How are nefarious actors using our own data (and metadata) against us? And given that, in what way have we lost our way protecting data that needs to be course corrected?
Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is John Ayers (@cyberjohn1747), VP of advanced detection and response, office of the CTO, Optiv.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our podcast sponsor, Optiv
[David Spark] How are nefarious actors using our own data and metadata against us? And given that, in what way have we lost our way protecting data that needs to be course corrected?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode is Geoff Belknap. You also know him as the CISO of LinkedIn. Geoff, how does your voice sound?
[Geoff Belknap] David, this is how my voice sounds when I’m on the best podcast available today.
[David Spark] That was the correct answer. Hope you have more correct answers later in the show.
[Geoff Belknap] I’ll see what I can do.
[David Spark] Our sponsor for today’s episode is Optiv. We are thrilled to have Optiv on as a brand new sponsor with the CISO Series. And they are responsible for bringing our guest as well, who I will introduce in just a moment. But first I want to introduce our topic. So, a few years ago, Geoff, I interviewed a hacker who had won some really big bug bounties. And I asked him, “What was the biggest change in hacking between now and ten years previously?” And he said, “I know so much more information about you.” And similarly I ask many security professionals, “Can you be hacked?” And almost all of them said yes, mostly because they said they could get to them through someone they already trust like a family member. So, our interconnectedness is both a blessing and a curse. Do you agree?
[Geoff Belknap] I agree definitely that the interconnectedness of life today is definitely as much a risk as it is a benefit. I’m also really encouraged…and I can’t wait to get into this with our guest…by the thought that we’re getting better at security. So much so that we’re forcing hackers to come at us with a social engineering approach more than a technical approach, and I feel like that’s the path I’d rather us be on.
[David Spark] That’s a good point. And let me bring in our guest. Our sponsored guest – he is the VP of advanced detection and response, also the CTO for Optiv. It is John Ayers. John, thank you so much for joining us.
[John Ayers] Hey. Well, thank you for having me. I really appreciate it.
What are they looking for?
[David Spark] Dan Walsh, who’s the CISO over at VillageMD said, “Bad actors are mining for personal data and then using that information to attack people at the places where those people work. Companies should consider to what degree they need to ensure the personal privacy of their employees and executives, especially the high value targets, on the web because they’re being targeted specifically with their personal data in their professional roles.” And Merry M. of G2 said, “Data subject access requests or DSAR attacks – basically someone impersonating another person and convincing a company to hand over personally identifiable information as required by various data protection privacy laws. In theory, companies should have ways to properly authenticate requesters, but…” So, that right there, the handing over personal data and not having the proper authentication, we hear this story a lot, Geoff, don’t we?
[Geoff Belknap] We sure do. And it feels like we… Geez, not too long ago we had a very talented con artist on the show.
[David Spark] Brian Brushwood.
[Geoff Belknap] That’s right, Brian. And it feels like more and more, hackers are finding all of this data, whether it be gotten through a misbegotten data subject access request or whether you’re just finding it in some other old breach or whatever, it feels like more and more hackers are leaning towards a social engineering approach to get to that initial access avenue than anything else. That’s what’s terrifying, because we haven’t spent much time on that as an industry. And really I think rewarding, like I said at the very top of the show, because it is like maybe some of the controls are working well. I’m really curious to hear what our guest has to say about this.
[John Ayers] Hey, Geoff. I agree with you except for one thing. I think today the bad guys are looking for data as a way for research and development. They’re using us as a way to test methods around how to then now basically attack an organization. Look, let’s be clear for a minute – bad guys are no different than businesses. We develop products. We develop widgets. We develop services. What do we do? We MVP that information. We put it out there in the wild. We’re doing the same thing. We recon our markets. They’re reconning their markets by using this information. So, if we’re going to combat this, it’s important that we understand how do we classify the data, how do we tag that data. And companies aren’t doing that because they don’t think their data is worth anything, so the bad guys are finding other ways to come around and circumvent the process because the people, like us, we’re on social media. We’re doing things. We’re sharing things. The amount of information that can be found by simply typing in their .com on a simple website like DNSdumpster as an example, it would shock you how much information is actually publicly available about an organization and about people.
[David Spark] So, do you feel that there’s far too much sensitive data in essentially open source intelligence? I don’t think much of that can be roped back in, can it, John?
[John Ayers] Look, I do think there’s so much sensitive data right now in social intelligence, but yes, it can be roped back in. I’ll tell you why I think it can be roped in. You can connect the dots or connect enough dots to make a play. Look, it’s no different than a military organization out in reconnaissance at the bad nation state. You find enough dots to connect to make a hypothesis. Once you make that hypothesis, you determine what’s the risk on taking that chance, how far can you go. And that’s where we have to start thinking about these guys are using the same methodologies and approach to determine the hypothesis, to determine whether I’m going to go. So, let me give you an example. I’m former law enforcement, and I had a guy ask me the other day, “Does an ADT sign deter someone from breaking into a home?” What do you think?
[John Ayers] The answer is it does because they want the easier target, so they’re going to look for a home that doesn’t have a sign first and try there, recon that, and determine what I’m going to do. Same goes with the bad guys in the Cloud. Geoff, I know you’re smiling there. They are reconning, and they’re looking for the amount of intelligence that we’re all sharing socially and saying, “Hey, wow, you’re just sharing. I’m going to sit back and watch. I’m going to collect. I’m going to recon. I’m going to look for information, and then I’m going to use it against you.”
[Geoff Belknap] I got to go get some ADT signs for my Cloud environment.
[John Ayers] That’s right.
[John Ayers] Actually all you need is Optiv Cloud signs.
[Geoff Belknap] Oh, is that right?
[Geoff Belknap] What a coincidence.
Where are we falling short?
[David Spark] Matt Stamper, CISO of EVOTEK, said, “Clearly the most obvious way threat actors use our own data is via social engineering, taking advantage of all the digital detritus each of us scatters given that our personal and professional lives are so notably mixed.” And Zack Ganot of Pandora Security said, “Personal is the not so new frontier in enterprise security. That used to be clear to us and seems to have gotten lost somewhere along the way with buzzwords like passwordless and zero trust. Unfortunately there’s still an attitude in some places of why do I protect people’s personal lives. That just doesn’t impact my enterprise. When in practice a group of 16-year-old teenagers doing just that have successfully pulled off significant hacks on the world’s largest enterprises.” So, this talk of the personal being so important to the enterprise… And as I’ve talked to other security professionals and like that hacker told me, people can create a believable story, or pretext as social engineers call it, so that we can be fooled. John?
[John Ayers] We can. We still are being fooled. Day in and day out the riskiest piece today is the human element, and they’re using that against us because, why, a few things. We’re moving fast. We’re in an environment right now where we don’t use checks and balances around data that we receive or information we receive to make an informed decision. Look, right or wrong, it’s just because we’re people. We do that. We make mistakes. The question is how much assumable risk are we willing to make. The second is we were thrust into this new environment where remember, Geoff, what, two or three years ago we were telling all of our employees, “Never use hotel Wi-Fi. Never use coffee shop Wi-Fi.” And now it’s okay, because… Why? Have we just ignored it? Or is that because we’ve assumed the amount of risk that the people who are using that and the data they’re accessing we can get better visibility and control of it. I think we’re at a very big pivotal point around the data and the protection of that data that’s rooted in my personal opinion in the ability to detect and respond to the use or the exfiltration of that data.
[Geoff Belknap] Yeah, I think that’s a great point. I certainly was guilty and was one of those people maybe five, ten years ago that was saying, “Hey, don’t use the hotel Wi-Fi. Don’t use the coffee shop Wi-Fi.” But sort of my thesis here… And I think this is the point you’re making, John, is that technology has evolved. Now almost every site you go to is using TLS, or SSL, or encryption of some kind that would nullify most of the risk that came from the fears that we had around sort of rogue Wi-Fi. All of the apps, and browsers, and things we use now all by and large are baked in with warnings that are like, “You’re on an unsecure network. Somebody is trying to shove us through to get your way.”
And really it comes down to that core message, I think, which is we’ve done a pretty good job by and large on the technical controls. Where we haven’t significantly evolved yet is around the humans, and we’re still taking this clumsy sort of insider threat approach as if we can use technology to detect if David has ill intent. But what I think…to Zack’s point here is that teenagers have 100% figured out how to call somebody like me, or a CEO, or an engineer and sound very convincing that they’re part of the help desk, or they’re part of tech support and that they need to reset your 2FA, or your password, or they need you to click on a link. This is really the next frontier that we all as security leaders need to get good at is how do we defend against that. I think zero trust certainly helps if you interpret it in the purest sense of least privilege, verify all access, etc. But we’re really going to have to do some innovation here.
[John Ayers] I’m going to pull that a little bit. You’re right, phishing has gotten crazy. These younger up and comers we’ll call them, they have been able to significantly pull this off because why? Practice makes perfect. They’ve been practicing and practicing. That goes back to my earlier point around these guys are using this as an ability to continue to do that. But I’m going to also just call on the record here – coffee shop Wi-Fi, hotel Wi-Fi is like buying sushi at a gas station or in this case buying sushi at an airport from what I’ve heard. It’s a risk. Even though you may think it’s unsecure, how many… It goes back to your point, people. People are going to take risks that some of us would not take. That is the opportunity.
[David Spark] Do you feel now…? And I’ll ask this question of both of you. This goes to sort of the question in the first segment Merry M. said is we have to properly authenticate requesters. Given that we know that we can be heavily socially engineered, do you believe that you’re creating new authentication methods that can sidestep even the savviest social engineer effort, or is this purely going to just be endless education? Geoff?
[Geoff Belknap] I think it’s going to have to be both. I think education is a big part of it, but like we’ve talked about in other episodes, you can’t educate your way out of a specific threat vector. The other part of it is we’re going to have to lean on technology that makes it harder for social engineering to access the entirety of all the data that an organization might be protecting. And we’re going to have to get better at exfiltration detection. This is… We talk about the basics like patching and making sure lateral movement is tough, but we forget that your customer support people tend to have a lot of access. And we have to be very thoughtful about what happens if that gets exploited, what happens if that customer support person through no fault of their own gets compromised, not technically but socially, and start implementing controls accordingly.
[David Spark] John, quick answer here. Your thoughts?
[John Ayers] I have to agree. It’s a little bit of both, but I think there’s a third element there which is I think…Geoff was touching on it at the end is still having that visibility. You talked about people, process, but then there’s that technology, ability to detect, to have that threat informed capability because data engineering, detection engineering analysis is a necessity even though you adopt a zero trust model. How do you know if someone is shaking the doorknob? How do you know if someone is trying to pole vault over the moat? You need to have someone watching glass.
How do we determine what’s most important?
[David Spark] Abhishek Singh of Araali Network said, “It’s the lack of access controls. It’s too easy for them to explore, dig, and collect intel. Come and do reconnaissance and harvest credentials. The only thing that is between them and our data is credentials.” Interesting point. And Darren B. of Ohio University said, “Think like the threat actors. For example let’s assume you were trying to target a CISO at a large organization. You don’t go for the CISO directly. You build a profile on them. Who are their friends, do they have children. These are questions cyber threat actors deliberate about on a daily basis. They slowly build that profile out over time.” So, you’re kind of nodding your head back and forth, Geoff. You don’t believe that what’s between them and our data is credentials, or do you?
[Geoff Belknap] I think in the worst possible scenario that is true. I think a better way to think about that is if the only thing between the internal data that you have is credentials, you have a problem, and that’s a great place to start.
[David Spark] That’s a good point.
[Geoff Belknap] But I don’t think that that is generally true. I think what is definitely true here is people do a lot of reconnaissance. People harvest a lot of credentials. People are now harvesting session tokens and things that people generally don’t think about as credentials that are very difficult to deal with. But I think… And John has been making this point very correctly through and through, which is it’s time to take a look at all the controls that you have and start implementing them through the lens of what happens if somebody gets access to one of these portals where people have free access to all the data. How are you going to manage that? How are you going to detect if something is wrong there? Because detecting if something is wrong there is not finding malware or finding Russian IOCs or something like that. It’s much more about understanding your business and understanding what’s unusual for your business.
[David Spark] I can see by the way why Abhishek made that comment about what’s between them and our data is credentials. Because we have seen in the Verizon Data Breach Investigations Report year over year that well over 60% of breaches are because someone got some authenticated access. And so one can extrapolate there. But we hear this again and again that if that’s the case then why is there such free east-west traffic. John, your take?
[John Ayers] Yeah, I disagree with that. If the credentials are the last line of defense, we’re in trouble. [Laughs]
[Geoff Belknap] Yeah, exactly.
[John Ayers] I have to agree with Geoff on that. That’s a tough one. But I do… This goes back to something I said earlier. The ability to recon people today is so easy. But here’s where the problem lies. Geoff has already touched on it: it is the controls, the ability to detect. How many clients today have tools in place that would be able to detect whether their company’s database or user credentials are actually for sale on the dark net? They don’t. They don’t think about that until someone tells them that, “Hey, you know what? A through Z was being sold with your passwords as well as unencrypted passwords.” They don’t have that visibility. That goes back to this rooted principle that sometimes more tools equals more security. It’s not. It’s about more tools that solve for that. That is a fundamental problem we have today. It’s called this technology sprawl, which is actually creating a new threat vector because we have so many things doing very point solutions. We can’t monitor it all. We can’t see it. We’re seeing this hybrid environment that’s causing us to have less and less visibility to our environment. And as a former CISO myself, visibility is a necessity. It’s a necessity for our ability to see what assets are on our network or what assets are trying to access our network. So, that’s my take on it.
We’ve seen this one before.
[David Spark] Matan Or-El of Panorays said, “While the use of personal employee data and shifting it to gain access to data of the workplace continues to be highly used, we also see actors that look at data related to the third parties in order to get easier data access from the supply chain or partners.” And Stu Hirst, the CISO over at Trustpilot, said, “Scraper and bad bot traffic has become much more of a problem these last five to six years, using publicly available data but harvesting it at scale to monetize somewhere else.” So, this kind of teases what you were saying, John, in the last segment, saying, “Are you clued in on what’s being sold online?” And also Matan here says, “Hey, it’s not just our problem. It’s the third party problem, and we could just be vulnerable to that as well.” We’ve talked about that and how difficult it is to defend against that.
[John Ayers] Look, I read an interesting article over the weekend about botnets, and DDoS, and things of that nature and how botnets are starting to reclaim themselves as a way to capture data. I think what happened was we got comfortable that, “Hey, we got DDoS controls in place to be able to catch this, and scrub this, and look for DNS traffic proxies,” things of that nature. And what we forgot is still going back to something Geoff said and I say is the human. You can’t solve for the human element. And we think technology is there to solve for everything. It’s not. It is people, process. While it’s a combination of not just overtraining someone or overeducating someone, I think there’s something that we…and I’m going to say we as Geoff and I…have not touched on, it’s the ability to exercise, test. The problem I see a lot of companies doing is they’re not doing tabletop exercises. They’re not educating people, getting them to understand what’s happening and what happens if this, if that, “Now what do I do?” I firmly believe that we do a great job in the cyber security space of telling people what’s wrong. We do a very bad job of telling them how to solve for it. Because we start just throwing things at it of trying to solve what the problem is versus holistically, “What’s my north star? What am I trying to do based on my industry?”
[Geoff Belknap] Yeah, I think I really want to key in on that because I have found more and more that a tabletop exercise…not a technical exercise but a tabletop especially that includes executives and other stakeholders that don’t consider themselves security executives or security stakeholders is really impactful. Because generally and especially if you have been running tabletops, your leadership teams will believe that security is going to do all of this work. If ransomware happens, if there’s a breach. Security has just got this. And I think it’s really eye opening for people to realize that it takes a village. Everybody has got to pitch in and contribute to this. I think also I’ll say, John, you touched on this, but buying threat intelligence or buying a feed of what people are saying about you, or what credentials you might have sold or are available on the dark web definitely was maybe… Maybe a couple of years ago that was exotic. Like high maturity, expensive security team type stuff. And what I tell people today is that’s close to the point of table stakes today. Because today there are organizations I’ll say like SpyCloud and Flashpoint Intel and others that make it really easy and really accessible to find are your employees’ credentials for sale or exposed on the internet, are they existing, can they be compromised, have they been reset yet.
[David Spark] I want you to know that one of those companies actually was the first one to alert me to that very fact, too.
[Geoff Belknap] See? And so that turns out to be a really useful thing.
[John Ayers] Look, you can buy it, too. You can actually get it free from like Experian and others to see if your data yourself personally is out there on the darknet.
[Geoff Belknap] Yeah, exactly. I think that is a great first step now if you’re just dipping your toe into this water of like, “How do we protect the people?” Like, well, great. Start with just being aware of whether their personal or professional credentials have been compromised already on the internet. You would be shocked… I know at a previous company we onboarded to SpyCloud. And as part of that, your employees can enter their own personal email addresses or whatever, and it will alert them when those credentials are compromised. And having their accounts be safe and protected is the first step to making sure that bad guys are not leveraging that knowledge to attack you as an organization. And also it has the benefit of helping your employees’ data be even more safe. Safe employees lead to safer organizations that they represent. And again, just all of that stuff seems very exotic, and sexy, and James Bondish. But you know what? It’s not.
[John Ayers] No, it’s not. I think it’s table stakes. I think it’s table stakes.
[Geoff Belknap] Exactly.
[John Ayers] I had an opportunity to sit down with the FBI agent that took down Anonymous and the Silk Road. You guys are familiar with that.
[David Spark] By the way, a book called “American Kingpin” by Nick Bilton tells that whole story of Silk Road. It’s a phenomenal book. Highly recommend it. John?
[John Ayers] I talked to the agent. The one thing I walked away from that conversation between him and I… Because he’s now retired. He’s no longer with the FBI. Was lessons learned. I feel like we don’t do a very good job of taking lessons learned from these attacks because these will help us plan, adopt, strategize, and then how to execute because it’s exactly what these guys are doing. The best way of combating the bad guys is to plan for that based on the industry. I think MITRE is a great opportunity, but the problem is they think of TTPs and things, but now how do I defend against it. How do I defend against lateral movement? How do I defend a compromised account? People tell me all the time, and I just had a conversation this morning – identity. That’s key. I love identity. You’re right. But if someone has a Mimikatz attack taking place, if someone is using BloodHound or something of that nature, how do you know? You got to have somebody looking for that detect. You have [Inaudible 00:23:35] looking for that. Have you built that? Or maybe not.
[David Spark] That brings us to the end of this episode. Thank you very much, John. Thank you very much, Geoff. Now I want to ask both of you, what was your favorite quote, and why? John, I’ll start with you.
[John Ayers] I think the one that really resonates with me and should resonate with a lot of people, “Because bad actors are mining our personal data, and then they’re using the information to attack people and places where those people work.” I think that is a phenomenal quote. It’s something we all need to walk away with and resonate with because that is a very true statement. That was Dan Walsh.
[David Spark] Good point. I like that. And Geoff, your favorite quote?
[Geoff Belknap] I’m going to have to say my favorite quote from the show was Wi-Fi is like sushi at a gas station.
[David Spark] Oh, from our guest.
[Geoff Belknap] Yeah, from our guest. But I think in terms of our contributors I’d say Matt Stamper from EVOTEK. “Clearly the most obvious way the threat actors use our own data is via social engineering, taking advantage of all the digital detritus each of us scatters given that our personal and professional lives are so notably mixed.” I think that’s a great point. There’s a lot of information out there. It makes it really easy to target people with a social engineering attack.
[David Spark] Excellent. Excellent point. And that wraps up our show. Thank you very much, Geoff. Thank you very much, John. John, I let you have the very last word. So, please feel free to plug anything that you’re doing over at Optiv and if you’re hiring as well. We always like to hear that. Geoff… I always do the plug for Geoff, but I also want Geoff to add in. Geoff is always hiring. Why one would not want to work with Geoff is still a grand mystery that none of us have figured out. But there are people that don’t work with you, Geoff. There’s a whole universe of people who don’t work with you. Again, we’re trying to figure out why those people…
[Geoff Belknap] They should reconsider that.
[David Spark] They should seriously reconsider. Geoff, anything else more you want to say?
[Geoff Belknap] No. I think this is a great example… I’m really happy to have this conversation. But a great example of where we need to go next in defense.
[David Spark] Good point. All right, John, now your last thoughts on this, any offer you want to throw to our audience for Optiv, and are you hiring.
[John Ayers] Thank you for the opportunity to be on here. First of all, Optiv is always hiring, and we’re looking for talent day in and day out. It’s always hard to find talent, but we actually have a great program now for those people who are looking to get into the cyber security industry. I would encourage anybody that’s listening to this to say, “Hey, how do I learn more? How do I become an analyst? Or how do I get into threat hunting, and detection, and things of that nature?” We’ve got a great program. I’d encourage anybody out there. The other thing I’d like for everyone to understand is that, look, when something that Optiv is actually talking about and hear constantly is called advanced detection response…it’s really focused on this methodology that the clients and their information journey is a roadmap and is a change. I think what we’re seeing right now is this change in the industry that we’re all rooted in this that more tools equal more security, but we really need to be rooted in the principle of data engineering and detection engineering analysis because that outcome really helps us reduce that security and complexity. Really we talked a lot about this, is that operational overhead. Because it’s so hard. The great resignation is here, and how do we help solve for that. So, thank you for the opportunity.
[David Spark] You’re very, very welcome. If people want to get in touch with you, what’s the best way to reach out?
[John Ayers] You can reach out through optiv.com. We’ve got connections there. I’m on LinkedIn if you guys want to reach out. But I scan everything. [Laughs]
[David Spark] All right, excellent. We’ll be linking to John on the blog post for this very episode. Thank you very much, Geoff. Thank you very much, John. Thank you very much to Optiv for sponsoring this very episode and bringing John to us. You are awesome. Thank you so much. And as always, I say to our audience, we greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@CISOseries.com. Thank you for listening to Defense in Depth.