Davis Hake is the Director of Cybersecurity Strategy for Palo Alto Networks and a former official at the Department of Homeland Security. Hake spoke with The Cipher Brief about the importance of information sharing and creating a coordinated response to the changing cyber-threat.
The Cipher Brief: It seems like cyber-attacks are becoming more and more common, especially the state-sponsored breaches, like the Sony and OPM hacks. Is this perception true and, if so, what explains the increase in these types of incidents?
Davis Hake: One of the trends that we’ve seen is that business technology is getting a lot more complicated as users look to take advantage of new innovations. So you’ve got this really non-traditional IT architecture, and it presents this huge attack surface, and security hasn’t really caught up yet.
The economics for the attackers are really in their favor. With the cost of computing power going down, these attackers are able to use automated tools in this complex environment in a very cost-efficient way, making it very profitable for the attacker. So there’s a huge incentive there.
TCB: In terms of the state sponsors, which countries are the most active in targeting American businesses?
DH: We take a global look at cyber-attacks. Based on the fact that people can mask IP addresses and attacks, we look at broader campaigns of activity against our customer base, rather than focus on any one particular actor. We have a threat intelligence team called Unit 42, and they look through our data and collaborate with others using one of our products called AutoFocus—it’s a threat research platform that they can use to tag back to campaigns.
We have two campaigns that just came out recently. One was Operation Lotus Blossom, which was based on a likely sophisticated nation-state actor targeting Southeast Asian militaries and governments. A little bit of the campaign around this tells you that if you are a company doing business with governments in Southeast Asia, you should be aware of and on the lookout for this threat. This means that you should check for these indicators and watch for these acts upon your network. That kind of intelligence is incredibly operational, and for us, and a lot of our customers, it is a lot more relevant than just saying, “Country X’s military or Country X’s intelligence service is going after you.” What can you really do with that data? What does that mean? You need that campaign context behind it.
We’ve realized that we have tremendous visibility across our own customer base, but this is a global issue. So we’ve partnered with three of our competitors to work on something called the Cyber Threat Alliance. It’s an information-sharing group that we’re testing out. We’ve also been speaking to the U.S. government as they’re developing their Information Sharing and Analysis Organization (ISAO) in an effort to share some of our best practices. But our whole effort is focused around sharing joint research between Symantec, Intel, Fortinet, and ourselves—all on cyber-threat campaigns.
We just did our first test run of this, where we released all campaign adversary information on a threat called CryptoWall 3. CryptoWall was the largest ransomware campaign out there, but we were able to identify—as four companies working together—over $315 million in stolen bitcoins, as well as the entire architecture for CryptoWall. We were able to come through, put the protections in place for our customers, and then release that information back online to the public to make it actionable. This is the type of activity that we want to do.
There are literally billions of different security artifacts that you can take action on or use to create prevention rules. If you’re looking at billions of artifacts, the other option is to look at campaigns. If you look at campaigns, there are maybe a couple thousand artifacts. And if it’s only in the range of a couple thousand, that’s something that we can track easily as a community, and we can all work together at stopping it.
TCB: How do you see the broader cyber-threat evolving, and what kind of advice would you give to companies who are trying to stay ahead of the threat?
DH: One of the main changes is in what the attacker sees as being valuable. Traditionally, companies only had to worry about theft of credit card information. It has evolved into intellectual property over the years, as well as what would be the old school Internet of Things – industrial control systems. Now, we are seeing attackers also shift to larger personal records, like healthcare data, and things online that could help with either targeted spear-phishing or, as in the case of U.S. government breaches, other potential counterintelligence concerns.
You really see that the data that you have to protect now isn’t just something where you can say, “Oh, we don’t carry that kind of data, so we don’t need to worry about it.” If your data is critical to a business, then it’s valuable to an attacker. Security is no longer something that only a few financial or government firms have to worry about. It’s something that everybody has to be thinking about. That’s trend one.
Trend two is that we have to use quick technologies that allow you to scale very quickly and cheaply. These new architectures that I talked about in the beginning expose a broader attack surface for an attacker to exploit. Companies have to look at their security solutions and wrap in these new technologies without locking them out or prohibiting their use. And we can’t put this back in the box, nor should we. We want to be able to embrace the Internet and all of the innovation that comes with it. You need your security solution to fit seamlessly into those new technologies.
TCB: Are there certain types of industries or sectors that bad actors are targeting more than others? Who is most vulnerable?
DH: Risk is a mix of threat, vulnerability, and consequence. You have threats where you see different shifts in attack trends or what attackers are interested in. The healthcare industry would say that it is starting to become aware of new threats. But rather than attackers shifting from one type of data or one type of sector to another, I think they are just adding to their list what they think is valuable. I don’t think that any spike in a trend in one area means that there is a decrease in another or lack of interest in another.
On the vulnerability side, one of the things that we and Homeland Security focus on is looking at industry to establish what is critical and what sectors are critical. There are definitely a lot of sectors, a lot of areas that are both critical and vulnerable. We look at and see the industrial control systems realm as something where just recently there has been a lot of work to shift from a safety and operations mindset to a security and trust mindset. This is something that we’re deeply involved in with our SCADA customers. We look at how we could help secure their control systems and environments by letting them know what type of applications should be running, and what type of users should have access to trusted areas that actually touch physical machines with devastating consequences if they were damaged or destroyed. Security is getting more complex in terms of both the architecture and the types of data that are being stolen.
TCB: What are the most important things that a company needs to do or think about once its systems have been breached? Are there some common mistakes that companies tend to make after they’ve been hacked?
DH: At Homeland Security, I had a chance to see a range of different folks responding after they had been hacked. The ones that were most successful were the ones that had a strong plan ahead of time. This may sound counterintuitive if you are looking at how to respond to a cyber-attack, but the best way to be secure is to focus on planning how to prevent it in the first place. There is a fatalistic approach that says, “We’re going to get hacked. There is nothing we can do, therefore there is nothing we should do.” That is unfortunately pretty prevalent in the security industry today. Even if advanced attackers or adversaries were to achieve success, we should all be focusing on making sure that that success is rare and non-repeatable. One of the things that we look at when we talk to our customers is helping them design their architecture with the idea of trying to prevent a successful attack against their most important data.
We’ve also established a system among our customers where, if one piece of the attack is successful along the line, either we know about it from sharing activities or we see it on a customer’s network – protection against it is automatically put in place for the rest of our customers so that it can’t be successful a second time. This type of mindset is focusing on prevention. It’s something that’s unique in the security industry today and something that we really need to shift our strategy towards before actually getting our hands around the cybersecurity problem. The traditional way of doing things – responding to whack-a-mole attacks and then trying to do manual response – has clearly shown that it is not just ineffective but also incredibly expensive in terms of productivity and cost.
TCB: What’s your take on the role of the board in the cybersecurity strategy piece and the decision making piece on how to respond and recover? What next steps should be taken?
DH: We just did a survey with Georgia Tech and the Financial Services Roundtable that found that since 2012, boardroom attention to cybersecurity issues has doubled, but companies are still primarily looking externally to get their hands around the cyber risk management issues. What this says to us is that there is a lot more understanding of why cybersecurity is important, especially after some of the breaches in the retail sector. It’s important not just to the cost for remediation, but also the damage to their brand that can linger long after. The whole retail sector now is working at making consumers safer, with the rollouts of new technology like chip and signature or biometric global payment. They are starting to really feel pain from past cybersecurity events, and they are beginning to move forward.
TCB: What are your thoughts on CISA legislation and the broader debate over information sharing and privacy?
DH: One of the things that we had really been working on in the government for a long time was how to get specific threat information quickly into the hands of the private sector so they could use that information to protect themselves. When you say, “what is critical?” that definition of what we need to protect is shifting and growing. When you look at where we can be most effective as the government and private sector together, it’s mostly in the hands of individual companies and the security companies that protect them. The government’s role in getting that information out is probably their most important effort in cybersecurity beyond securing their own systems.
One of the things that we have really focused on with the information-sharing bill is ensuring that there are strong privacy protections. This has been a priority for the administration as well. We wanted the bill to be focused on the sharing of technical indicators that are directly operational for stopping cyber-attacks. We’ve been engaged in sharing some of the lessons learned with the government and the people working on the bill. We’ve also been part of the new effort to stand up ISAOs. That’s an effort by the government to evolve the ISAC model into something that’s more flexible so different companies with different backgrounds can get together and build a framework for sharing information among themselves.