Ä¢¹½ÊÓƵ

Take the Fight to the Adversary

The objective of this session is to:

  • Anticipate the pacing threatÌý– Grayspace, what is it, and why is it important toÌýtake the fight to the adversaryÌýin there?Ìý
  • Understand the U.S. government’s approachÌý–ÌýHow will theÌýCyber Incident Reporting for Critical Infrastructure Act (CIRCIA)Ìýimpact criticalÌýinfrastructureÌý(CI)ÌýownersÌýand operators under the new guidelines and requirements? How can you dispel concerns over reporting incidents to CISA from a private sector CI perspective?ÌýÌý
  • Learn what industry leaders are implementing to impact threatsÌý– Why is interagency collaboration and coordination so important? How can you optimize threat hunting operations asÌýphysical and digital systems become increasingly interconnected? How should you think differently when addressing cyber threat intelligence and actionable data?

Host:

  • Stephen FogartyÌý–ÌýLieutenant General (retired), U.S. Army Cyber Command, and Senior Executive Advisor of National Cybersecurity at Ä¢¹½ÊÓƵ AllenÌý

Speakers:

  • Fred FreyÌý– Co-Founder & Chief Technology Officer,
  • Ken BagnallÌý– Founder & Chief Executive Officer,Ìý
  • Mike SaxtonÌý–ÌýDarkLabs®Ìý Detect Solution Lead, Ä¢¹½ÊÓƵ Allen
  • Ben LoaderÌý– DarkLabs Detectâ„¢ Federal Lead, Ä¢¹½ÊÓƵ AllenÌý
Click Expand + to view the video transcript

Okay, good afternoon. And thank you for joining. This is Alan sponsored webinar on threat hunting. I'm Steve Fogarty, a senior executive advisor for Ä¢¹½ÊÓƵ Allen Hamilton's National Cyber platform before I joined Ä¢¹½ÊÓƵ Allen. I was the commander of us army Cyber command where I was responsible for operating and defending army and joint networks and data, what I call the foundational weapons system in the information age. I learned firsthand that our nation's adversaries are aggressively waging war below the threshold of armed conflict in cyberspace. They're both persistent and capable and becoming more innovative and effective. And I spent many years watching many of these adversaries, uh, you know, a decade ago, we would not have given them frankly, uh a lot of compliments on their trade craft, their technical capabilities and the effect. But what we've seen over the last decade and certainly has accelerated over the last few years, a significant increase both in capability uh in persistence. And I think very importantly, their willingness to use these capabilities to impose costs on us, ensuring future cyber superiority requires us to see the cyber threat landscape. In the same way, our adversaries see it as one battle space. When adversaries devise strategies for digital conflict, they don't view the federal government, the defense and intelligence communities, public infrastructure or private industry as separate targets to our adversaries. This target rich environment is one connected battle space. Recent outing of Chinese actor volt typhoon and Russian actor Sand Worm for hacks into critical infrastructure here. And in Ukraine are recent examples of the seriousness of the threat and the prevalence of the threat, the capabilities of the threat to defend one battle space. The US requires a holistic and active approach to cybersecurity. No single entity can protect our nation and we can't impose adequate costs on adversaries if we passively huddle in blue space. That is why transforming national cyber capabilities requires a unified approach that fosters operational collaboration best in class solutions, synchronized capabilities, active defense and critically important, effective collaboration in one battle space. The public and private sectors are intertwined and the digital and physical faces are realms converge cyber attacks can compromise critical information, disrupt supply chains and even put lives in jeopardy or you and your organization prepared to meet this evolving threat. During this session, our panelists will share their thoughts about how to anticipate the pacing threat, how to think differently when addressing cyber threat, intelligence and actionable data. Understand the US government's approach. How will the cyber incident reporting for critical infrastructure act sir, CIA impact critical infrastructure owners and operators under the new guidelines and requirements dispelling concerns over reporting incidents to CISA from a private sector ci perspective, learn what industry leaders are implementing to impact these threats. But fortunately for you, you don't have to take my word for it because it is my pleasure today to be joined by a panel of subject matter experts who understand the transformation required to counter these race of threats, both for government and private sector organizations. What I'm gonna do now is I'm gonna turn it over to our panel to introduce themselves. And what I'm gonna ask them to do is not only what they're currently doing, uh a little bit of their, their background that really establishes uh what, what part of the uh the cyber defense picture that they're representing and they believe they have particular expertise in. So we'll start with uh Ben Loder uh from, from Ä¢¹½ÊÓƵ Allen Hamilton's dark laps. Hey, good morning, good afternoon. Wherever the time might find you, Ben Loder. I've been with Ä¢¹½ÊÓƵ Allen for a little over a year and a half. Uh work for Mike Saxon up in the dark labs detect uh solutions for Ä¢¹½ÊÓƵ Allen Hamilton's lead. Our, our federal market says the departments and agencies across the board for the US government. I came to Ä¢¹½ÊÓƵ Allen. The last about seven years I worked at CES as one of their mission coordinators aligned to uh regional based threat actors. So I was able to see first hand the successes and challenges that Mr Fogarty had highlighted as it pertains to CISA and on the interagency scale as well. So happy to be here. Hopefully, we, we share some critical insights and good information for everybody. Thanks Steve. Thanks Ben. And we're gonna go next to Mike Saxon or Sexton from Ä¢¹½ÊÓƵ Allen dark labs also. Yeah, thanks Steve. Good afternoon, everybody. Mike Saxton. I'm our technical director under Dark Labs, which is Ä¢¹½ÊÓƵ Allen's R and D arm and our national Cyber account. So I lead our detection engineering and threat hunting teams for Ä¢¹½ÊÓƵ Allen, both in um blue space, which we'll talk about a little bit later and in gray space which we'll talk about later. Um My background has been running really large national level security operation centers and programs for Department of Defense Services and federal agencies. So a unique approach of how to do this at the national level, um, where you span multiple enterprises and agencies that ultimately led us to this approach to getting after a proactive approach to threat hunting and cyber defense. Thanks Mike. Next. We'll get a Fred from, from Snap attack. Hey, everybody. Thanks for joining us today and hopefully you gain some good insights around threat hunting and how that can be operationalized for you. So, my name is Fred Fry. I'm the co founder and CTO here at Snap A tech. Um I have 25 years cybersecurity background 1st. 16 years was with um Ta Oh so very familiar with offensive cyber nation, state level um activities and operations. But I actually pivoted into doing counterintelligence against other THS of the world. Right. So Russian FSB Chinese third PL A and IRGC um Iranian, IRGC MOAs. So um started offense, shifted to counter intelligence and then in 2016, stepped away to help commercial at island to um lead um fortune 500 companies um standing up and, and platform, utilizing their threat intelligence, um, into threat hunting teams. How do you take the fight to the adversary, which is kind of what we're talking about today? How do you take the fight to the adversary? How do you be proactive around threat hunting? 2021 we spun out snap attack, which is a, a SAS based platform that really has three major goals tied to threat intelligence and, and threat hunting. You know, the first is we think IOC ETSS are really a thing of the past. We think that they are foundational e very important, but they're always looking in that rear view mirror. So how do we get customers up the pyramid of pain to where it really brings pain to the adversary, which is up at the TTP layer of the pyramid of pain. Second thing is we need to make threat intelligence more actionable. You know, I think we'll talk a lot more about this, but I was very blessed working at the, the dod and the intelligence communities. We had excellent threat intelligence and intelligence when used correctly is very, very, very important and actionable. Um So how do we make threat intelligence actionable at mass at scale. So at the government layer, at the civilian layer, at the at the commercial layer, um we need to do machine to machine communication. And then the third keep pillar that we strongly believe in is cross vendor. Um applicability, right? Doesn't do anybody good and you can't scale at scale enterprise wide. If you focus on one vendor versus another, you need to have actionable machine to machine intelligence shared nationally. Um It has to be cross platform. So that's what we're focusing on challenges that we're solving here. Thanks. Thanks, Fred. And lastly, I'd like to introduce Ken Bagnall from Silent Push. Hi, Steve. Thanks very much for having me. So, I'm Ken Bagnall. I'm CEO and co founder of Silent Push. And we map adversary infrastructure. Prior to this, I was the VP of all the detection products for Fireeye and Mandiant as they acquired the last email security company that we started. So the team has been together for a long time through many companies. The main thing that we're concerned with and trying to solve is to find that 95% of unknown adversary infrastructure before it's used and share that with our clients and stakeholders. Thanks Ken and so for uh for all of our panelists. Thank you for taking the time to join us today and share your, your insights and we're gonna go ahead and jump right into this. And the first question really sets the foundation for the rest of the discussion and for the audience, if you think of cyberspace kind of divide into three principal areas for the purpose of this discussion. Blue space, uh you know, where uh friendly forces are operating, whether your government or commercial uh red space, where adversaries have the opportunity to uh to plan and launch attacks or hacks. Uh and then gray space, that area that they have to uh to traverse. Uh But I think that's my explanation and what's more important is to listen to uh the subject matter experts, uh describe what, what threat hunting is and why it's a game changer and we'll start with Fred. Great. Yeah. So threat intelligence, um I'll kind of start with more of a formal definition. Um So threat hunting is really the act of proactive. It's the proactive approach for cybersecurity that is going to involve searching and finding potential threats, vulnerabilities that are missed by other vendors, right? So, unlike traditional vendor approaches, vendor approaches have to hard code signatures and those signatures can be known by our adversaries and easily circumvented and tested, you know, a priority. So the active threat hunting um relies on, you know, three equal parts, right? Art um science as well as intuition, um to help hunt through data to, you know, proactively, you know, shift proactively your detections, um, threat hunting can be enabled for a couple of different reasons, um, mainly on identifying unknown threats. Right. So, so very specifically, you know, looking for anomalous behavior, investigating anomalous behavior at scale, but it also can be used for enhancing your security posture, right? Um, it's typically something that more mature organizations grow into, you have to have all of your bases covered before you enter into this. But it can be a very, very positive thing if, if implemented correctly to reduce your mean time to detection for adversaries in your network. Thanks Fred. We'll jump over to Ben. Hey, much like what Fred was saying, like coming back, uh some of my background to the offensive defensive intelligence community side, like threat intelligence is a critical component that informs and shapes the way we do defensive cyber operations, particularly in the federal government. Inter agency. Um Threat hunting allows uh organizations and stakeholders to, to glean emerging and trending threats that like before they become a problem or an incident that needs to be reported before crisis mode, being able to have access to, to that quality relevant threat intelligence before it becomes an issue on anybody's network or, you know, environment is critical to ensure that they're protected and defended against, you know, volt typhoon Russia and ultimately protecting those, those critical assets that, you know, you hold near and dear to your heart as an organization. Thanks Ben Ken. Thanks, Steve. Yeah. So when, when we talk about threat hunting, we're, we're generally talking about external threat hunting and the same for TTP ETSS, tactics, techniques and procedures that Fred mentioned, our definition is slightly different because what we look at is how the adversary is managing their external infrastructure that is going to attack you in the future. So it's not about their behavior once they get in post breach, it's about there behavior when they're setting up and managing their infrastructure. So it's a slightly new art and science in terms of how we see things and therefore, you know, what we do is is very different. But the important part is that allows us to map out the adversary before the attack and we can share the information about what they're setting up so that you can put in place preemptive defensive mitigations in advance of them actually being in your environment. So we're trying to move things along way forward. Excellent Mike, thanks Steve. I'll follow up on Fred's comment about being proactive. I think one of the biggest advances that threat hunting provides that it's a proactive approach. Our, our security operations teams for years have spent a lot of time trying to stay ahead of the threat or up to date with the threat building signatures, building um detection capabilities that will highlight signature based detection. Often what we end up with is a gap in our detection coverage and a gap in what we have visibility in. And that's really where the role that threat hunting steps in and tries to find the gap in the seams from our detection coverage, whether you're using, uh, or if you're using a framework like the miter attack matrix to overlay your coverage metrics, there's probably gonna be gaps and how you're wanting to view how your network and the logs and have visibility over it. And then finally, I think one of the big things about it as Fred mentioned, as well as this is an advanced capability. Threat hunters have spent a lot of time in network or cybersecurity understanding, um how Attackers operate and their ttps. But they've, um, they've also spent a lot of time helping pull the picture together and some of the information that they are using to pull this picture together just come straight from tuition or intuition rather. Um And so, you know, it takes an advanced uh type of person to pull this information together, leveraging data science capabilities, um, hypothesis based threat detection and moving really beyond what the detections are showing you and your sim. Yeah, Mike, I, I think that that's a really good point which is, uh I think what you've all described is this idea that it is, there's just not a technical silver bullet that we can, we can use against these, these adversaries as sophisticated as they've, they've become. And in fact, uh, it really becomes this combination of the talent, you know, the people uh that are working this mission, the technology that they can use to enable them, you know, the trade craft that is uh frankly paramount to be successful in this space. And then, then actually the ability to evolve the tradecraft as the the adversary evolves. And, and I think the goal for all of us is to outpace the adversary, not, not chase the, the adversary and, and that's, that's one of the things I believe. Uh, it's a big difference in this approach which is much more active, uh, than uh kind of the traditional passive approach to uh defending against the threat. Um And that's a great segue into the next question which is, uh, you know, intelligence is the driver in all operational domain. So whether it's the maritime domain, their domain, the land, uh space. Uh And I would argue that certainly in the cyber domain, uh intelligence drives operations. Uh And I would like Mike and Ken to, to share their thoughts on the role that Intel plays a successful threat hunting. Yeah, I'll go for Steve. Thanks. I think one of you mentioned, uh ttps and actor profiling. One of the biggest things that, um, threat, intelligence plays and threat hunting is the ability for us to understand threat, actor profiling both from their, their ttps and their motivations and objectives. Um You know, we'll talk a little bit into how Ä¢¹½ÊÓƵ Allen got into the gray space, threat hunting side. But often, you know, our adversaries are very capable, highly capable, they are advanced, but they also reuse a lot of capabilities. A lot of tooling leave behind a lot of previously undetected signatures. And what we found that threat intelligence helps us do is understand the hypothesis that says I'm going to conduct a threat hunt. And I believe that this type of activity may have happened or this threat actor follows this type of activity. So I'm gonna go beyond the detection signatures as we mentioned earlier and really understand how they're operating. Fred mentioned things like moving up the pyramid of pain when you start to get into the tools section or the TTP sections. That's the real ownership of understanding the adversary when you can disrupt that, that is really imposing cost and threat intelligence helps us project that narrative and how we can get into that space. Yeah, if I can follow up with that. So, um if we take kind of a real world example and you know, imagine a hospital was attacked and ransomed, you know, prior in days of yore, like last year old intelligence would have been shared, which was post breach information, what the IOC is involved and that was shared. Um you know, in order for other people to defend themselves, but of course, that infrastructure is burnt and not necessarily of any use for defensive mitigation. Um So what we do now is we go out and we map the adversary infrastructure and see what the rest of it that's about to be used is. And then we share that, right. So in order to do that, we really have to have an intimate knowledge of how they manage that external infrastructure so that we can create new ways of mapping the infrastructure and seeing them as they set up new launch points that they're going to attack the other hospitals from, for example, right, so that you can share with the constituents that matter, the information that matters to allow them to proactively defend themselves. And that's, that's really the threat intelligence that you know, we now can provide on a on a daily basis that we've moved along. Can that's a great explanation. Can you share with the audience how dynamic that is which you just described uh you know, multiple adversaries across very large attacks space. Uh you know how dynamic uh you have to be as as you work uh work this uh this integration of intel uh into successful threat hunting. Yeah. So we have to have kind of many layers of innovation in that we have to be changing, you know, the data that we produce and the analytics layers that we produce all the time because you can never become complacent because eventually people work out how you're mapping them. So you have to constantly be generating new types of information that that haven't existed prior. So that you can map people as they change and catch their drift, which is, you know, how we term as they evolve their ttps and try and move away from you. Like so often their ttps have evolved in a way to avoid other detection mechanisms and on prem security products. And that leaves a fingerprint for us because of whatever their technique is. And then they realize, you know, that, that, that we're catching them or they're being unsuccessful with customers. So they try and wiggle away again. So we do have to like continually evolve what we're doing and make new types of data to work out the behavioral mechanisms of them managing their infrastructure. How do we see automation before this traffic? You know, there's a whole layer of new types of information that have had to be invented for this purpose. And so I would imagine that uh you know, some of us intel, some of this data turns into information to create the understanding. And if you think about where we want to, to go next is uh if you look at the players that are operating in this space, there's threat hunters, there's red team's blue teams. And so uh you know, their, their intel professionals that are doing some collection, there's a lot of uh information data coming from the heuristics of the network, there's government and commercial law enforcement, a bunch of players in this space. So, so how should uh all these entities, the threat hunters, the red team's, the blue team's specifically best collaborate to proactively thwart maligned cyber attacks and we're going to jump to a Fred and then back to Mike to answer this question. Yeah, absolutely, thanks. Um, so, yeah, so I used to run red teams, um, and as well as threat hunting teams. Um, and so there's quite a few different avenues of approach right here. So, first of all, um, some of my best threat hunters were former red teamers, right? Because it just makes sense when you have seen what the adversary is doing. When you have intimate knowledge about what the adversary is doing, it's easier for them to find, find that kind of activity or realize what that activity really means in a large data lake, right? How do, how do you find that needle? Um, the second thing is it doesn't require that only, right. I've also seen sys admins be very, very successful threat hunters, um, as well as some other other professions, right? Especially skilled blue teamers. Um, but so as far as red team, there's a couple of different ways we've interacted with red teams. Um, you know, there's, there is, um, typically red teams are around once a year, once a quarter, sometimes they're a checkbox that companies do we believe in proactive red teaming, right? So we call it purple, everybody calls it purple teaming, right? Red plus blue team's equals purple teams. And what that really kind of signifies is a collaboration. Um you know, you are working together to make each other better, right? Like steel sharpens steel. So when we're doing red teams, it can be announced or it can be unannounced, it can be, you know, assumed breach or, or work from the outside in however your methodology of red teaming, it has to be collaborative. Um So what I mean by collaborative, there's really two collaborations there, there can be uh intimate and continuous collaboration. Um where you know, it's one for one red team performs an action. Blue team. Did you observe it or it can be red team. This is more traditional 20 actions across 2 to 3 days. They've gained access, they've laterally moved and then there's a debrief period, right? There's a hey, I did 20 things. Blue team. How many of those 20? Okay, we saw 13 of them and then you focus in on those seven kind of un observed events. So that's very, very typical, very, very traditional um at snap attack. We're actually introducing uh a new phrase we've coined continuous purple teaming. And really what it means is instead of carving off once every six months, once every quarter, once every year. Um There should be this continuous concept of there's new threats that are coming out. How does a red team emulate them? How does the red team emulate them, save them off and then share that information with the blue team or in a near real time scenario. So, um this is something that we invented back at booz Allen and kind of really spun into what we have now snap attack. It's, it's continuous purple teaming. Um We call it memorial izing the threat. When you memorialize the threat, you make it super simple for a red team to emulate, adversary TTP ETSS in a lab, you capture the windows, event logs, the EDR logs, the full packet capture logs, right? Everything that a blue teamer has at their disposal to do either proactive or incident response against that threat. You then mash that up against all the detections and the detection capabilities that the customer has at their disposal. And what you find is you find the delta, right? And you find it in near real time. So now you're not waiting for once a quarter and a big exercise and only 20 actions, you, you can actually crowdsource this and this is something that we're gonna talk about as we think about national scale and bringing pain to the adversary. One of the biggest advantages that adversaries have is stealth and lack of communication and vendor lock in that we have today. So if you really talk about breaking down those barriers and um exposing adversary TTP ETSS to a massive amount of blue teamers, right? If a blue teamer only is exposed to 20 activities of red teamer every six months, um That's there's a huge gap right there. So that's what we're talking about is how do we do red teaming attack, capture and dissemination of that at scale. That's a great, great point. Fred, I think one of the things that I, I take a look at when I look at how these teams work together and I'm gonna talk about this from, you know, in federal agency perspective or service cyber or a service component of the dod. I think transparency and open communication is key. That's both in terms of sharing intelligence back and forth. We're all hopefully representing the threat the best that we can when we're conducting red team activities and we're profiling the threat to build our detection and our defensive measures against it. Um And then we're profiling the threat is we're doing our TTP ETSS and our hypothesis based threat hunting. So I think everybody being on the same page with intelligence is incredibly critical. Uh One of the things that you mentioned is every six months, you know, every year for a lot of compliance metrics for those organizations that are lucky enough to have an in house renting. One of the things that we found to be successful is to run parallel efforts. So as Fred mentioned, there's a very back and forth of I launched this attack. Did you see it in your detection coverage? So you may look at a service or a tool or a application within your infrastructure and the red team and blue team made purple team that segment. Meanwhile, the threat hunt team can actually sit back in the previous effort and try to conduct a threat hunt from the hypothesis based protection of saying, okay, all of these detections were discovered, where else might they fit. And it's this parallel effort of, you know, continuously looking and monitoring and profiling the threat to really understand the impact to the environment. And then the last one is feedback. I think feedback is incredibly important both to the red team is the blue team's that combined purple teams. But one of the things that we've really advocated for is the location of threat hunting is to actually sit within or a direct line to Cisco offices. And so we have security operation centers that have threat Intelligence and red team really associated with them that are providing the snapshot of where we are in time. And then you have a lot of, you have the ability to have validation from a threat hunt team that can report the real picture of, you know, where, where the real risk to an organization is. And so we see a lot of our reports resonate really, uh, well as it starts to hit up in the cso's office that gives them a validation of, of how their organization is running. So, so Fred Mike, thanks for that. And I think that that sets us up really well for the next question which, uh if you're gonna be successful, uh, you can't, you can't restrict yourself to just a portion of the, uh the operational domain. And in this case, blue space. And so the adversary is operating, uh you know, again, planning, launching from red space transiting through Grace Space. And if you're satisfied with just passively shields up, you know, arrows are gonna start to leak through actually pretty, pretty fast, particularly if, if in gray space, the adversary has built infrastructure, uh, they moved to a position of, of advantage to launch their attacks. Uh, you, you wear out the defenders, uh, fairly, fairly rapidly. Uh What I think would be actually very useful though is to establish a combination or a, a definition for, for gray space. Uh What it is, why it's important to defensive cyber operators and analysts across threat, hunting incident response and cyber threat intel uh experts. So what is it? And why should we be concerned about Grace Space and I'm gonna start with Ken and then we'll, uh, we'll lateral back down to the mic. Thanks Steve. Yeah, so great space really. We define it as not known, good, not known bad. So it's neutral territory that anybody could be operating from. Um, which means it's, you know, a large part of the entire internet, right? So it's problematic. Um, in order to see activity there, it means you really have to monitor everything that exists and everything that changes on a daily basis. So for that whole hypothesis that I was talking about earlier on where we're looking for the management techniques of adversaries managing their infrastructure. It means that we actually have to have marked all infrastructure that exists with those markers and continually monitor for changes all the time. So that when we want to do a search for a combination of those management techniques, we can search across the entirety of great space and find that infrastructure. So it's a very, very large problem to overcome and it takes an enormous mental resources, right? And obviously, there's a lot of new types of information that had to come into existence for us to have those markers as two different types of management behavior that we're associating with different pieces of prior to thought of as neutral infrastructure. Yeah, for us from the gray space side, and we borrowed the term from a dod joint publication 312 that says it's, it's not your safe space, it's not the Attackers launching space. It's everything in between. It's the place they find refuge. It's the place that's hard to find them because for various reasons across our client spaces. So we, we identified gray spaces that that space once an attack is launched, what it has to traverse through until it lands within a network. Um And, and we really started about, you know, really started over a year ago, exploring this aspect of gray space. What we found is that regardless of how advanced we want to get or as I'm sorry, as active as we want to get inside a network. When we talk about threat hunting today in a network, you're still assuming and waiting for a breach to happen as we start to look at how adversaries operate. We've noticed that they start to use the same signals and indicators, time and time again, but not a lot of people are watching them if they haven't hit your network. I think silent push has a really great metric that about 2% of adversary infrastructure overall is actually monitored and that leaves a lot of space for adversaries to actively pursue their endeavors. Everything that we've done in defense for years has been building tools to identify attacks faster. But for a lot of our clients, specifically in the federal and defense side, we can't wait until an attack happens and it comes through a threat intelligence report, our national security relies on having the ability to identify the attacks before they happen. So we can help inform organizations, agencies, bureaus, etcetera that something is about to happen and they can take the appropriate counter measures and actions to prevent against it. And so, you know, one of the advantages between, you know, uh industry government, uh there, there may be some restrictions about venturing out into gray space. Uh So the combination potentially of, of capabilities from both sides. Again, this idea, 11 cyber battle space. Uh not, not stovepiping the way we view it into really kind of particularly blue space only that uh there's there is operational depth to the, to the domain from red through gray and into the blue. If we don't have the ability uh or the authorities uh at different levels to uh to use uh the full operational domain, then that creates blind spots that adversaries can, can take advantage of. And I think that's actually a good segue into uh you know, what, what does a whole of government approach mean and look like? So how does the dod FBI and CISA differ in their areas of response? How can industry tie in to support this process across the sectors in an environment where threat, actors like volt typhoon or a real and present threat? And what happens to the incident, information and details once it's reported? Well, we the effective organizations receive feedback. Uh there's a lot of concern over how the implementation of cyber incident reporting for critical infrastructure at Garcia will impact organizations who fall under the ci umbrella. And so what I would like uh to do is uh throw this over to uh to Ben and uh and Fred on uh you know, what, what the impacts are of the new legislation and frankly, how do all the different players in this space actually uh you know, interact uh and uh take really a cross sector approach to uh to dealing with a sophisticated threat actor such as full typhoon who aren't just in government networks, they're not just in commercial networks. Uh they go to where their objective is and they are very happy to transit through one to get to the, the other. Yeah, thanks Steve. And that, that's a, that's a big broad, heavy question to answer. Right. And pulling on, you know, the seven years of experience that I had from while I was a fed at CISA, like running the mission, seeing the way that the inter agency operates, but also seeing the way that size of being a civilian branch of government relies on industry to, to Mike's point, Ken's point and Fred's point industry booz Allen snap attack, silent push. And everybody else has an opportunity to go into spaces where can't like they're limited in what they can go out and, and view and see and collect and pull back within what we are determined as gray space. Dudfb I the intelligence community, they've got some authorities there. Um That allows that, but, you know, to, to the statistic that Mike said like 2% is a astronomically scary percentage and a metric that we need to fill that gap on so that we can be ahead of the curve there of adversaries activity. Um So I get the pleasure of talking about policy and process at a national level, right? That's always fun. Um So we could, we could spend days weeks months talking about what is and isn't to include the most recently released national security memo 22 which kind of goes hand in hand with Garcia um having been around sizzle when this was an idea to when it was first drafted and and pushed out at its heart is designed in my opinion, to do what we've been talking about, right? To help encourage and foster a level of transparency between your your US government being Cisa and all of the ability and access and unique telemetry that these vendors have. Whether it's booz Allen Hamilton's snap attack silent push like it affords an opportunity and a mechanism for us as industry to feed the beast of being responsible for those 16 sectors. Ultimately. So if you dissect Garcia, like I had the pleasure of doing multiple times, uh There was a harmonization document that came out in September that highlighted some key gaps that need to be filled and I'm sure everybody that's reddit would agree. Um And then like Fred, well, we talked about this a little bit so hopefully we can plug in some of our machine solutions here. But when you read Garcia, um there's multiple definitions that carry what is an incident versus a breach versus an event and then they're standardized incident reporting that needs that needs to happen. Um Right. So what the needs to do is codify those definitions as a standard across sectors across the US government. And then they need to standardize to a degree, what what information, essential elements of information actually need to be reported up to CISA, to the inter agency that they can do their job. Now, once it gets to Caesar or Sector risk management agency or the sector specific agency, depending on what sector you're in the term whole of government. Many of you may be familiar with, but it's very much the the term that we use within government for the interagency coordination and collaboration, right? Those us government entities have to work together and we could use any example from volt typhoon wanna cry ransomware that hit, you know, the Europe first and then we had a little bit of a heads up in the US when, when that went down to get shields up. But even talking about, you know, geopolitical things like elections that are upcoming in 2020 for like these are all prime opportunities and targets for adversaries and you should rest assured that well in advance or as a result of these, the interagency comes together, they formalize and codify working groups and they like using solar winds or volt typhoon as an example. They will bring FBI says the Department of Defense Intelligence Community and even vendors sometimes to the table, establish a working group that could maintain for weeks or months until they feel that it's time that you know, they could, they could go about other business. Now when you do look at the inter agencies. It's important to know and understand those authorities that Steve was talking about that kind of dictate and govern what they can and can't do the proverbial separation of powers. The dod and the intelligence community are unable to basically take the fight into adversary space. Right? There are weapons, they go do the offensive cyber operations on behalf of the nation essentially for national security. FBI there, the police, right, they they pursue the adversaries, they work with international partners to execute things like sanctions or extradition to pull people back so we can prosecute them under the US legal system. And then naturally, for me, coming from CISA, the near and dear to my heart, I've always long compared to a firefighter or paramedic when an organization is in crisis mode, right, score isn't there to place blame attribute or do any of this. They want to ensure that an organization that has been hit, compromised or potentially compromised gets back to operational capacity is mitigated, remediated and can move forward smartly in the way that they need to. But they also have an obligation to pull that sanitized anonymized information and metadata back. So they could share with the other sectors who are likely prime targets as well. So leading into that right, the Intendant for Garcia in my mind is too deliver and support a mechanism that facilitates and encourages what Saxon said, transparent communication across the sectors and across the government you know, if it's happening in one sector, you can bet it's happening somewhere else. And I'm sure everybody would want to know and volt typhoon to Steve's point is perfect right there, not just in sector A there in sector A BC and D and it's pretty important for all of us to, to share that type of information. Um So lastly, right, that was a mouthful, we could dissect it but under those policies and strategies and guidelines that we know the US government operates in conjunction with industry, how do we pull all those policy and process together smartly and actually take action and activity on it. This is where we try to turn to those innovative solutions and technology that are snap attacks and sign that pushes and booz Allen Hamilton's are bringing it, Fred and I were just talking the other day about this, right with Garcia on the horizon, if they can standardize their definitions, their terms and their, their metrics, if you will, that's where we can leverage technology to automate this to a certain degree. So organizations that have angst and anxiety over, oh my God, I have to report all this stuff. If you can standardize it, you can automate it and then technology takes the burden off of the humans. Um So not only will that help in crisis mode and under incidents but also in day to day operations as well. So that's hey, hey, Ben, thanks. That was very comprehensive and you broke that down very well. Uh What I'd like to do now is jump to Ken and Fred. Uh, Ben's walked us through some of the complexity with, within the government. Um, can you share some thoughts on the challenges to sharing intel and operational information between the government and industry to better enable threat hunting and, and what in your opinion is needed to, to better integrate those efforts? Yeah. So sharing of threat intel is um something that sounds very simple like everybody should do it, but it's probably one of the most complex areas and really, really difficult. So the main three things that kind of, I always see our trust, timeliness and totality are all problematic areas. Trust obviously being one that covers everybody. Because if I am an organization that has had an incident, you know, what can I share? Do I want everybody to know that I've had an incident, like I want to share information to try and help protect other people, but I don't necessarily want everybody to know that we're in the middle of something. Um So that also leaves the question as to when do I share something? Uh And how quickly because if I share it too quickly, then I can be letting the adversary know that there, that we know they're there and that can be problematic in terms of managing the whole thing. Um So there's just, there's so many layers of the trust problem. Uh you know, particularly, let's say me as a vendor is sharing something uh doesn't leak out and the adversary now knows that I know about them or that I know or do they know how I'm tracking them? You know, there's, there's, there's many, many layers to the trust problem, the timing, this problem, I kind of mentioned it already but like what to share and when to share it is also problematic because you're not sure how watertight the information is early on and how useful it is to other people. So that will be a problem as well for like, you know, should people have to report in two stages and give you kind of a a loose script at the start and you know, move on with the with the incident that they're involved in because new requirements are kind of very fast in terms of how quickly you used to report information. But the worst one is the totality, right? Because one person's incident does not correspond with what the adversary has set up and what their intention is and the extent of the campaign. So someone else has to go and find the rest of that campaign to find who else is going to be going to launch that and that information has to be shared and that that is rarely dealt with, you know, people stop at the initial information, right? We're gonna share post breach information and people can share that infrastructure, even though it's burnt infrastructure and the adversary may not use it again. Right. Normally, you know, we can see about 5% of the campaign if you look across security vendors. So there's 95% sitting there ready to go, who's gonna, who's gonna get the other 95% and share that across all the security vendors so that, you know, you can have a neutral provider, sharing, defensible information in a timely manner before it's used. So I think there, you know, some of the problems about sharing. Okay. But I think that the totality problem is, you know, one that we've gotta, we've gotta launch ourselves into. Hey Ken. Thank. Thank you very much. That's actually a great framework, you know, this three Ts. So I've got that written down. That's something that I'm definitely going to start using before we, before we segue to our transition to Fred. Uh, what I would just ask the audience, we're getting ready to go into Q and A after Fred's response. Uh, if you have questions that you would like to pose to, uh, the, uh, the panelists, then please start putting those into the chat. Okay, Fred over to you. Thanks. Thanks Mr. So, yeah, so just a refresher. So, yeah, the question really posed is, um, you know, what challenges we have for threat intelligence, operational sharing, um, you know, across the government as well as industry and, and how can threat hunting like kind of lead into it. This is something that I'm super passionate about. Um if I could just summarize a couple of things. Um You know, first thing is, um you know, as Mr Fogarty mentioned in the leadoff statement, you know, stealth and anonymity are enabling hackers to push these boundaries of what was traditional military engagement faux pas, right? If Russia, you know, this is a, this is quite an example, but Russia runs into Ukraine, everybody can visibly see what is going on. Everybody can assess this is war and, and it's, it's obvious um Cyber hackers have been waging complete and totality warfare against the United States, critical infrastructure for many, many years. I mean, dating back till, I mean, in 2008, I was very aware of some classified stuff but um but it's not visible to the to the public. So I think that's very, very interesting. Um I think that anonymity thing really goes to back to what Ken is doing, right? Ken is exposing uh strongholds for these infrastructures and prepositioning of command and infrastructure around the globe and identifying who the not only that a bad thing is happening, but attribution to an actor that really enables us to, to get ahead of the threat before it crosses into blue space. But my specialty today is is around blue space. So when, when the adversary crosses into our blue space right into our networks, um you know, the endpoint is the best place to find this information, right? So when they cross in um understanding their TTP ETSS, delivering and understanding and writing detections at that TTP layer is absolutely critical, right? Good logging, endpoint visibility, not just network is absolutely critical, right? In 2021 there is a executive mandate to enable DDR ETSS across the entire dod and United States government. Unfortunately, the I was just on a call yesterday with a organization that is not up to standards right there. We need to get people to have better endpoint visibility. As a former hacker 16 years, the number one place you're gonna stop me is at the end point. Um and in memory, right? And we're woefully unprepared at that point. Um So some things that we can do and talk about his machine to machine three things, machine to machine collaboration around detections. The second one is cross vendor and the third thing is proper documentation of what steps um when this triggers you can do to um to remediate. So let's go back to the machine to machine. Machine. Machine means no human in the loop. If I know about vault typhoon, which we've used as an example today. If I know how to detect vault typhoon, I cannot play human telephone and call up a buddy. Write a 16 page PDF, transmit 250 companies and government agencies and expect them to read 19 pages, then write a Splunk query. That is absolutely absolutely. Bonkers. To me, we need to transmit the communication and the absolute like machine to machine detection code with the intelligence. The second thing, we can't expect everybody to translate it into Splunk elastic carbon black crowdstrike. You can't expect that. Right. So when we encapsulate this knowledge and do it machine the machine, we have to make it a receivable and transmittable um from a vendor agnostic ability. Right? And it has to be at that TTP level. Um And then lastly what happens when this detection fires? And I think we're pretty good at that. I think, I think, you know, the documentation is there to support that, but threat intelligence around that is absolute critical. So in short, I think we need to get from threat intelligence point of view, we need to get humans out of the loop. We need to have a narrative around it, but we need to have machine, machine cross vendor detections ready to go. So a person can read up a 19 page paper, click a button and immediately start hunting in their vendor of choice platform for what is described in the 19 pages. So, so Fred, I couldn't agree more. Uh If you think about the challenges with speed scale, uh many, many uh companies, uh you know, lots of much of the federal government, they're in a hybrid operating environment right now, partially in the cloud, partially not in the cloud, uh mobile uh you know, all of this uh creates real challenges, right, to be able to see yourself the attack surface has exponentially increased. Uh You're now uh having, you know, very sophisticated uh attack vectors, uh all, all simultaneously. So that this idea of defenders having to respond with necessary speed, you know, at the scale that, that I just described uh really uh really is critical to be able to respond uh as uh can talk about in a very, very timely manner. Uh the less humans and Luke probably will help uh increase trust and then uh you know, the totality of the problem, you know, multiple environments, you know, all simultaneously, uh it really becomes very, very important. Uh So, so, so thank both of you. Uh The good news is we do have a question from the audience on and this actually is back to Fred and Ken on what are the disruptive threats that you're most concerned about and what should we be doing now to preempt those threats? Yeah. So I think there's, there's kind of a couple of layers here really uh in terms of damage on many levels to the uh commercial sector. I think ransomware is um poisonous, you know, it affects not just the operation of commercial entities, but I think it affects their kind of confidence in being able to operate without interruption. I think, you know, on a leadership level in many organizations, I think they're feeling pretty insecure about how well they can handle inbound because of the success of the ransomware operators on a continuous basis. And then the drift of more threat actors into ransomware because it's, it's quite an easy market from their point of view to go into. So, you know, we've seen people who used to do, you know, the kind of minor stuff like credit card markets and stuff and then they became involved as ransom where affiliates, etcetera. So there's, there's, there's quite a drift of all sorts of characters into this equation now. And I think that that has to be handled pretty comprehensively. So that's, that's one thing that we've, we've got a large focus on that because it is so problematic for people. I think it's, it's, it's important to go after it. And obviously though on the nation state level, you're dealing with people with way more resources and they can be far less visible and they operate in a completely different manner. So already you are kind of dealing with the problem or the dichotomy of, you've got two very, very different things you have to go after and therefore you have to make different types of information in order to track them and try and pick up their activities. And that's, that's, that's quite a strain, right? Because they are completely different things, the, their behavior is so different because as well, the types of things that they're evading are different. So how they set up and manage everything is completely different and that leads to enormous difficulties and for us to have to continually invent new ways of probing neutral infrastructure to try and find people using it in different ways. So they're, they're, they're the 22 main, main problems as far as I see it. Yeah, I'll put you back on that. Um, so I think when, when I think about disruptive threats, um, I kind of think about future threats, like, like just over the horizon, threats. And the one thing that I'm actually pretty amazed as we didn't use the word ai too many times in this presentation. I think that really goes to the skill of, of the practicality of this, of this. Um But AI is something that we need to talk about and it's something that we're researching there. Are we heard about this for, for, you know, potential, the potential for this for years? But I have seen it in practice. So just kind of raising the flag there is artificial intelligence. Now agent based artificial intelligence that you can give it a prompt volt typhoon, it will then go and go to the Envy D database. Um Pull down references to get hub. It will then autonomously pull down those, get proof of concepts. Uh It'll ask where it should point its gun. Um It will then download it, compile, compilation, fails due to dependencies, download those dependencies. It's autonomously figuring out how to drive that Popocpov. It's pretty dumb and nascent. At this point, I've actually ran it on my computer, were exploring some of this, but we are now very close to the horizon where agents will be able to understand what ende looks like. Pull that down, weaponize it, leverage it and use it and autonomously do it now at snap attack, what we're looking to do is get ahead of that. Um, and sandbox those threats in mass and in bulk. But I just when we think about disruptive threats over the horizon, ai and the ability to have it autonomously identify threats, exploit threats in place of a human is pretty terrifying. Okay, first, thank you for your insight. Huh Now, uh fortunately for additional funds, but as I go back to where we started this with, uh I think uh you guys have done a phenomenal job about describing uh what, what is, how we need to think differently when uh when addressing the threat, uh the nuances to the US government's approach. But very importantly, uh the importance of of cooperation, collaboration between the government and the private sector. And then uh I think you've given us actually uh several good frameworks that can be used by the practitioners in the in the audience. So the good news for the audience if you joined us late, uh this has been uh to review gain credible. Did you continue this problem for organisms? And, and I just wanted to make uh channel for uh some, some great feedback today. So friends and uh and, and Mike, thank you very much uh for, for leaving this session. I hope everyone uh had a uh the opportunity uh and you can continue to post some questions in here and we'll get back with you. Uh as uh as they fill up the uh the chat window. Thank you very much. Have a great day. Great. Thanks everybody.Ìý