5 Questions with Levi Gundert, VP of Intelligence & Strategy, Recorded Future


Levi Gundert
VP of Intelligence & Strategy
Recorded Future


1) This month marks the 16th anniversary of the 9/11 terrorist attack. How did the events of that day influence your career to fight cybercrime?

Waking up in Manhattan on September 11th, 2001, forever altered my world. Evil became personal and tangible, no longer just some literary device. The horror inflicted on people and families I knew left me in a different place. I had previously never considered a career in law enforcement or intelligence, but 9/11 fundamentally changed what I hoped to achieve.

I eventually ended up working cybercrime cases as a Special Agent for the U.S. Secret Service in the Los Angeles Electronic Crimes Task Force (ECTF). While not focused on terrorism, the global evolutions in cybercrime were fascinating to follow.

2) Which type of hacker (nation-state, script kiddie, etc.) inflicts the most harm to enterprises today, and why?

The adversary with time and intent is the most harmful, regardless of ideology. The security industry reveres nation-state cyber campaigns because they tend to be better funded and resourced, making defensive detection more difficult, but all adversaries are capable of severe disruptions to the confidentiality, integrity, and/or availability of information. It's fun to discuss zero-day exploits and post-exploit persistence methodologies, but the real problems that continue to need attention are the basics, like vulnerability management.

3) Phishing continues to provide a main entry point into a network for today's attackers. How do you see that threat evolving over the next 3-5 years?

Phishing success relies on abuse opportunities in core internet mechanisms like the domain name system (DNS) and simple mail transfer protocol (SMTP). Protocols are more secure today due to the hard work of volunteers in organizations like the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), yet opportunities remain. The expansion of generic top-level domains (TLDs) continues: for example, you can now register domains that contain emojis, and this expansion helps facilitate social engineering. Unfortunately, phishing is going to be with us for the foreseeable future, because it works, and we can't change human behavior.
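The emoji and lookalike domains mentioned above are registered in their ASCII "xn--" (punycode) form, so a mail gateway or phishing-triage script only sees them as real text after decoding. The following is an added example, not code from the interview or from Recorded Future or Farsight Security: it decodes each label of a sender domain and reports labels containing emoji/symbol code points or mixing ASCII letters with non-ASCII ones, which is the shape a human reviewer would want surfaced. The sample domains are constructed for illustration and are built from their Unicode form so the punycode strings are not typed by hand.

```python
"""Flag internationalised (IDN / punycode) labels in sender domains.

Added example, not part of the interview. Decodes 'xn--' labels and reports
emoji/symbol characters and mixed-script labels so they can be reviewed.
Sample domains below are constructed; they are not observed infrastructure.
"""
import unicodedata


def encode_label(label: str) -> str:
    """Return the ASCII form of one label (adds the 'xn--' prefix if needed)."""
    if label.isascii():
        return label.lower()
    return "xn--" + label.encode("punycode").decode("ascii")


def decode_label(label: str) -> str:
    """Return the Unicode form of one label; non-IDN labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def label_findings(label: str) -> list:
    """Return the reasons a decoded label deserves a closer look (empty if none)."""
    decoded = decode_label(label)
    findings = []
    if decoded == label:
        return findings  # plain ASCII label, nothing to report
    categories = {unicodedata.category(ch) for ch in decoded}
    # 'So' (Symbol, other) covers emoji such as U+2764 and the U+1F300 block.
    if "So" in categories:
        findings.append("emoji/symbol")
    # ASCII letters next to non-ASCII letters is the classic homoglyph
    # lookalike shape (e.g. Latin 'a' beside Cyrillic 'a').
    has_ascii_alpha = any(ch.isascii() and ch.isalpha() for ch in decoded)
    has_other_alpha = any((not ch.isascii()) and ch.isalpha() for ch in decoded)
    if has_ascii_alpha and has_other_alpha:
        findings.append("mixed-script")
    if not findings:
        findings.append("idn")  # non-ASCII, but no specific red flag
    return findings


def assess_domain(domain: str) -> dict:
    """Decode every label of a domain and collect per-label findings."""
    report = {"domain": domain, "decoded": "", "findings": {}}
    decoded_labels = []
    for label in domain.split("."):
        decoded_labels.append(decode_label(label))
        found = label_findings(label)
        if found:
            report["findings"][label] = found
    report["decoded"] = ".".join(decoded_labels)
    return report


# Constructed sender domains: one plain, one with an emoji label ('i' + U+2764),
# one Latin/Cyrillic lookalike (U+0430 is Cyrillic 'a').
SAMPLE_DOMAINS = [
    "mail.example.com",
    encode_label("i\u2764") + ".example",
    encode_label("p\u0430ypal") + ".example",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = assess_domain(d)
        print(r["domain"], "->", r["decoded"], r["findings"])
```

The check is deliberately coarse: it does not decide that a domain is malicious, only that a human or a downstream rule should see the decoded form rather than the opaque "xn--" string.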

4) What are the essential tools for an in-house threat intelligence program?

Security data is essential for success. There are six broad security data buckets: open source (social media, paste sites, code repositories, etc.), passive collection (honey/dark nets), telemetry (network/host logs), active collection (internet scanning services like Shodan), malware metadata (the result of processing/detonating malicious code), and closed source/human relationships (criminal forums and direct actor engagement). Operational defenders need quality data, preferably from all six categories, to proactively hunt and reactively respond to security events more effectively. Passive DNS (pDNS), for example, is a type of telemetry, and pDNS historical records are particularly useful when investigating malicious infrastructure and adversary patterns.
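To make the pDNS point concrete, here is an added example (not code from the interview, Recorded Future or Farsight Security) of the pivot an analyst runs over historical passive DNS: start from one suspect name, find the IPs it resolved to and when, then find the other names that pointed at those IPs during the same window. The time-overlap filter is what keeps old shared-hosting tenants out of the picture. The record shape (rrname, rrtype, rdata, time_first, time_last, count) follows the usual pDNS convention; the records, names and addresses are constructed placeholders.

```python
"""Pivot over passive DNS (pDNS) history to map related infrastructure.

Added example, not part of the interview. Records are constructed; the
domains and IPs are documentation placeholders, not observed infrastructure.
"""
from datetime import datetime

# Constructed pDNS observations: which name resolved to which rdata, and when.
PDNS_RECORDS = [
    {"rrname": "login-portal.example", "rrtype": "A", "rdata": "198.51.100.7",
     "time_first": "2017-01-03", "time_last": "2017-02-20", "count": 340},
    {"rrname": "login-portal.example", "rrtype": "A", "rdata": "203.0.113.9",
     "time_first": "2017-02-21", "time_last": "2017-04-01", "count": 120},
    {"rrname": "update-cdn.example", "rrtype": "A", "rdata": "203.0.113.9",
     "time_first": "2017-02-25", "time_last": "2017-05-10", "count": 88},
    # Stale tenant of the same IP from long before the campaign window.
    {"rrname": "mail.example", "rrtype": "A", "rdata": "203.0.113.9",
     "time_first": "2015-06-01", "time_last": "2016-01-01", "count": 9000},
    {"rrname": "update-cdn.example", "rrtype": "NS", "rdata": "ns1.example",
     "time_first": "2017-02-24", "time_last": "2017-05-10", "count": 40},
]


def _day(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")


def ips_for_name(records, name):
    """Every IP a name resolved to, with its (first, last) observation window.

    Read in order, this is the name's hosting timeline, which is where
    infrastructure rotation patterns show up."""
    return [(r["rdata"], r["time_first"], r["time_last"])
            for r in records if r["rrname"] == name and r["rrtype"] == "A"]


def names_for_ip(records, ip, overlapping=None):
    """Names that pointed at ip. If overlapping=(first, last) is given, keep
    only records whose window overlaps that interval, dropping stale tenants."""
    names = set()
    for r in records:
        if r["rrtype"] != "A" or r["rdata"] != ip:
            continue
        if overlapping:
            lo, hi = overlapping
            if _day(r["time_last"]) < _day(lo) or _day(r["time_first"]) > _day(hi):
                continue
        names.add(r["rrname"])
    return sorted(names)


def pivot(records, seed, max_depth=2):
    """Breadth-first name -> IP -> name expansion from a seed domain.

    Returns the set of related names and the (name, ip, other_name) edges
    that connect them; only time-overlapping co-resolutions are followed."""
    seen = {seed}
    frontier = [seed]
    edges = []
    for _ in range(max_depth):
        next_frontier = []
        for name in frontier:
            for ip, first, last in ips_for_name(records, name):
                for other in names_for_ip(records, ip, (first, last)):
                    if other == name:
                        continue
                    edges.append((name, ip, other))
                    if other not in seen:
                        seen.add(other)
                        next_frontier.append(other)
        frontier = next_frontier
    return sorted(seen), edges


if __name__ == "__main__":
    names, edges = pivot(PDNS_RECORDS, "login-portal.example")
    print("related names:", names)
    for name, ip, other in edges:
        print(f"  {name} -> {ip} -> {other}")
```

Without the overlap filter the 203.0.113.9 pivot also returns mail.example, which shared that address a year earlier; with it, only update-cdn.example, which overlapped the seed's own window, is linked. In practice the same loop runs against a pDNS API instead of the inline list, and the overlap window is the main knob an analyst tunes.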

5) You have successfully headed threat intelligence teams at Cisco, Team Cymru and now Recorded Future. Name top 3 lessons learned in tracking and responding to cyberattacks.

  1. Creating and perpetuating an atmosphere of trust and respect is paramount to any successful long-term effort. Teams of people who are creative, curious, and persistent build sustained momentum to achieve larger goals. In my career, I have been fortunate to work with enormously talented people, who also agreed with the Timothy Geithner philosophy: "no jerks, no peacocks, no whiners".

  2. Everyone makes a mistake eventually. Even the most sophisticated actors with airtight operational security (OPSEC) are not immune to a mistake. Thoroughness in picking up the proverbial bread crumbs almost always leads to improved insight about an attack and/or the adversary behind the attack.

  3. Identifying actors and their respective tactics, techniques, and procedures (TTPs) before feeling their impact is a superior strategy to watching and waiting.

Stay in touch: subscribe to the Farsight Security Newsletter.