal level-up resources like practice tests. With N2K Pro, you get to help me and our team put food on the table for our families, and you also get to be smarter and more informed than any of your friends. I'd say that's a win-win. So head on over to thecyberwire.com/pro and sign up today for less than a dollar a day. Now, if that's more than you can muster, that's totally fine. Shoot an email to pro@n2k.com and we'll figure something out. I'd love to see you over here at N2K Pro.

One last thing, here at N2K we have a wonderful team of talented people doing insanely great things to make me and the show sound good. And I think it's only appropriate you know who they are. I'm Liz Stokes. I'm N2K's CyberWire associate producer. I'm Trey Hester, audio editor and sound engineer. I'm Elliot Peltzman, executive director of Sound and Vision. I'm Jennifer Eiben, executive producer. I'm Brandon Karpf, executive editor. I'm Simone Petrella, the president of N2K. I'm Peter Kilpe, the CEO and publisher at N2K. And I'm Rick Howard, thanks for your support everybody. And thanks for listening.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most right now to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire.