Facebook Live Transcript
July 14th, 2017
All right, hello everybody and welcome to our Facebook Live session at Infoblox. My name is Prakash Nagpal. I am responsible for product marketing at Infoblox. And I want to introduce the guest of honor today, Sean Tierney, who is the Director of Cyber Intelligence at Infoblox. What that means is Sean leads the efforts to develop and find print data, deliver it to customers as machine readable, actionable, threat intelligent. His team collaborates with industry peers, Fortune 500 companies and government agencies to identify emerging cybersecurity threats. He has more than 30 years of operational and intelligence experience and came to Infoblox from Morgan Stanley where he was Executive Director of Global Computer Emergency Response and Cyber Intelligence. He has also served in the technical cybersecurity and leadership roles at UBS AG, JP Morgan Chase, and Intel Corporation. Sean holds a Master’s in Computer Science from the University of Washington, a patent in cyber intelligence fusion and multiple security certifications.
Sean, thank you for being on this call. Given your pedigree and your experience, no better person could have on this Facebook Live session to talk about the threats that the industry is facing. I can’t open up my browser or read the news without reading a new cyber threat, a new malware campaign or ransomware campaign that’s been launched. One day it’s Petya, one day it’s not Petya. And the industry even struggles with identifying what these campaigns are, telling the difference between them.
Give us your sense of your examining, you’re looking at this every day, Sean. What do you think of the landscape? How do you think it’s going to evolve, if you’re looking out three, six months or looking back on where it came from? Give us your perspective.
Thank you, Prakash. That’s a pretty broad subject. If we try to narrow it down to the relevant landscape and what we see in day-to-day activity. Look, cybercrime, crime in general, it’s always been there, it’s always going to be there. What we have now is a new medium that exposes us all. So not so new anymore, that exposes us to additional aspects of crime. And with the introduction on online e-commerce decades ago, and then online banking, we’ve just expanded that landscape for exposure to threats that have been there in one form or another for as long as man’s been around.
So, we narrow that down to what we see going on and where we see that trend. Yes, bad stuff’s happening, it’s going to continue to happen. We see an evolution and perhaps some cycling of different types of threats. For a long time, there was attacks against the various applications. As those got hardened, there was attacks against the operating systems and networks. As those got hardened, we saw cycling back to the applications. And so now what we’re seeing is the cycle back to the operating system or the platforms that are running. And that’s what we see a lot with ransomware. But we also see multiple attacks a day. So, anybody that spends any time, whether you’re on the vendor side or the enterprise security side, you’re going to see multiple attacks every day. Some of those are targeted and some of those are just attacks of opportunity. So, if you have some exposure or weakness or you just happen to be in the general vicinity, you’re going to see that come across your network or potentially impact your customers.
And not all that is straight up cybercrime. Some of that might be some sort of espionage, whether it’s corporate or state sanctioned or something along that lines. Being able to start to distinguish one from another takes time, takes analysis, take tooling, takes skillsets and smart people that are talented and experienced.
What we saw in the last couple of months were a number of coincidental attacks. When you think about what happened with WannaCry, that was a piece of malware that had existed in one shape or another in a very latent or somewhat immature state that was then imbued with new capabilities based off of some data leakage. So, some tools and some techniques were leaked, exposed to the internet and the developers of that malware took advantage of that and imbued their malware with those capabilities. So, you then had a ransomware attack that was able to spread like a worm.
At the same time, there was other ransomware attacks going on and experience leads to bias, to some extent. And when we saw Jaff and WannaCry both at the same time, there was perhaps some misperception. I think most people fell into the trap of thinking that WannaCry probably initiated by email, initially. I think that a number of us had enough breadth in our view to be able to say, you know what? It seems like that but I can’t find that smoking gun, but I do see these other attacks. So probably there’s a couple things going on. We can talk about what we know and we’ll learn more as we go. And that’s what we did, that’s what most of the threat intelligence and the cyber security community did. We tell you about what we know, we’ll make some educated speculation and continue our investigation update as we go.
And then fast forward a little bit to a couple weeks ago what we saw with Petya, what we saw initially looked very much like Petya, behaved like Petya. That’s because the attackers crafted it to look that way. But then when you look at the campaign as a total, now it propagated, well it had many characteristics of an advanced threat actor, the way that it propagated the types of capabilities that it was imbued with. And it looks like it was designed intentionally to damage people doing business in a particular region of the world, when you start to look at it as a whole. So you have the cybercrime that’s opportunistic, maybe targeting one particular customer set or one particular vendor, because that’s what’s going to garner the money, right, that’s where people are going to be able to make a profit. And at the same time, nations have their national interests that began since the beginning of nations, that’s been the case. Cyber is just one more venue for that to take place.
Thank you Sean. You talked us through the ability to tell the difference. This is a two-part question for you. Walk us through how would you go about telling the difference between these different campaigns. And what process do you follow? Are there some best practices that you follow? And second, what type of people or what skillsets do you think make somebody suitable to be the threat analysts, to be a cybersecurity intelligence expert? I know these skillsets are hard to find. So, what do you look for?
There’s a number of different trade craft and approach to it. So, I’ll just talk at a high level about how we do business. For my cyber intelligence team, we try to look at as many artifacts and as much data, get as many threat vectors into our visibility. So, when I say threat vector or attack vector, I’m talking about if we understand our particular malware, or attack type, how would that manifest? How would it be delivered? How would it propagate and what are opportunities to tap into those streams to see that? So, if we understand generally how a particular business works, like online banking, for instance, or other e-commerce. And we understand that attackers might deliver attacks through a internet property, like a URL or email in a document or URL in a document. If we understand how those things propagate, or are delivered, then we try to tap into those things. We collect and monitor a bunch of email streams. We scrape a bunch of websites. We crawl a bunch of the internet.
And then we use our particular technique, which we call Pivot-Farm-Mine, as the day-to-day tactical technique on top of structured analytic techniques in a manner to identify indicators. Either through the organic creation or the farming of indicators, mining of the available data that we have to identify indicators. And as we do those two, we then apply pivot technique to expand those indicators and identify additional threats, additional infrastructure, these sort of things.
So, by applying that multi-layered approach of collect, process, analyze and disseminate, we’re able to get a pretty good view on a lot of threat states. By no means is it exhaustive. There are large teams that have perhaps better view or different view, and other folks have different trade craft.
But that’s one of the things I think that makes cyber so interesting, is that there is such an opportunity for taking a different approach. Taking the things that we’ve learned from other folks and applying them in a new ways or trying new techniques, developing new approaches, that sort of thing.
And so that kind of leads us to what kind of people we look for and what makes a good either threat analyst or intelligence analyst. And a lot of that is just being the right attitude and the right aptitude, being curious of mind, being interested in identifying new things to look at, being tenacious. So that when perhaps you’re struggling on something that is a little more complex, a little bit more challenging than you’re used to, that you’re going to dig in and dig further, kind of try to crack that nut. But also perhaps not being afraid to reach out to your professional network and ask for help. Those are the kinds of people, talented in terms of just their innate abilities, perhaps educated or experienced in their ability to apply analysis, do some sort of reasoning, deduction, inference, draw conclusions, make estimations, those sorts of things that either may be innate to their personality or learned abilities through education and experience.
Also, when we look for people, hopefully they do have some sort of either formal or ad hoc training that they know how to use a computer system to get around these various spaces, that they understand various tooling or hopefully they can write their own. So maybe they can do some programming or some scripting. They understand how network services work, how the internet works and how it doesn’t work. It’s very, very important to understand how DNS works when you’re trying to analyze threats. It’s also very important when you’re dealing, especially with ransomware these day, to understand how TOR works because a lot of ransomware uses TOR for command and control as well as delivery and communication for the payment sites and decryption keys, that sort of thing.
You talked about DNS. Before we get there, I’ll try to recap some of the things you said. Skillsets, comfort with large volumes of data, basic understanding of networking, curiosity, aptitude for doing this analysis, and an interest in just learning more and being open to find out more, that seem to be some of the key trades.
You mentioned a couple of things. You talked about DNS. Explain this to us. You and I live in this industry, so I, at least, often make the assumption that everybody understands the world of DNS. Talk us through, why DNS? Why is DNS critical? Why do you think DNS is that important?
Sure, without getting too deep into how DNS works and that sort of thing, just at the surface, we all should probably understand that computers rely on the domain name services to be able to identify the endpoints that they’re going to communicate and perhaps the service that can be reached there, being able to understand that a mail server from some other part of the infrastructure. So, we’re using that domain name service to help structure our communications and order the way that we construct an enterprise and the services that are delivered from there, to some extent. Not to say that DNS is a directory service that helps you discover other services but certainly you need to know which service is providing your mail, for instance, and that’s provided as an MX record from your DNS server.
So that DNS helps you have that communication in a much more friendly, human-readable fashion. So, when you try to go to an online retailer, you’re probably not typing in the IP address for that online retailer. You’re probably typing their domain name and then they use DNS and some other routing tricks to get you to the right place so that you can get what you want. That’s critical to the way that the network operates. Back in the old days, we used things called host files and a few other tricks to help each computer know how to talk to other computers.
But because it’s such a critical internet-wide service, that means that it’s also a control plane for making those communications. And then it also gives us visibility into that traffic. So, at a macro level, at a large scale, if we can kind of understand what’s going on in terms of the DNS traffic, their requests that are transiting our network or emanating from our network or coming to our network. It helps us gauge what kinds of threats or exposure we have.
So, for instance, if our company is going to be attacked, oftentimes one of the first steps an attacker will take is to perform reconnaissance and while they may make their effort to be soft touch and non-evasive, they may use internet search engines and other things. They may also look at our DNS structure, to again, start to identify hosts. How do we name those hosts? Well, web servers are often named web servers. Name servers are often named name servers or NS, and that gives a potential attacker information. So if we can understand what queries are being made about our space or what queries are being made from our space, then we can start to gauge the type of traffic and the type of exposure.
Likewise, DNS is such a critical service that most companies will have what we call a firewall plug. But it’ll be an open port that allows DNS services to go in and out of their firewall, in and out of their DMZ, because they need to have that happen. Which means that sometimes that’s not necessarily filtered and monitored as much as we security professionals would like. And then the second aspect of it is because that communication and the way that recursive DNS resolution happens, those inside servers are going to forward some of those requests. So they’re going to echo that request, even if they are filtered through DNS recursion. Those requests may get made beyond where the company’s perimeter are. And these are mechanisms for additional information leakage, additional exposure and that sort of thing for the communication app. So this thing called DNS tunneling, that happens because either the ports are open and the traffic’s allowed to go out to wherever the destination is, that sort of thing. So that’s one more reason why DNS and DNS security are so important.
Another aspect, and remember I talked about how we rely upon DNS to help us understand what that destination service is. So attackers will use things like fast flux or domain generation algorithms to give the opportunity to have a large volume or a lot of movement of those sites for their command and control or their distribution of malware. And that volume makes it hard for security professionals to track down and remediate those attacks sites, or those command and control sites. It adds a lot more volume to our overall processing of security information, which again, makes it a little bit more difficult for us to defend our enterprise.
Thank you Sean. In the most simplistic terms, I like to call DNS as the phone book of the internet. So you talked about obviously getting into best practices, so we talked about the scenario of malware and it spreading. One of the key areas you highlighted was let’s focus on DNS. Obviously the second part is threat intelligence. What other advice do you have for enterprise? How do you make this real? How do you protect your infrastructure? How do you protect your data? 70% of applications, their lead-off attacks are targeted on DNS. So obviously, about half of all data exploitation happens from DNS. So you talked about DNS, but what else do you recommend that enterprises do?
Let’s start with the notion of actionable threat intelligence. And this is an industry buzz word and often I’ll talk to folks that use actionable intelligence in a way that perhaps we find comical, that don’t really explain what it is. So we have to differentiate between intelligence and data. So data doesn’t become intelligence or intelligence isn’t just data until you do some analysis, you do some transformation, you work on it, you process it. It requires some level of inference, deduction, conclusion, estimation. So some things that we as humans do to it to actually convert it into intelligence. It’s not just the artifact or an indicator, that sort of thing.
And then to make it actionable, well, either the user of it or the supplier of it needs to be able to actually enumerate what those actions are. So if I tell you these domains or these IP addresses are a exploit kit gate. So these are the gates or the processes, the steps that a computer will be led through to be measured, assessed for vulnerabilities and then ultimately exploited. Then I’m telling you not just these IPs. I’m telling you what they are, I’m providing you intelligence because we measured them, we drew some conclusions about what they were. And I can tell you that if you have an enterprise, use these in your web proxy, your security web gateway, to block access to those destinations. Now I’ve just made them actionable. I told you what they are, what they do, why you should care and how you can prevent exposure to that threat. That’s an illustration of what truly actionable threat intelligence is.
So what can enterprises do about it? They can use the right type of threat data, those IP addresses, in an actionable way. One of the things that we provide here at Infoblox are RPZs to be used in DNS firewalls. So if those are response policy zones, we provide files that you can use in your DNS server to block action. So your customers, your users would not be able to resolve those threat destinations, those domain names, those host names, that are hosting those exploit kids or that other malware. Your systems would not even know what the IP address is of them and so would not be able to reach out to that.
Likewise, we can apply other techniques, either in the blocking mode, or we can do live analytics through our Threat Insights type of a product to actually measure for fast flux or measure for domain generation algorithms. And make a inline, real-time assessment of, is that characterized as a threat? Do we analyze that and assess that as being a threat destination? And then give you a opportunity to decide what your action, what your policy should be. Should we block that or should we alert on it? Let the traffic happen but alert on it so somebody could make some decision or perhaps some correlation on what other threats might be at that destination.
Thank you, Sean. So to recap, if I was to summarize what you said in terms of best practices, focus on DNS, get the most updated and impactful threat intelligence, make sure you leverage the intelligence across your infrastructure. Don’t just isolate it to one piece, because it impacts the integrity of the infrastructure, it impacts your data, it impacts your users, and it impacts how quickly you can respond to threats. And you talked about people and having the right people to help in the process. You talked about the skillsets. So you addressed the people, the technology and the process aspects of it. Final thoughts or … Obviously you and I both work for Infoblox, the role that Infoblox plays in this. And we can close with that, Sean.
So you want to talk about the role Infoblox plays in the technology and the processes?
Okay, so I alluded to a couple things. I talked about correlating across your system, what you’re going to do with the data and the actions. And I also talked about a couple of the technologies that we at Infoblox provide. One of the core components of everything we do on the security space is around threat data. Now there’s some intelligence that’s used to process and to characterize that threat data so that our customers can use it and apply it in the proper context in the proper space.
Well, one of the most powerful things about that is since it is categorized classified and there’s intelligence to back up the value of that threat data, it could be used across the enterprise. So if a subscriber of our data feeds or our data availability, they can use that in their SIM, they can use that in their firewall, they can use it in their next gen firewall. Or they can also use it in their DNS firewall, use it as RPZs.
So that brings us to some of the other technologies. In terms of protection, there’s a couple of very clear things that we can do to aid in the security of an enterprise or a customer as well as help them maintain a better security hygiene, identify other activities that may not be threat but might be undesirable things for the enterprise. And we see those things in terms of the DNS firewall, whether it’s an on-prem solution through the NIOS platform or whether it’s the Active Trust Cloud provide a DNS firewall. And then with those comes things like Threat Insights, which gives us some algorithms for looking, again, for inline DGA detection, domain generation algorithms. The ability to look for fast flux behavior or DNS tunneling. It’s those sort of technologies that we can provide to an enterprise, again, on-prem or in cloud, that help them protect their enterprise. Or if they don’t want to block, they can use alerting and their own internal security monitoring to help them understand perhaps where they’re exposed or infected, and take the necessary actions according to their processes and procedures.
There’s one question that came up in the time before we close. What types of tool sets do you think are useful for a threat analyst to get exposure to? Somebody that’s interested in this arena?
I think that being able to programming and scripting, I think, is essential. Whether that’s Python or something else. Python is probably the most popular programming and scripting language for security professionals. Understand how the internet works, again, that may not be a tool so much as just general basic knowledge that folks needs. Then if you start to dig down in the tool sets, what I would recommend is getting access to platforms that enable you to do behavior analysis so you can actually start to understand clean secure behavioral analysis of malware. So follow some of the online guidance from the experienced security professionals that help you build a proper, secure behavior analysis lab, whether you’re doing hardware lab or doing virtual. Because you don’t want to A, expose your own environment to infection, or B, become part of the problem.
But getting exposure and experience with behavior analysis techniques, I think is critical. Getting exposure and experience with network security monitoring, whether that’s Bro or Snort or Suricata. Those types of tools, I think, are essential for security professionals, threat analysts, SOC people, those sorts of things. And then one of the tools that I really like to recommend people take a look at when they’re getting started is something called Maltego and get access to those free versions or community versions of that. Because those are ways to do some federated searches and to get more involved in the community and start asking questions.
And as you start to ask those mental questions, then you can also look at the various forms and news groups that you can join to ask those questions of a larger community and that feedback and that involvement is what will lead to further learning.
But it does also come back to, remember what I said, the lifelong learning and the inquisitiveness. And just starting from that point, I think, will lead to the tool selection and the various approaches after that.
There’s another last question for you, Sean. There’s a question I wanted to ask about. Is this intelligence going to be useful to even find insider threats, whether they’re malicious or not?
Absolutely, the same types of techniques that we use to identify malicious external actors can be used to find internal actors. And my experience is that as a enterprise defender, we often try to separate the external generated attacks, the general security incidents from insider threat type problems. And a lot of it has to do with the way that we respect and treat our employees.
So if you’re investigating that sort of thing, you have to take a fair amount of caution, a fair amount of reproach, because what may look like an insider threat problem, what may look a intentional bad employee, may not be. It may be that that system’s infected and the malware or the attacker is savvy enough to make it look like it’s the user. That’s the way an advance threat actor would behave. They want to look like an insider.
So you would approach that with a little bit more caution, but by and large, whether it’s a accident or unintentional or misconfiguration, or a genuine insider threat. They’re still going to be using the same control channels. They’re still going to be using web and DNS, whatever you’re using for external data transfer, whether that’s STP or something else. All that same network communication, those same channels, that’s still going to be used. So being able to have the security tools to look into that and being able to apply the intelligence techniques to analyze the data that you’ve collected, that’s still going to be applicable.
Well, Sean, thank you for that very informative and useful session, appreciate it. Appreciate your time, and thank you everybody for listening.
Thank you, Prakash.