Day 2: Dispatch from RSA Conference

Photo: The Cipher brief/Levi Maxey

If you missed our previous dispatch, I am attending the annual RSA Conference in San Francisco, a global event where private and public sectors come together to hash out the most pressing concerns in cybersecurity today.

Prior discussions hit on technical approaches to privacy, the role of government in laying policy foundations for solutions to an ever evolving and complex cyber threat landscape, and the overlay of cyber incidents with geopolitical events.

This dispatch picks up right where the other left off—the fear of large-scale disruptive cyber attacks that could border on an act of war. I spoke with Eddie Habibi and Jason Haward-Grau of PAS, an industrial control systems security firm, who described the threat to the country’s infrastructure in cataclysmic terms, suggesting a major attack is “not a question of if, but when.” While critical infrastructure such as water treatment plants, dams, nuclear power plants, and the oil and gas sectors have endured hits—most notably the Stuxnet worm in 2010, Saudi Aramco in 2012, and two Ukrainian power stations in 2016—none have yet reached the point of direct violent consequences.

But while a potential attack on critical infrastructure continues to motivate incident preparation measures, nation-states, criminals, and even industry competitors already see critical infrastructure as a source of intelligence collection—either to “prepare the battlefield” for cyber warfare, to sabotage operations under the banner of a cause, to seek ransoms exploiting the dependence of entire communities, or even for corporate espionage in a cutthroat industry. And while industrial control systems differ from traditional information technology in that they directly translate digital actions into physical effects, the continuous monitoring of a company’s network, and the devices connected to it, remains central to mitigation strategies.

I then spoke with Ed Cabrera, the chief cybersecurity officer at Trend Micro and former chief information security officer for the U.S. Secret Service, about the growing ecosystem of cybercrime in Eastern Europe. Cabrera described a criminal startup community, or “crimicon valley,” where criminal groups increasingly act as if part of a social referral network. As the ecosystem becomes more connected, it becomes more successful and specilalized – with each criminal playing a specific role in the enterprise based on their own skills.

This market-based, competition-driven, cybercriminal economy thrives in former Soviet satellite states—and Russia itself—for two reasons, both lending impunity to criminal actors. The first is an ability to operate within virtual safe havens of anonymity, whereby matching online personas with real-life identities becomes exceptionally difficult due to encrypted browsers and digital currencies. Second, criminals intentionally operate in physical safe havens, or countries without extradition treaties with the West—such as Russia. This could be either at the tacit consent of the Russian state, wittingly on behalf of their intelligence services, or on behalf of corrupt officials in search of an extra income.

To finish the day off, I sat in on a presentation given by Mark Loman, the director of engineering at SOPHOS, who laid out the technical details of how nation-states and criminal syndicates use exploits to bypass network security protections such as filters and antivirus software. Loman differentiated between criminal exploits and nation-state-driven attacks based on a motive-based methodology. Criminals are largely profit-driven and engage in broad-based ransomware campaigns using exploit kits, or a packages of exploits available for purchase in the hidden corners of the dark web. Nation-states, on the other hand, seek to subtly gather intelligence, and therefore often resort to targeted spear-phishing campaigns and watering hole attacks.

Perhaps most interestingly, Loman noted that once an exploit becomes public, both criminals and nation-states incorporate them into their own capabilities. For example, a zero day, or previously unknown exploit, from the Italian surveillance company Hacking Team was coopted by Fancy Bear, one of the culprits behind the breach of the Democratic National Committee (DNC) last year. This should make you wonder who will incorporate the Cisco and Windows exploits—allegedly part of the NSA’s hacking arsenal— recently released by a group calling themselves the Shadow Brokers.

Tomorrow, I hope to dive into the state of cyber warfare beyond Stuxnet, the tradecraft of nation-state hackers from Russia, China, and Iran, and the role of international law enforcement cooperation in addressing the global phenomenon of cyber threats. You can also expect exclusive insight from more of the leading thinkers in cybersecurity today.

Levi Maxey is the cyber and technology producer at The Cipher Brief. For more coverage of the RSA conference, check out his dispatches from Day 3 and Day 4 of the conference.

You can follow Levi on Twitter @lemax13.