Tom Hagy of HB Litigation Conferences interviews ICRMC Bermuda speaker Charles Carmakal of Mandiant/FireEye
For anyone plotting the evolution of cyber risks, the last phase of cyber-attacks was dominated by breaches that resulted in lost or stolen personal or financial data that could then be monetized.
The current phase is different.
“We have observed a significant increase in the number of disruptive breaches that our clients are dealing with,” says Charles Carmakal, Vice President at Mandiant/FireEye. “These involve destruction, extortion, or public shaming.”
How are organizations dealing with this shift?
“It’s catching many organizations off guard. Most don’t have a playbook for dealing with extortion,” Carmakal says. “While they may have thought about a ransomware situation, that’s different from the more common type of extortion we are seeing these days, where a threat actor threatens C-level executives or corporate board members with the release of sensitive information.”
“Many organizations assume the default is they wouldn’t give into the demands, but when in the middle of a crisis too often the decision is made to pay the threat actors,” he says. “So it’s important to consider what your organization will do in this situation. For example, who will be involved in the decision-making process? Organizations should play out an extortion scenario so they have a plan when faced with real demands.”
How can organizations better test the efficacy of their security capabilities?
Many organizations conduct penetration testing or red-teaming exercises, but they often undermine their own efforts.
“A problem arises when an organization contracts a third-party to test their capabilities, but puts a lot of restrictions on those who are doing the testing,” Carmakal says. “For example, they will tell the testing team or red team to identify vulnerabilities, but not to exploit them, or they can exploit a vulnerability but stop there and not dig any further. The penetration testers might be allowed to test only during a certain day of the week or certain time of day. Or they might be allowed to sample only a fraction of the organization’s IP addresses and ignore everything else.”
“What happens is the penetration testers are not permitted access to the crown jewels,” Carmakal warns. “They can’t demonstrate business impact to the organization. This creates a false sense of security because the organization can say they had a team of qualified people try and fail to break into the network, but in reality they were unable to break through because of all the unrealistic restrictions imposed on that team.”
This false sense of security travels to the top. “Testing results are shared with the board and the board believes that because a really good third-party was not able to get to the crown jewels that they have a much safer environment than they really do. That’s a very common theme we see across the industry,” Carmakal says.
How do penetration testers deal with unrealistic testing parameters?
“It’s part of the education process,” he says. “When a company wants us to do a very limited test, and we believe our reports will be shared with the leadership team or the board, then we just won’t take the engagement. We try to make it clear that this is not an exercise to make anyone look bad, but a way to leverage the lessons from all the bad guys who are breaking into organizations so you can strengthen your security.”
In the end, he says, “It’s better we identify the vulnerabilities than have the bad guys do it.”
What are the geopolitical trends you are seeing?
Iran – “They used to be unorganized. They even clumsily posted social media profiles of themselves,” Carmakal says. “But they have become much more organized, more structured, more technologically adept, and have affiliated with government entities.”
“In 2017 we saw more intrusions from Iran than we had ever seen before. There was a noticeable spike in offensive intrusions coming from them. For some reason, in 2018 we really haven’t seen Iran targeting organizations in the United States. They’ve scaled back significantly in the US, but are still active in other parts of the world.”
“What makes security professionals nervous about Iran,” Carmakal says, “is that they are a wildcard. You don’t know what they are going to do. You don’t understand the rationale behind their activity. But what we do see is a capability and a willingness to be incredibly destructive – taking down businesses and publicly shaming organizations. The fact that they’ve slowed down their attacks on U.S. organizations is interesting, but we expect that to change.”
Russia – “Russia is not hacking the U.S. midterm elections like they were with the presidential election in 2016, but they are conducting some significant offensive operations around the world. They are very capable. They are also very good at disinformation and throwing false flags, so when you investigate them it’s difficult to tell who they really are. Russia is one of the few countries that demonstrates the willingness and capabilities to cause kinetic consequences through cyber-attacks, such as when they turned off the lights in Ukraine.”
In March 2018 The New York Times wrote, “The Trump administration accused Russia … of engineering a series of cyber-attacks that targeted American and European nuclear power plants and water and electric systems, and could have sabotaged or shut power plants off at will.”
When asked about this and the reporting that surrounded it, Carmakal said the story was a bit “sensationalized” and not 100% accurate. “While the intrusion was serious, we didn’t see the Russian actors getting anywhere near being able to shut off the lights,” he said, adding that they “certainly have the capability” in other parts of the world.
China – There has been a “notable decrease” in cyber intrusions from China since the 2015 bi-lateral cyber agreement was reached between President Obama and China’s President Xi, Carmakal says. While narrow in scope, addressing economic espionage — China’s state-sponsored theft of private U.S. intellectual property and then turning it over to state-owned and private companies in China — the agreement does appear have helped, reports suggest. “They are still hacking organizations and are following a defined playbook. We’re keeping a close eye on them to see how their offensive operations evolve,” Carmakal says.
North Korea – Except for the highly publicized attack against a major U.S.-based entertainment company, “North Korea rarely goes after Western organizations.” Given the country’s need for cash, “their focus has been more on robbing digital currency exchanges and stealing from banks digitally,” Carmakal says, adding that they, like Iran, are a bit of a “wild card.” North Korea actors have stolen more than $100 million from victims, Carmakal says.
You will be able to hear insights like these, and updates on anything that occurs between now and December in Bermuda when Carmakal and his fellow panelists discuss important trends in global cyber risks.