VP of Intelligence & Strategy
1) This month marks the 16th anniversary of the 9/11 terrorist attack. How did the events of that day influence your career to fight cybercrime?
Waking up in Manhattan on September 11th, 2001 forever altered my world. Evil became personal and tangible, no longer just some literary device. The horror inflicted on people and families I knew left me in a different place. I previously had never considered a career in law enforcement or intelligence, but 9/11 fundamentally changed what I hoped to achieve.
I eventually ended up working cybercrime cases as a Special Agent for the U.S. Secret Service in the Los Angeles Electronic Crimes Task Force (ECTF). While not focused on terrorism, the global evolutions in cybercrime were fascinating to follow.
2) Which type of hacker (nation-state, script kiddie, etc.) inflicts the most harm to enterprises today -- and why?
The adversary with time and intent is the most harmful, regardless of ideology. The security industry reveres nation-state cyber campaigns because they tend to be better funded and resourced, making defensive detection more difficult, but all adversaries are capable of severe disruptions to the confidentiality, integrity, and/or availability of information. It's fun to discuss zero-day exploits and post-exploit persistence methodologies, but the real problems that continue to need attention are the basics, like vulnerability management.
3) Phishing continues to provide a main entry point into a network for today's attackers. How do you see that threat evolving over the next 3-5 years?
Phishing success relies on abuse opportunities in core internet mechanisms like the domain name system (DNS) and simple mail transfer protocol (SMTP). Protocols are more secure today due to the hard work of volunteers in organizations like the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), yet opportunities remain. The expansion of generic top-level domains (TLDs) continues: for example, you can now register domains that contain emojis, and this expansion helps facilitate social engineering. Unfortunately, phishing is going to be with us for the foreseeable future, because it works, and we can't change human behavior.
4) What are the essential tools for an in-house threat intelligence program?
Security data is essential for success. There are six broad security data buckets: open source (social media, paste sites, code repositories, etc.), passive collection (honey/dark nets), telemetry (network/host logs), active collection (internet scanning services like Shodan), malware metadata (the result of processing/detonating malicious code), and closed source/human relationships (criminal forums and direct actor engagement). Operational defenders need quality data, preferably from all six categories, to proactively hunt and reactively respond to security events more effectively. Passive DNS (pDNS), for example, is a type of telemetry, and pDNS historical records are particularly useful when investigating malicious infrastructure and adversary patterns.
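As an added example (not part of the interview), this is the kind of pDNS pivot the answer alludes to: given a suspect domain, reconstruct its resolution history and find other domains that shared each IP during the same time window, while discounting crowded IPs that look like shared hosting. The records, domain names and IPs are constructed for illustration; the record shape (name, type, rdata, first_seen, last_seen) is a common pDNS layout, not any specific vendor's.

```python
from collections import defaultdict
from datetime import date

# Constructed pDNS records for illustration: (rrname, rrtype, rdata, first_seen, last_seen).
PDNS = [
    ("login-update.example", "A", "198.51.100.7", date(2017, 3, 1), date(2017, 4, 10)),
    ("login-update.example", "A", "203.0.113.9", date(2017, 4, 11), date(2017, 6, 30)),
    ("secure-mail.example", "A", "203.0.113.9", date(2017, 4, 20), date(2017, 5, 5)),
    ("benign-shop.example", "A", "203.0.113.9", date(2015, 1, 1), date(2015, 2, 1)),
    ("cdn.example", "A", "198.51.100.7", date(2016, 1, 1), date(2017, 12, 31)),
]


def resolution_history(records, name):
    """Chronological list of (first_seen, last_seen, ip) for a domain's A records."""
    rows = [(fs, ls, ip) for n, t, ip, fs, ls in records if n == name and t == "A"]
    return sorted(rows)


def overlaps(a_first, a_last, b_first, b_last):
    """True when two [first_seen, last_seen] windows intersect (inclusive)."""
    return a_first <= b_last and b_first <= a_last


def tenant_count(records, ip):
    """Number of distinct domains ever observed on an IP; large values suggest shared hosting."""
    return len({n for n, t, rdata, _, _ in records if t == "A" and rdata == ip})


def cohosted_during(records, name, max_tenants=10):
    """Domains that resolved to the same IP as `name` while `name` pointed there.

    IPs hosting more than `max_tenants` distinct domains are skipped, since co-residence
    on shared hosting is weak evidence of a common operator.
    """
    my_windows = [(ip, fs, ls) for n, t, ip, fs, ls in records if n == name and t == "A"]
    related = defaultdict(set)
    for other, t, ip, fs, ls in records:
        if other == name or t != "A":
            continue
        for my_ip, my_fs, my_ls in my_windows:
            if ip != my_ip or tenant_count(records, ip) > max_tenants:
                continue
            if overlaps(my_fs, my_ls, fs, ls):  # only count overlap in time, not any-time reuse
                related[ip].add(other)
    return {ip: sorted(domains) for ip, domains in related.items()}
```

Time-bounded overlap is the point: benign-shop.example used the same IP two years earlier and is correctly left out of the pivot.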
5) You have successfully headed threat intelligence teams at Cisco, Team Cymru and now Recorded Future. Name top 3 lessons learned in tracking and responding to cyberattacks.