Q&A with Tanium’s Ryan Kazanciyan & Andre McGregor
Two familiar Tanium faces will take the stage during the 2016 RSA Conference next week: Director of Security Andre McGregor will speak on “The Shadowy Cyber Attack — State Sponsors of Terror and Cyber Terrorists” on Wednesday, March 3 and Chief Security Architect Ryan Kazanciyan will present “IOCs are Dead — Long Live IOCs!” on Friday, March 4.
We sat down with Andre and Ryan recently to discuss their respective presentations.
Andre, your years in the FBI exposed you to a wide array of cybercrime. How does cyberterrorism differ from other kinds of threats?
Andre McGregor: Ultimately, a terrorist cyber-attack is still just another cyber-attack regardless of the motivation. Whether we’re looking at an insider, a nation-state, or someone with the motivation of creating fear and chaos through terrorism, all of those actors are still going to utilize the same methodologies to gain access. I’ll be diving into particular threat actors and their unique motivations and capabilities, but the actual detection and response to cyberterrorist threats comes down to the basic cyber hygiene principles — just like any other attack.
My presentation reviews eight different cyberterrorism examples, and what they could have done to prevent or remediate it. Each attack was not overly sophisticated, but it was the aftereffect that hugely impacted society’s perception of Internet security and safety. The common thread that binds them together is that all of these attacks were preventable and all of them came back to the basic cyber hygiene problem of not knowing what is in your environment, the inability to limit who has access to that environment, and the difficulty of finding known vulnerabilities.
Tell us, Ryan, are IOCs dead or here to stay?
Ryan Kazanciyan: A little of both! Expectations need to be reset. Over the last five years, there has been an explosion of threat data sources, IOC standards, and detection technologies. Yet we have not seen a commensurate improvement in organizations’ abilities to prevent or respond to attacks, both opportunistic and targeted. In fact, I started to see the erosion in the effectiveness of IOCs years ago, while still working as a consultant and investigator. And I’m worried that our industry is forgetting its own history. A lot of the claims and promises made by burgeoning threat intelligence providers sound incredibly similar to those made by antivirus vendors a decade ago.
At Tanium, I’m motivated to build solutions that help organizations fend for themselves — even when relying on imperfect threat data. These challenges led me to examine the technical factors that have limited the effectiveness of IOCs, and how to bolster those shortcomings.
Would better threat intel have helped in the cyberterrorism examples Andre will be covering, like Saudi Aramco or Sony?
Ryan: Not on its own — not enough. The attackers used a mix of previously unseen malware, variants of other tools already in the wild, and new C2 infrastructure. That’s unfortunately distinct enough that most sources of IOCs (free or for-pay) would have been too brittle to detect or scope the compromises.
What about the techniques employed by the attackers to gain access and expand their foothold in victim environments? Largely the same as those used in nearly every targeted hack of a corporate network, irrespective of the perpetrators’ ultimate objectives. Part of my presentation focuses exactly on this point — that the lowest common denominators of intrusions produce readily-observed outliers. You don’t need IOCs to find those. You need visibility and the ability to gather your own intelligence about your own systems.
Iran DDoSes banks and hacks a water dam; North Korea destroys every Sony computer; ISIS hijacks social media pages and defaces websites: what is the line between cyberterrorism and cyberwarfare?
Andre: We’ll be going into that in my session — enemies, abilities, why they only go so far. Sony is a hybrid case where the attack came from a nation-state but the rhetoric used incited terroristic concerns that resulted in closed movie theaters. I will discuss how US, Russia, and China cyber warfare attacks differ from cyber terrorist attacks from Iran, Syria, and North Korea.
ISIS, on the other hand, is an interesting example of cyber terrorism-in-training. Currently ISIS does not have consistent, reliable access to the Internet to be able to cause much damage. They have, however, created one of the best social media recruiting campaigns in the history of terrorism and as such have access to individuals living in places with high-speed Internet who can do their bidding for them. So while hacking from Syria might be hard, recruiting a sympathetic hacker in the US is not. Luckily in my history of tracking cyber terrorists, there’s only been one true terrorist hacker and he was killed through a drone strike a few months ago.
Businesses are facing significant pressure, often from both the public and at the board-level, to invest more in cybersecurity. Where should threat intelligence fit among competing security priorities?
Ryan: I’ve seen a lot of organizations spend a lot of money on threat intelligence while maintaining far too weak of a security posture. Most will come to find that the ROI just isn’t there. And if they did any quantitative or qualitative analysis of what they were paying for, they might be somewhat horrified. I highlight a few real-world examples of poor indicator quality in my presentation.
The truth is that even the most well-crafted and timely IOCs are ineffective if you’re only searching a fraction of the available data in your environment, or if doing so is a laborious, slow process. And if your systems are riddled with unpatched vulnerabilities, insecure credentials, and configuration weaknesses, searching for threat data doesn’t actually reduce your attack surface at all.
Andre: Threat intelligence is only as good as the source. As an FBI Agent, when I would walk into a company with an IOC in hand, I had a high level of confidence that the IOC would be found in their environment because I collected that IOC directly from the adversary. Of course not everyone will have US Government grade IOCs, but businesses can inquire about the specifics on exactly how their threat intelligence companies are collecting IOCs.
Over the years, I have watched as malware changed from being generic in nature to company specific with hard-coded IP addresses, domain names, and file attributes associated only with the intended target. This means that it is no longer useful for Bank A to share MD5 hashes with Banks B, C and D because it is almost guaranteed that the shared MD5 hash will not be found in their environments. For me and my responsibility of protecting Tanium’s corporate network, I have started looking at behavior analysis. Regardless of the type of attacker, the adversary has to gain entry, laterally move through my environment, and escalate privileges to steal valuable information or cause damage. So as a system administrator or a SOC team member, you should ask yourself the question: “How am I sweeping for adversary behavior in addition to IOCs?”
Ryan: To be clear, IOCs and threat data can play an important role in automating incident detection and contextualizing attacks. But they don’t close the “gap” of undetected threats on their own. Preventative controls and security hygiene are incredibly important; so too is leveraging internal sources of intelligence. My presentation talks about ways organizations can get more value out of their existing investments, as well as the need to derive intelligence from what’s “normal” in their own environments. I hope to share a number of quick-win techniques that security teams can employ.
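The contrast Ryan and Andre draw above, a shared hash IOC that finds nothing versus sweeping for what is abnormal in your own environment, can be illustrated with a small frequency-stacking sweep. This is an added example, not code from the interview or from Tanium; the host names, paths and hashes are constructed.

```python
from collections import defaultdict

# Constructed endpoint inventory: (host, process name, directory, md5).
# Every value here is made up for the example.
INVENTORY = [
    ("ws01", "svchost.exe", r"C:\Windows\System32", "aaaa1111"),
    ("ws02", "svchost.exe", r"C:\Windows\System32", "aaaa1111"),
    ("ws03", "svchost.exe", r"C:\Windows\System32", "aaaa1111"),
    ("ws04", "svchost.exe", r"C:\Windows\System32", "aaaa1111"),
    ("ws01", "explorer.exe", r"C:\Windows", "cccc3333"),
    ("ws02", "explorer.exe", r"C:\Windows", "cccc3333"),
    ("ws03", "explorer.exe", r"C:\Windows", "cccc3333"),
    ("ws04", "explorer.exe", r"C:\Windows", "cccc3333"),
    # Target-specific build masquerading as a system binary on one host.
    ("ws03", "svchost.exe", r"C:\Users\Public", "bbbb2222"),
]

# Constructed hash list as "Bank A" might share it: built from a different
# victim's sample, so the hash differs from the variant compiled for us.
SHARED_IOC_HASHES = {"deadbeef"}


def match_hash_iocs(inventory, ioc_hashes):
    """Classic IOC sweep: exact match on file hash across every host."""
    return [(host, name, path) for host, name, path, md5 in inventory
            if md5 in ioc_hashes]


def stack_outliers(inventory, max_hosts):
    """Behavioral sweep: a (name, directory) pair present on only a handful
    of hosts is an outlier worth triage, whatever its hash is."""
    hosts_by_key = defaultdict(set)
    for host, name, path, _ in inventory:
        hosts_by_key[(name, path)].add(host)
    return {key: sorted(hosts) for key, hosts in hosts_by_key.items()
            if len(hosts) <= max_hosts}


if __name__ == "__main__":
    print("hash IOC hits:", match_hash_iocs(INVENTORY, SHARED_IOC_HASHES))
    print("stacking outliers:", stack_outliers(INVENTORY, max_hosts=1))
```

The shared hash produces no hits, while stacking surfaces the one copy of svchost.exe running outside System32 on a single host.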
You can meet Ryan and Andre at Tanium’s “RSA After Hours” cocktail event on Monday, February 29th from 7:00–11:00 PM at 111 Minna Gallery. Space is limited, so please RSVP to reserve your spot: http://offers.tanium.com/RSA_VIP_After-Hours_Reception.html