By: Andrew Eversden
Fifth Domain posed this question to cybersecurity experts at Black Hat, a cybersecurity conference in Las Vegas, Nevada, that ran from Aug. 3-8. With the cyber domain rapidly evolving, we wanted to know how conversations within the cyber community are changing.
Some pointed to a new focus on utility systems and web-connected devices that sit on critical infrastructure.
“It’s only a matter of time until there’s another major disruption in an electric utility somewhere in the world, probably not in the U.S., but elsewhere,” Sergio Caltagirone, threat intelligence director at Dragos, said at the conference Aug. 5. “But oil and gas has the higher likelihood of a major destructive and loss-of-life event. And I think most people did not realize how close to that we actually were.”
Caltagirone was referring to the TRISIS event, malware that struck industrial control systems at a Saudi Arabian petrochemical plant and could’ve caused physical harm. He said that in the aftermath of that attack, threat researchers diving into the details realized just how bad it could’ve been.
“We started finding a lot of stuff which hadn’t been found before,” Caltagirone said. “Which made us realize very quickly how close that space is to a major event.”
Dave Weinstein, chief security officer at Claroty, pointed to an “explosion” of devices connected to the internet of things..
“It’s really a product of this general consensus among industrial organizations that the benefits exceed the costs in terms of embracing this type of digital transformation," Weinstein said Aug. 8, adding that organizations must be “mindful” of these devices and have a plan to mitigate their potential vulnerabilities.
Brian Costello, a senior vice president at Flashpoint, told Fifth Domain on Aug. 8 that he is more often than before focusing on targeted cyberattacks from bad actors. That’s a shift away from “campaign-based” attacks that tracked.
There’s “more planning out, more scoping out of targets and taking long-term planning to go after [a] particular target with a specific asset in mind,” Costello said.
Along that same vein, Julian Zottl, a senior cyber architect at Raytheon, said he’s noticing more inclusion of all-source intelligence in threat analysis.
“We’re looking at … all the sources and trying to figure out indicators,” Zottl said Aug. 7. “[We’re] even trying to do predictive analytics now, where it’s like, ‘Oh, we see this threat might be coming.’ I think that’s something that we’re starting to talk about more and more.”
Several cybersecurity professionals interviewed by Fifth Domain said the U.S. government is moving away from the classic cyber kill chain and over to the MITRE ATT&CK framework, which dives deeper into potential threats to information security.
“They used to think the hackers would just come in to steal secrets, conduct espionage and then leave,” said Tom Kellermann, chief cybersecurity officer at Carbon Black and a former commissioner on the Commission on Cyber Security for then-President Barack Obama.
“In fact, they’re maintaining persistence in these systems. They’re manipulating the integrity of data and then they’re using federal government agencies themselves and personnel’s devices themselves to target anyone who implicitly trusts that person, that agency, that department.” he told Fifth Domain on Aug. 6.
Chris Kennedy, chief information security officer at AttackIQ and a former official with the Treasury Department and the Marine Corps, said these new frameworks in use along with federal continuous monitoring programs allow for more attacker emulation, essentially simulating the attack agencies could face.
“Agencies are starting to realize the value of attacker emulation as a way to measure and benchmark the effectiveness of their security controls,” Kennedy said on Aug. 7.
And with government agencies in different stages of cloud migration, agencies will need to learn how that fits into their cybersecurity posture. Marten Mickos, CEO of white hat hacking company HackerOne, said this a new discussion. He also said the conversation surrounding the use of ethical hackers in government environments has evolved: The word “hacker” is becoming more accepted.
“I do think it signals a shift in mindset," Michos said. There’s a realization that "those people who portray themselves as hackers are actually those who will rescue us, not those who will destroy us.”
Despite all the changing technology and evolving threats, one aspect of cybersecurity remains set in stone, said M. K. Palmore, a field chief security officer for the Americas at Palo Alto Networks and a recently retired FBI cyber agent.
“It’s about adhering to cybersecurity fundamentals,” Palmore said. “That message hasn’t changed regardless of my position or where I’m located.”