We’ve all learned a lot this year. The onset of the global pandemic sent many of us scrambling to find new ways to do things that would allow for social distancing. For businesses, that meant employees working from home. But the cyber world wasn’t necessarily ready for the shift, as evidenced by the fact that the move “led to an increase in the number of cyber-related breaches,” according to FireEye CEO Kevin Mandia. And he should know.
Over the course of a decade and a half, Mandia has grown a one-man operation into one of the country’s leading cybersecurity companies, driven, in part, by the belief that government alone can’t solve the cyber vulnerability issue. In 2012, Mandia predicted decades of growth ahead for cybersecurity specialists, telling Cipher Brief CEO Suzanne Kelly back then that “I think there’s gonna be a growth in it because the private sector has to protect the private sector in this regard. There’s not going to be a magic phone number to get a DHS person on the phone for a computer intrusion.” (In the past eight years, CISA Director Christopher Krebs has, of course, moved mountains to elevate the importance of cyber within the Department of Homeland Security and to coordinate it within government.)
The Cipher Brief talked with Mandia recently about his new cyber concerns in a COVID environment and how he sees the future of business. Some of our questions were posed by Cipher Brief Experts. The conversation has been slightly edited for length and clarity.
Kevin Mandia, CEO & Board Director, FireEye
Mandia has served as FireEye Chief Executive Officer since June 2016 and was appointed to the company’s Board of Directors in February 2016. Mandia joined FireEye as Senior Vice President and Chief Operating Officer in December 2013, when FireEye acquired Mandiant, the company he founded in 2004. Mandia is a USAF veteran and served as a computer security officer in the 7th Communications Group at the Pentagon, and as a special agent in the Air Force Office of Special Investigations (AFOSI).
The Cipher Brief: How did COVID impact the business of cyber this year?
Mandia: Everybody was working from home. The first issue with that was productivity, not security. There are a lot of disciplines and domains where the metrics to measure productivity aren’t as easy as consultants with billing hours, or salespeople, who sell things. We had to poll our employees, and ask “How productive are you right now in your work from home environment?”
Then we got to security. Everybody went to the cloud really fast where we had a provision for a work from home environment. There were five things I knew right away regarding this changed landscape. I knew we would need visibility and a good endpoint, because now we have to protect a distributed workforce. We need to know what’s going on in the cloud. We need to know who’s logging into what, which makes authentication and ID management important. Lastly, we need to make sure that remote access is secured, so we can route everybody from their homes into a backend business operation.
After that initial push, something I didn’t anticipate was the remarkable number of breaches we had to respond to. As we’re having this conversation, we’re responding to more than 100 breaches. We have more than 400 folks deployed trying to figure out what happened and what to do about it. The attacks aren’t necessarily changing, but our volume of responses is swelling right now.
I think that can be attributed to there being a lot of enterprises that had co-located security functions and co-located workers, where our capability and efficiency came down a notch as everyone triaged events and alerts from their homes while working remotely. You can’t just turn to a coworker with the right skillset and ask, “Hey, what’s this?” Security operations efficacy came down a notch in a distributed work from home environment, so many of the incidents that could have been stopped before they got to a certain scale were not stopped in time and we’re now responding to them.
The Cipher Brief: What kind of threat actors are taking advantage of this opportunity?
Mandia: Last year, out of 858 investigations, we only categorized 216 as targeted. This surprised me, as there are only three ways to get into a network: spear phishing, network vulnerabilities, and credential-related issues. This year, with 542 investigations so far, attribution into the targeted category is much higher.
I have some conclusions. As I peruse the 542 cases, the first word that came to my mind was hectic. It’s a hectic year. The phone is ringing every two to three days with someone asking us to figure out what happened and what they should do about it.
After that, it’s the year of ransomware.
Ransomware is far more complex than it was when we first started responding to it back in 2016. For the first time ever, we’re seeing a separation of duty with different groups conducting these attacks. One group will break into a company and another will come in and extort with ransomware. They’ll encrypt a company’s drive and interrupt business so they can’t function.
This business interruption usually happens after the threat actors break in and steal data that matters and use the stolen data as leverage to make money twice. They’ll extort you to pay for the decrypts on the ransomware saying, “We’ll release the private information that we stole, unless you pay it as well.” This has gone from a nuisance to a business risk and will eventually graduate into a national security risk.
These guys are professional. We responded to one guy named MAZE who has made over $100 million this year. The two things I’m seeing rise are the amount of payment on the extortion and the percentage of people paying it with different anonymous currencies.
We also measure a thing called dwell. I went through our 542 cases this year and in 12 of those cases, the time from the moment someone is compromised to the moment they know they’ve been compromised was 56 days. In ransomware cases, the number of days goes up to 73. This means whoever is conducting the extortion and executing the ransomware attack is in longer because they want to steal information that’s of value to the victim companies and then extort them twice.
We’re in several sprints to try to close every access point to the network to protect our customers, but the bottom line is it’s the year of ransomware.
The Cipher Brief: Other experts we’ve talked to have said companies are paying ransoms even though they have backups in place, because it takes time for them to restore their systems and they’re losing too much money on a day to day basis. What do you think about that?
Mandia: Most organizations we’ve worked with don’t want to pay the extortion. The challenge might be the industry you’re in or the broader business problem in recovery.
When we show up to investigate, we start with how they broke in, because it’s not explicitly knit into the ransomware. The way they accessed your network can tell a lot. It really depends on industry, business impact, and confidence for whether people will pay the ransom. In our response, we have found how to reverse and optimize the decrypts in order to get business up and running faster, something we are doing all the time. It’s certainly easier with decryption enabled by the attacker than it is doing it any other way (if it’s even feasible). Overall, payment percent is going up.
The Cipher Brief: What are you seeing in terms of influence and disruption activities now as we approach the U.S. presidential elections, by Russia, China, or any other significant actors?
Mandia: We know what happened in 2016, so there’s going to be some changes going into 2020. One is going to be visibility. There will be eyes on the network at all times. We’re involved in a lot of the election process, so I’m keeping my ear to the ground to see what is going on there. As of right now, we’ve seen spear phishing attempts, but we haven’t seen anything successful. I’m worried, at this point, about one or both parties suffering a compromise, as they certainly suffer attacks from either a nation or folks just trying to hit the domains of the national committees.
I’m more worried about the influence operations. We’re having a far harder time rooting those out and trying to figure out who is influencing the hearts and minds of America through various media including Twitter and Facebook accounts. They’re trying to pull the right further right and the left further left. I’m confident on the election process and the candidates because cyber security awareness is high. There is, at least, a will to make sure there is visibility and no vendor wars in this election. I think everyone is trying to make sure that we do our best to have an election that is reliable.
The Cipher Brief: We've seen cyber enabled disinformation around the pandemic, and of course political matters. How do you think we can do a better job of stopping cyber propelled disinformation?
Mandia: There isn’t an easy answer. If there was a bright line between truth and lies all the time, we could probably find it.
We have a group of folks who are always looking for information operations coming from an intrusion, we’re responding to folks who monitor social media, we have a pretty big apparatus that looks for this. We have not found the magical AI that can distinguish truth from lies. We do think it’s a basic human tenet that nobody likes to be manipulated without knowing it. No one likes to be lied to. Finding these disinformation campaigns is human intuition by someone who has practiced intelligence. There are some digital ties, but it’s mostly human intuition. Once you find them, you have threads to pull to find more.
I think it’s going to be trust but verify. I think we’re going to see a lot less anonymity on the internet over time (we’re already seeing that), whether government regulates it or not. There will be portions of the internet that are more anonymous which favors disinformation campaigns, but you’ll also have proven identity. Even with that, however, you’ll still have some disinformation.
I am certain Facebook and other social media sites are constantly working on ways to discern truth from lies and find proven and non-proven identities. I think over the next few years we’re going to see the definition of identity change in the digital world.
The Cipher Brief: Has the onset of disinformation in its various forms changed the way you look at your own information sources when you’re not in the office?
Mandia: Absolutely. I think everyone wonders what you can believe, especially for the younger generation. I like to read magazines, but younger generations probably get news from Twitter and Facebook. I don’t use social media to get my news and I think everyone should be a bit skeptical about what you find there. I like to look to think tanks as sources who don’t have an obvious agenda for my news. You have to have multiple sources that you know and trust.
The Cipher Brief: How do you measure progress in cyber security outcomes?
Mandia: The only unvarnished truth is live fire drills. I believe every CISO believes they’re telling the truth when they show their four-dimensional pie charts, but any time I see anything in the green in compliance, I doubt it. When I see something in the red, I wonder how we are in the red. If I see something yellow, I don’t know how to feel. What works for me, is can a group hack in and get to our financial systems or our CFO’s email? That’s what matters. Shoot bullets and watch how your security apparatus responds to it. That’s an unvarnished answer.
I believe in red teaming as well. We use red teams at FireEye against ourselves. When they’re not successful, which is rare, you learn your IT remediation drill and start reprioritizing your security. You have to have compliance, but with live fire drills, you get the unvarnished truth. Did the attack work, yes or no? That’s what mature security programs do. If you’re not mature and you’re still working on compliance, you won’t fare too well on live fire drills. You’ll have one and then a year of work to do, but that’s the only way to get it right.
The Cipher Brief: Have you seen a change at all in the past couple years on how boards and CEOs are talking about cyber issues and how they’re preparing to defend their companies?
Mandia: It’s hard to figure out what framework works for a board. What does work is considering the five intolerable business risks. If you test to see if you can make them happen, that’s it. You have to talk about the business line to owners. The risk for the operation is owned by the CEO and operational management. They have to agree with the board on what the risk profile is. I go in knowing the five to seven things we will always test.
The Cipher Brief: What is the role of cyber militias? Is there still a desire to handle this themselves or has that changed?
Mandia: When you have a breach, I do believe in getting attribution. There’s no better deterrent than to figure out who did it and either name and shame them or go grab the person. That’s the only real deterrent. Until that happens, the attacks will continue. We’re never going to have geopolitical conditions where all attacks cease. There will always be espionage and criminals who want to make money, so we’re always going to have cyber-attacks. Right now, attackers aren’t operating with risks or repercussions, which is a big issue.
The Cipher Brief: What do you see for the next six, 12, or 18 months on the cyber threat?
Mandia: I sometimes talk about the Balkanization of the internet based on privacy rules and geopolitical conditions. Based on economic alignments, you have to do business with companies that are located in countries where you trust the government. We’re going to have more Balkanization.
Identity is changing right in front of our eyes. It’s all contextual now based on the phone you have with you, physical readouts, and geolocation. Apple, Facebook, and Google all have ways to identify us. When does the government decide that is what they will use to identify you and decide the internet is how you will get services? I think that will happen. These changes are real and they’re starting.
The Cipher Brief: Closing thoughts?
Mandia: We’re going to respond to more cyber breaches than ever this year. On the upside, when we look at the battle space and what we’re doing in cyber, I’ve always been very hopeful. We’ve gotten good enough to predict a lot of the actions of the adversaries. From a cyber perspective, tech, people, and awareness is getting better. We’ll always have incidents and geopolitical and economic tensions, but the bottom line is, we’re getting better at cyber security inside the private sector. Where there’s a will to secure it, people do a pretty good job.