A (3:10)

First of all, it's a busy week, right? A lot of hot topics going on here at rsa. And China as a nation state threat actor is certainly one of those that I think is at the top of everyone's list. So we had the opportunity to cover various typhoon actors, what were seeing, and then really the broader spectrum of Chinese nation state cyber threat activity. So I think it's fair to say so I have been conducting investigations in this space specifically towards nation state actors for almost 25 years. It's been a minute, it's a while. And we have never seen before during that timeframe this scale of persistent threat activity that we're seeing today from Chinese nation state threat actors. So hands down, you know, bar none, that is the reality today. And I think that what makes it a little different than what we've seen before is their ability to operate and collect information and data at scale, whether it's from critical infrastructure entities, whether it's for corporate espionage purposes, whether it's simply data collections to be used for a later time. And so that's concerning and that's certainly at the top of everyone's mind. Some examples of that are like we see CVEs being exploited at scale to a degree that we have not seen before. We're looking at within hours, in some cases minutes, en masse vulnerabilities being identified and then systems being systems and applications and services being identified for future exploitation. So that's a concern whether you're a critical infrastructure operator or you're running a technology organization, that those continue to be extremely pervasive. I think another example of the scale we're seeing when you look at government espionage within the United States. We talk a lot about threats to the United States, but the reality is if you're an ally of the Chinese government, you are just as likely to be impacted by espionage as people who are not on the top of that ally list. So last year we released research about 23 different government organizations in Cambodia being compromised at nearly the same time. So we're looking at whole of government scale scale operations. And then specifically related to China and Taiwan. Right. We're seeing any business entities, government organizations that are operating within the South China Sea, Europe in particular has 40% of its trade moving through the South China Sea. So at any time that's a concern in terms of just the discussions that are at the forefront of everyone's mind related to trade negotiations and international trade policy. And how are countries going to be reacting to that, what all of it's super intertwined. So that's definitely at the top of the list in terms of concerns.

B (6:03)

Wendy, that sounds incredibly concerning. What are some of the implications of the outdated OT systems, those with remote access? How are those systems playing into some of the cases that you're looking into?

A (6:18)

Well, I think the biggest concern there is that in many cases, industrial control systems and OT environments were not designed with security in mind. They were designed with uptime and availability as their primary goal. And so that means security is oftentimes bolted on after the fact. So now you have legacy systems, which in many cases are end of life. They're not able to be patched, and they're critical to making sure manufacturing environments are running correctly as well as other types of environments that are leveraging that technology. So we see this not only in ICS environments, but we see it even in corporate IT environments where attackers are specifically going to devices at the edge that have the same types of endpoint protection in place in order to compromise those and leverage them as the way into the environment. So that continues to be really a major concern and an area that will likely continue to be for some time moving forward. You know, we talked about this on the panel I was on about the idea of rethinking air gapping and whether that's really an effective security strategy. Because unfortunately, we all know that people are at the heart of getting security done. And what you have is administrators who have already a tough job to do. They're pulled in a million different directions. And so what happens, they tend to reuse passwords both within the corporate IT environment as well as within the industrial control systems environment. And those oftentimes are a big target from these attackers. I think, though, that one of the bigger issues is just a need for a cultural mindset shift. So we're working with an organization that we're responding to a breach act, and IT has a number of OT environments as well as their corporate IT environment. And in the wake of the breach, those executives and the security teams realized, wow, okay, we really need to rethink the entire way that we approach security. The way we've been doing it isn't going to be effective moving forward in terms of being able to have insight and visibility at the edge within the OT environment. They realize the criticality of it, but unfortunately for them, they realize that after the fact and after a breach. We want more organizations to be thinking of this proactively and be looking at how they can implement really zero trust principles within those OT environments.

B (8:36)

Yeah, you reminded me of sitting across from my doctor a couple years ago and he was telling me it's time for some blood pressure medicine. And it was after the fact that I got the message and it would have been better had I started running, maybe cut down on the salt and the caffeine. I don't know when some of these lessons learned are going to show up for organizations that are moving fast and realizing that maybe uptime and security can be equal partners in what they're looking to achieve in the way that they're measuring things. Or we're going to have this massive scale of attacks that you're talking about with the Volts and maybe others.

A (9:16)

Well, I think there is like if there's a shred of good news, I think the reality is that AI is actually going to make changes in that because what you're doing talking about is just this bigger picture. Like software is oftentimes built and hardware systems are built and then security is tested for after the code is developed. And so now what you're seeing is AI has the ability to inject into that software development lifecycle and that entire process to where we can identify potential vulnerabilities in the code much earlier than we used to. We can identify where there's hard coded passwords, where there's potential CVEs that can be exploited. And that's all part of this continuous development lifecycle that's fixed prior to being shipped. So that is going to make some impact.

B (9:59)

Well, and that's really exciting because the cost of fixing it before it's deployed and as you said, you can't update it, it's end of life that changes the game significantly. Maybe there's some other wins that we can talk about and I'd want to focus on defenders, where they're finding some success. Can you talk about what's working? Well, maybe with threat detection and intel sharing?

A (10:23)

I do think intel sharing is happening more effectively than ever before and I'll provide two cases for that. Two use cases. So one in the panel I was on yesterday, we talked specifically about the intelligence sharing that goes on between the threat detection teams at Microsoft and our intelligence teams within unit 42 and larger Palo Alto networks. That's an ongoing dialogue. People are in Slack channels together, they're on the phone together on a daily basis sharing information in real time. So I think for threat intelligence sharing to be effective though is it needs to be contextualized and actionable and it can't be slow and gated and working through bureaucratic means in order to get the information shared. So the reality there is there is still a lot of person to person and organization to organization sharing that's going on. But I think that's actually happening at a much more effective level than previously.

B (11:20)

What's allowing it to be getting better? Like what are the cultural things? What are the shifts, the policy changes?

A (11:26)

Yeah, I think culturally my perspective is that the Russia Ukraine invasion really was a catalyst for a lot of that. And that's not to say that there wasn't green information sharing going on before, because there was. But when it actually came time to say, wow, okay, we need, there are people's lives we need to protect here, I think a lot of those barriers broke down between competitors in particular. So when you look at the intelligence dialogue that's going on between all of these organizations that traditionally compete to sell products, to sell services, I think that barrier has really decreased.

B (12:19)

So, Wendy, what's next? How can organizations better prepare through scenario planning?

A (12:26)

I think scenario planning and live action kind of testing and exercises is one of by far the best opportunities organizations have to prepare. But in order to do that successfully, there are some key pieces. One, it cannot be just security professionals who are involved in that. It really needs to be from the boardroom to the security operations center, and then better yet, extending to partners, vendors, external counsel, law enforcement, and even better yet, bring the regulators into this dialogue. All of those organizations, if working together, are really there to help protect organizations against these threats, to make sure that they are resilient when there is a breach. And so the most prepared organizations we see are having that level of dialogue and preparedness and making sure that those relationships are in place in advance of an attack and that they're not only looking at like what happens if our organization goes down, but they're looking at what if one of my most critical supply chain providers goes down. What do we do then? How do we communicate with them during this event? What kind of new infrastructure are we going to be setting up? And that's everything from the hardware that may be required to run the network to how are we going to like what email devices, for example, what email accounts are we going to communicate from? Right. All of those are things that should be included in that pre planning. Another example, though, kind of related to your last question with private and public partnerships, an example of a tabletop exercise that we at Unit 42 recently participated in Microsoft. It included many other organizations within jcdc and it was actually related to an AI attack. And so those are the type of really comprehensive planning Scenarios that we all want to be involved in and we encourage our clients to participate in. Because if one of your cloud providers, for example, goes down, that becomes now a critical infrastructure provider. We all need to be prepared to figure out how we're going to work through those scenarios.

B (14:38)

Wendy, when you're talking about that, I'm going back to a comment you made. In 25 years of watching APTS out of China, you've never seen the scale, the speed, you've never seen that type of volume of attack. Is it a new type of training that's required because of AI, because of the strategic level that these attacks are? These attacks that you're seeing? That's the new normal, that's the new baseline of what organizations should be thinking about and doing.

A (15:13)

Absolutely, I agree with that. I think that you're looking at a level of breadth across an organization and their entire ecosystem of providers and experts that they work with on a daily basis to come together to really ensure that the entire ecosystem is resilient. We, I think a great example of this is the work we did with the Olympics last year. So the Paris Olympics in the summer, we worked with critical infrastructure providers who are providing power to the Games. Transportation, rail lines, airways, buses, infrastructure providers like the actual physical security at these events, and then all of the financial processing systems. So not, not necessarily the Olympic Committee itself, which might be forefront on top of everyone's mind, but I think that shows just all of the providers that have to come together to make some sort of big event possible. What we did was in advance of the Olympics, we went through all kinds of scenario planning that involved everything from a train going down to the inability to process ticketing systems into a venue where there might be 50,000 people coming in, all of that to figure out, okay, how are we going to adapt quickly? How are we going to stand up new network infrastructure at a moment's notice to make sure that these events run securely? And that's the type of planning that we need organizations to be doing about running their business and having the level of resiliency needed for a cyber attack.

B (16:45)

Yeah, we often talk about the weakest link is the problem. And when you're talking about integrated systems and businesses, any of those could have a weakest link inside of them and it takes down the entire thing. I think about the idea of the Olympics and losing transportation or payment, and that's the game. Right? You're immediately in trouble. So let's look into the future a little bit and predict what are some of the blind spots that concern you?

A (17:17)

I think right now the speed with which AI is being implemented and the level of vulnerabilities that that presents to organizations as they need to build AI within their applications. They need to adapt and adopt technologies that are leveraging AI. It's just creating a lot of potential for new areas of weakness that we haven't yet identified. Just this week, the FBI released information that suggests that the Chinese government is testing AI as part of the entire attack life cycle. And that's something we suspect not only nation states are going to be doing, but certainly cybercriminals as well.

B (17:57)

What's the top step organizations should take right now?

A (18:03)

So we often say, David, that organizations should be fighting AI with AI, but that term can be misinterpreted or it can be kind of ambiguous. And so what do I mean by that? I mean organizations need to be looking at on the defensive side, how they implement AI into their workflows to give them increased visibility and increased speed to detect threats. There is no way that we are going to defeat these adversaries if we are working at manual speed and not taking as many of the manual tasks away from the humans, letting machines do those and letting humans do what we do best, which is really then work on solving the most challenging problems that exist within the space with the aid of technology. That's solving some of the larger more processes that we can automate.

B (18:54)

What is the one thing a listener should take away from today's conversation?

A (18:59)

Cybersecurity has never been more important than it is today. So the more that organizations can take that threat seriously, know that other nation state adversaries throughout the world are leveraging cybersecurity to attack us, to attack our allies and the investments that need to be made in making sure that their organization is in a consistent shields up posture at all times.

B (19:30)

Wendy, thanks for a great conversation today. I really appreciate you spending the time sharing the insights, talking about public, private, talking about some of the things that you're seeing that are going on with nation state cyber threats. We'll look forward to having you back on threatvector as soon as you're ready.

A (19:46)

Awesome. Thank you, David.

B (19:48)

That's it for today. If you've liked what you heard, please subscribe, wherever you listen and leave us your review on Apple Podcasts or Spotify. Those reviews really do help me understand what you want to hear about. If you want to reach out to me directly about the show, email me at threatvectorpaloaltonetworks.com I want to thank our executive producer Michael Heller, our content and production team. Teams which include Kenny Miller, Joe Bacourt and Virginia Tran. Elliot Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.