39 Seconds to Breach

A

You're listening to the Cyberwire Network, powered by N2K. The biggest thing today is building networks and organizations for resilience. So not preventing every single attack, but being able to survive through the breach when they occur and keep your systems operational.

B

I'm David Moulton and this is Threat Vector. And I'm back with Wendy Whitmore, our chief Security Information officer, for another conversation. Wendy, welcome back to Threat Vector. Appreciate you making some time to come in today. I know you've been very busy, exciting

A

to be on again. It's been a while.

B

Yeah. I wanted to talk to you about something that is maybe a different angle on AI than all the other conversations that are out there, but you'll have to tell me. AI and automation together, that's what I want to get into. Sound good?

A

Let's do it.

B

So I know you've been in the industry for quite a while, special agent in the Air Force doing cybercrime, cyber intelligence. And folks, I can't tell you some of the stories that Wendy has given me little bits on, but they do keep me up. How did that foundational experience inform how you think about cyber security problems?

A

You know, I think anytime that you enter into solving a problem or a challenge with an investigative mindset, you're thinking about it like putting a puzzle piece together or using puzzle pieces to construct the entire puzzle. And I think that mindset and that curiosity is the foundation of what we are doing today. When we look at solving much larger breaches at scale, when we look at putting together patterns across clients and data sets and really getting that big picture idea of what's going on so that we can then stop as many attacks as possible.

B

You said something interesting, and I've heard that quite a bit this week, is this idea of curiosity and how important it is to this role. What makes the job one that requires curious people? What is it that allows a curious person to be successful in this role?

A

You know, that brings me back to when I was first, I was still in college and I had decided that I wanted to be a special agent in the Air Force. And the cool, sexy job to do at that point was to solve regular crimes, right? So drug offenses, murders, although thankfully there's not very many of those in the military. But that type of crime, that was seen as kind of the cool thing. But when I interviewed with the, at the time was the computer crime investigator's office, and I was getting a computer science degree, so I was already interested in that. And I talked to them and said, you know, hey, These crime guys are really trying to, you know, bring me over there, but I'm very interested in the cyber side of it. What's your perspective? And I will never forget what the person who ended up being my first boss told me. And he said, you know, the thing that I like about our job is that every day I work with criminals who are smarter than me. I am solving problems that I need to figure out how these very intelligent people conducted this crime, what their objectives were, what they're going to do after the crime in terms of stealing this data and what comes next. And he's like, you know, I would really much rather work with people that I feel like I can be learning something new every day versus maybe people that are making bad decisions more generally and committing other types of nefarious crimes. And so I think to me that kind of summarizes what is so exciting about the work that we do. Right. You get to constantly solve new problems. And so if you're a person that maybe gets bored easily, probably, I'm sure no shortage of us have ADD or ADHD or whatever. Right. We're distracted. It gives you that opportunity to constantly be learning new things. And that's super exciting to me.

B

And when you get into a case and maybe there's one that comes to mind, is there a moment where you find yourself getting into like a flow state where you're, you're digging in and you know, time and going and grabbing food or doing some of these other things that you would, you would need that it sort of melts away and you just like, you, you can't stop going.

A

Definitely. And I actually think if we then apply that to the usage of AI, I'm sure also there's no shortage of us who find that when we're testing new AI tools, when we're solving a problem with AI, that's a whole new area now where you can kind of get into and just be like iterating back and forth with this, what sounds like and feels like a close confidant to be able to solve this really challenging problem. And now obviously with a lot of the, you know, newer versions of the LLMs, they're continuously prompting that in terms of, hey, would you also like me to show you, you know, this new thing that you haven't thought of yet or this new angle to the problem. And so I think that that actually is going to be helpful for an investigators mindset moving forward.

B

Yeah. So let's see, you've led teams at Crowdstrike Mandiant, you And I met at xforce over at IBM and then led teams here at unit 42. How do the organizations and their different cultures, different scale, maybe the way that they operate affect what you're doing and or are there through lines that you see across those organizations because they tend to attract maybe that curious person or those folks that are always looking to learn the new.

A

That's a great question. I think each of those organizations is different culturally. And every organization you ever work at has pros and cons in terms of areas where you'd like to replicate more of or maybe areas where you're like, oh man, we're not doing this quite firing on all cylinders. And so you're constantly trying to then adapt a bit of the ways you solve problems to those unique organizational cultures. What I think when you ask about the through line though, to me, what's the fundamental challenge that needs to be figured out in every one of those organizations is how to align the right people with the mission. Even if there are some cultural dynamics, that shift in there. What I'm always trying to do is figure out what problems do I need to solve here at the highest level in terms of organizationally. I'm going to align the mission challenge we have with what skills I need the leadership team to have. And from there then figure out how can I build the best team of people who is going to be equipped to solve this problem most effectively. And that means you have to understand what motivates people on the team. The more to me, the more that you can align a person or a leader with tasks that they love to solve with a mission challenge that we need to solve this as an organization one, the better that individual leader is going to feel because they're going to feel like they are having major amounts of impact. They're going to feel good about the work they're doing. And a byproduct for the organization is they're probably going to work harder because they're really enjoying it. And so one of the greatest kind of joys I found is putting people together that maybe didn't necessarily think that they would get along or maybe even didn't want to work with the other people at the beginning. And knowing that, hey, okay, I've seen enough now in terms of leadership that I think these skill sets are going to work out or these people are going to really complement one another and that's what we need to build as a team. And over time, having someone who's come on board where other people have said, I don't think I'd hire that person. And then you look three, four, six months later, and those people are incredibly close allies, and they're saying, hey, we're so glad that you brought this person on board. They are so fantastic. And we didn't really see that at first. So I think that that mindset of aligning, you know, what is motivating to individuals with the objectives we need to solve as an organization, that's, to me, always the top level. Figuring out what problems do I need to solve, how can I best do it, what skills is that going to take? And then no matter what that organizational culture is, we can figure a path to achieve success.

B

Yeah, I've seen you do that here at unit 42, watched you do it at IBM. Where did you learn that skill? Where does that come from in your background to be that not quite matchmaker, but the person that can put a team together, that doesn't have the bias of everyone matches, it's the diverse group of complementary skills.

A

Well, thank you for that. But I think you need people that think differently. That's so important in all of the work we do. And I probably learned that in the intelligence analysis training within the Air Force, understanding that, hey, I got people with different skill sets. When I joined and entered the military, it was a heart of six months after 9, 11, we were straight into the war on terrorism. And it required people with all kinds of different skill sets and backgrounds, language skill sets, regional backgrounds, understanding of different ways to commit crime, to be able to solve all those cases. So I think that was incredibly helpful. But I also think I grew up. My parents were both teachers and my dad was a coach. And so I grew up on baseball fields, being around 20 older brothers at all times, type of an environment. And my dad was very good at identifying people's skills and then modifying what they were doing to fit the team's needs. So one example is I was a softball player, and I was a softball pitcher and in. In high school and then in college. But in high school, we had moved to a new location. I had to go to a new high school, meet all these new people. Yeah, it, you know, all the things that come along with that. Great. Pretty challenging. And we. Sorry, was new to the team, but I was going in and my dad had kind of already reached out to the coach of this new team at the high school, said, hey, you know, we moved into town. This is what we're doing. And he came to practice as an old baseball coach. So we started, by that time kind of Being interested in what I was doing and came to one of the first practices we had and there was a girl on the team named Jenny. She was playing first base. And he was looking and, you know, he had told me already, like after the first practice, like, hey, you know, we're not going to be good if you don't have a great catcher. Like, this team is going to go nowhere if you don't have someone who can catch. I'm going to need to find, you know, figure out who this catcher is. Saw the first baseman, saw that she was exceptionally fast, had the best arm on the team by far and could, was very coachable. And so approached her and said, hey, you know, Jenny, how do you feel about playing? You know, I see her playing first base. She's like, oh, yeah, I've always played first base. How do you feel about being a catcher? She's like, nope, I play first base.

B

Yeah.

A

And he's like, yeah, but, you know, catcher gets to do all these things, right? They're kind of the boss behind the scenes or doing this, or they're really the one that's telling the pitcher what to do at all times. Yeah, the pitchers like to think that they're in charge.

B

They're not.

A

And she's like, I don't know about that. And he's like, you know, you got a great arm. We could really use you in that position. And she's like, well, I don't know how to do that position that. You know what, Jenny? I was a catcher. I played in college. I played in the minor leagues. I can teach you how to catch. It's really easy. You're just going to have to boss the pitcher around. But knowing that was, you know, me. So he convinced someone who was very much set in their ways as we way outside of their comfort zone that, hey, you have the skills that we, the team needs for this role. And I think that was really pretty pivotal for me because I saw, oh, man, you know, I'm the new girl in school. I'm not trying to ruffle any feathers. These people already have their established positions on and on. She was thankfully willing to give it a try. So, yeah, Jenny. And by the end of two years later, as we were graduating, we were both the league mvp. We were on the all state team. She got a scholarship to college to be a catcher, went on to play all throughout college. So I think that moment was pretty transformative for me of like, okay, he was just going in and identifying what people did really well that was needed for the team and then molding them into something that was better than they even dreamed that they could do. And to me, that was really fundamental in when I went into the Air Force, was just figuring out, okay, what are all the things that we need to do in terms of what are the tasks that we have as a team and the problems that we got to solve, and who's going to be best positioned in each of these positions to do that?

B

Right.

A

And so it's really just putting people in the right position.

B

So you go and look for your catcher, they just don't know they're your catcher yet. And you put them behind home plate and you're right, you've got to have a monster of an arm to bank that throw to second. Right. Throw somebody out. What have you found in some of the best cybersecurity practitioners? That's that common thing. But maybe it doesn't show up on a resume.

A

I'm going to give you a couple different answers because I think it actually depends on the task that they're doing. So let's say, for example, when you come to incident response, so solving a data breach, to me, the hardest role on the team is that engagement manager who has to have the skill set of not only having the right level of technical depth so that they can challenge the team with the analysis that's being presented. And they need to understand enough about the network traffic analysis, enough about the host space analysis. Now they have to understand some about the cloud and the browser and all the data sets and telemetry that's feeding into the investigation. But they need to then be able to synthesize it in a way that they can talk to leadership at the client, and in particular that leadership client who is under fire, under the gun, trying to solve problems as quickly as possible with all kinds of influences and pressure coming at them. That's a really challenging role. You're having to do multiple translations and gear switching essentially in your brain multiple times throughout a single conversation. And so I think the ability to understand that role as a translator is one of the more important tasks that we have. You can really only master that if you will, after you've got proficiency in one or more of the other areas. So that's going to take someone a little bit of time, but it also then, I think, requires the ability to observe people, listen more than you speak, and really listen to understand versus listening to respond. And I think those are areas that are very hard to figure out on a resume.

B

Yeah, as you were talking about, that does AI help accelerate somebody into that kind of role, to synthesize data to bring in a understanding of the emotional state, the hot moment that you're in. Or do you think that we're not quite there where that AI is a good assistant for that kind of a role?

A

I think AI can be a great assistant at the communications piece. So again, the outputs you're going to receive are only as good as the inputs that are crafted for it. Right. But presumably if you're configuring prompts or creating your own, you know, GPT, LLM, gem, whatever your, you know, your choice is. Yeah. I do think that you could train it to explain the situation and whether you're applying that to a singular case or, you know, a set of case data over time to explain the dynamics that are going on and then be able to feed in, you know, let's say a status report and then craft out some outputs that no doubt would actually create the written outputs, but certainly from a verbal script perspective that would help you communicate more clearly. Now, I think if all a person's doing is, you know, programming it in and getting an output and then repeating that output, they may not be learning the actual nuance. And that's what's going to make you better and more effective time and again, where you continue to learn. Okay, said it this way this time, but that wasn't really quite received like how I might have intended it. Right. So I'm going to modify that for the next time. So can a help? Yes, no doubt about it. But can it needs to be done. I think very pragmatically.

B

You're making me think of my son. The last couple years, he's really come into his own on his sense of humor. I used to think I was the funniest guy in the family. I'm pretty sure I'm not. But a couple years ago he would land a joke and he didn't land it right. It wasn't funny. You could see the structure of where he was going, but it missed. And he had to have a number of bombing, if you will, on stage, just within the house of telling the joke until he finally got the timing and this tone and this person at this moment, but maybe that person at a different moment. Not funny, but he's nailed it. And so I think there's a moment where he could look up jokes and understand what they are. And then if he tries to say it doesn't work, practice kills. And I think what you're talking about is like, you can't let the robot turn your brain to mush. Right? You got to be able to do some of the thinking. But maybe it is a great assistant to say, like, here's how you might frame it, or here's some of the other contexts that this group is going to be stressed out about or concerned about that didn't come in from the diagnostic or the investigation or the technical side, but is truly important. Even understanding who's in the room, who's not in the room with an audience is always. I think it's interesting to think about that because it influences things. Let's see, Wendy, about a year ago, you took over a new role, Chief Security Intelligence Officer for Palo Alto Networks. What does that role and the shift that you have mean for you personally and the intelligence that you're used to getting access to for the organization? Just talk to me about that.

A

Yeah, so the role was really created for us as an organization to be able to take all of the insights we have across all of the products that we're building, the research teams that are embedded in Those, including unit 42, and to be able to really translate that into actionable insights for customers. So what does that mean? I'm meeting with an endless amount of customers. Right. Nearly every day it's a different CIO or CISO and really helping for me to learn what kind of problems that they're trying to solve and then making sure that the solutions that we're building, one I can translate that into, here's how we would recommend you do that, and here's the insights we can provide. But also learning are there areas where maybe there's gaps, where there's problems that these customers are trying to solve where we may not have solutions for yet? So that's generally not the case. Obviously, portfolio is pretty comprehensive at this point, but it's really been a great opportunity for me to just be in the field learning as much as possible about the challenges our customers are trying to solve.

B

Winnie, you're an official speaker at RSA this year, and you were on a panel called Inside the Hunt for China's Typhoons. That was a talk about cutting through the hype of AI to get to the ground truth around AI and automation and how they're shaping security. After running through hundreds of incidents, what does the ground truth look like? And maybe what did you learn from the conversation or from the panel that you would add to that?

A

Well, the conversation was pretty dynamic. I have to say. We were all surprised. It was in first of the morning. So 8:30am Monday morning, RSA talk. We thought maybe we'd have five adventurous people that joined us. And the room was packed with standing room only. And there it was spicy on stage and we got some great questions from the audience. So, you know, we started with setting the stage which was what's the difference between who are these Typhoon actors? Right. And in particular who's Salt Typhoon versus Volt Typhoon. And I think it's important in that conversation as well as this one to talk about just objectives and why that's still important when we look at attackers because certainly when you look at using AI, that remains important.

B

Right.

A

So you know, Volt Typhoon typically related to military pre positioning. So more of PRC attackers coming from China who are looking to embed themselves within critical infrastructure within the U.S. organizations throughout the country. And the concern is that's been going on for quite a long time. It's hard to find because they're not installing new malware that you've never heard of. They're simply leveraging the existing administrative tools that already exist in your environment and then using those for their benefit. So harder to evict and hunt in that sense.

B

And when you say in an environment, this is across the corporate network, it's an OT network, it's pervasive that way. Or is it really concentrated in some strategic areas?

A

Well, critical infrastructure focus. So certainly water, power, electrical grid and. But it's all over. So not just one specific geographical location or one specific part of a state. This is certainly pervasive throughout the U.S.

B

all right, and so you said that was Salt, that was Volt Volt, yeah, got me.

A

And in Salt Typhoon, typically more traditionally espionage related. So again, leveraging existing tools that are in environments so hard to detect, but for the purpose of data theft, of understanding what's going on and being able to steal in this case, specific telecommunications data. So about communications going between high level or sensitive individuals, existing ways to attack future telecommunications, and so obtaining intelligence about that. So two very different types of motivation here. But if we take that back to a CISO or a CIO who maybe has worked their way up in the organization because they were a great engineer or they were a great analyst, they network analysts, for example, they're probably not going to be a geopolitical expert and also understand how to defend their organization against a foreign military capability.

B

Sure.

A

So we're really asking CISOs and CIOs to do a lot in today's day and age where cyber is so closely coupled with the geopolitical threat landscape. And that was really the Next part of the discussion was going into then, okay, what are we seeing with Iran? How is that different? My take on it was that was a different phase of conflict. So if you look at Volt Typhoon, that's much more strategic. It's still military pre positioning, but we're talking about doing this years in advance. Salt Typhoon, still strategic, but a different angle. Right. It's more data collection and understanding and some, you know, theft of data related to specific types of data that you might be interested in on these conversations. Now if we look at what Iran is doing where it's much more tactical, so tactical disruption, tactical destruction, wiping and these are, you know, Iran and Iran related groups out here seeing and investigating. And the reality is that a modern day CISO has to be able to protect against all of those and defend against them in addition to, oh by the way, all the cyber criminal groups that are out there that might want to steal data so that they can conduct a, you know, financially motivated attack against you.

B

Well, and maybe not part of the conversation, but we've also been seeing and reporting on activity out of North Korea and fake IT workers and theft there. So if you're a ciso, you've got every different flavor of problem and you know, with massive funding behind it, different strategies and capabilities. I do want to go back to you said it was an animated conversation on Monday morning. I think that's a good thing that people are involved and have some questions. What do you think is so animating about this topic right now?

A

I think that those of us who've been in the industry for some time really want, are frustrated that these same types of attacks continue to go on and want the United States to have a coordinated defense and certainly not only United States, but across our allies and across the private sector. So we spoke a lot about how we could work together to effect change and what that looks like. I think there's many great examples of that work that's already ongoing, but no doubt it needs to continue to be operationalized much more effectively where it becomes routine on a daily and weekly basis. And that's where a number of us are very passionate about.

B

Ali Mellon came on talking about Code War, her new book. And in there she described the histories of the countries and she mentions the US she talks about China, Russia, Iran and some others and how our histories and our social contract are what drive what we do and don't do. The cybersphere. Do you think that the US is social contract that we have this idea of as minimal government intervention as possible? Maybe Distributed systems that aren't always coordinated is one of those things that is at odds with being able to pull together that coordinated integrated response that's necessary to address some of these huge problems that are in front of us.

A

Well, I think that no matter what way any country or large organization organizes our infrastructure, it's likely to be used against them by the adversary. So we start there and then apply that concept to what we're seeing today. So the fact that there are distributed systems, that much of these attacks actually occur on private networks within organizations that are far outside of the government, but then the government has the authorities to affect change, those being two separate entities certainly can work against us. But I don't think that means it's the wrong approach. It just means that we need to work together more effectively and learn how to overcome some of those barriers that we may have constructed in order to achieve the outcomes at a speed that we need.

B

Well, speaking of speed that we need, how is AI affecting this problem? Either in a making it more urgent or helping things out, or maybe it's a little bit of both.

A

I think the biggest change by far is just the speed with which an attacker is able to operate. So we talk about in our report where we see cases where in 72 minutes that we've seen from initial access into an environment to data theft. We also talk about stats today where we've seen 400 time increase year over year in terms of being able to see data exfiltration in as little as 39 seconds. That is a massive amount of speed that you can see. If you're applying a manual detection and response capability, you're going to be beat by the attacker every day. So that's the biggest change and that is I think the most pivotal reason why it's critical that we fight AI with AI and that organizations like ours who are really building world class capabilities continue to be innovative and cutting edge.

B

Yeah, I feel like going back to your softball stories and baseball. It's kind of like playing T ball versus the bigs. That ball's coming in a whole lot faster now and if you're not able to respond, you're going to get struck out pretty quickly. The adversaries are using AI too, and not just nation states, cyber criminals as well. But the FBI has flagged the nation state actors in particular and specifically China are testing AI across the full lifecycle. And you just mentioned EXFIL in 39 seconds. An attack completed in 72 hours. I was speaking with Steve Ellevitz earlier this week and in My head, it was 72 days and he's like, no, 72 minutes. Move your time structure there. And it's just wild to me that it's moving that fast. How do those changes affect offenders who are still trying to deploy tools and structure the stories to the teams that help finance and fill the roles, who maybe don't understand the urgency that we're up against?

A

Well, I think it should be a big wake up call in terms of the timeframes that we need. So if we're still applying more outdated models of approaches of how we're responding to attacks, then we're not gonna detect them in time, we're not going to be able to respond and contain them in time. And the win is not going to be that we prevent every attack from ever occurring. It's going to be how quickly we can detect it, respond and contain it so that a compromise of an individual system doesn't become an entire enterprise wide compromise.

B

If next year you're sitting on a panel, what does success look like? You mentioned the community piece. Working together. Is that the direction that you think things need to go? Are there other elements that you would add to that?

A

That's a great question. I think one of them is specific to AI and so I'm going to cover that and then I'll talk about the community piece. But specific to AI. One thing that to me looks more like success next year is if the innovation of AI doesn't so far outpace the security of AI. Okay. And I see that happening today because organizations, CISOs, CIOs are pushed by every angle of the business, every department, their leadership team, to drive efficiencies. And so they want to implement and innovate AI as quickly as possible, which is great, we're all for that. But what we're not for is keeping the same level of security, which then creates this massive increased attack surface that now, a year from now, we have an attack surface this big versus this big. So what, you know, what is needed for that? Cyber security for AI is needed. So we all talk about AI for cybersecurity in terms of, hey, we're creating these new capabilities and we're innovating with cyber security detections and we're able to take billions of attacks and get it down to one per day for manual. Like all of that's awesome. But that is AI for cybersecurity. We, we equally need cybersecurity for AI in terms of making sure that we keep those guardrails in place so that companies can Safely innovate, can build and drive those efficiencies without exposing themselves to such a massive attack surface that's going to be unable to defend against and create inevitably more problems for them. The second piece, the community side, what does that look like? I think what that looks like in an ideal state is that we've really operationalized more of a disruption piece that we have as a community, a group of private partners who are really working together to share telemetry across the board with the government in a much more operationalized routine manner that enables doesn't violate any legal challenges in terms of best sharing data, certainly not sharing customer specific data, but also doesn't violate any government titling and authorities either, but really creates the opportunity for us to operationalize intelligence as quickly as possible so that we can make it more expensive for attackers to conduct attacks, make sure they don't reuse infrastructure, make sure that they cannot continue to use one attack and be successful against many organizations that it's more than one to one for a security

B

leader who is in the unenviable position of figuring out the differences between the typhoons and dealing with the conflict and the output from Iran or a nation state like North Korea, or run of the mill cybercriminals at the same time that they're trying to figure out their AI and their automation strategy with that pressure from their business or from their industry to continue to move fast, to innovate, what's the most important thing for them to get right before they start deploying the tools that would allow them to be exposed on a larger attack surface and or massively exploited by some of these nation states that have more funding to find those weaknesses.

A

I think those challenges both require the same solution at the highest, most simplest level, which is the right visibility into the environment. So the visibility for your team members, for your analysts to be able to detect at scale very quickly with one screen and then when you get into AI, what's being deployed across the environment, CIOs and CISOs need to equally have visibility into that environment. They need to understand visibility into shadow AI and what's being implemented in the organization that they haven't approved same visibility into to the actual prompts that are being input and ensuring that prompt injection is not occurring within an AI system that they've got red teaming into the models and at runtime so that all of that kind of level of visibility is going to enable the innovation they need to implement moving forward.

B

Wendy, this has been really fascinating. I'm sure that a number of our listeners are curious to reach out to you. Where can people find you online and continue the conversation?

A

You can find me most often at LinkedIn. Okay, I believe it's LinkedIn.com Wendy Whitmort

B

2 okay, we'll have it in the show notes. So LinkedIn is, is a good place to go and drop your questions for Wendy. And you said you're out there talking to people a lot so you know, she may not get back to you instantly. I really appreciate you making time for me today and for coming in and having this conversation, giving me a little bit of a snapshot of the conversation you had at rsa. We'll go ahead and link to that so people can experience the spice that you mentioned and understand what that's all about. And again, it's always good to have

A

you on for our doctor Fantastic. Thanks for your time today, David. Really enjoyed the conversation.

B

That's it for today. If you like what you've heard, please subscribe wherever you listen and leave us a review on Apple Podcast or Spotify. Those reviews and your feedback really do help me understand what you want to hear about. You can reach out to me at threatvector palo alto networks.com I do read every email and it shifts the direction of the show at times. I want to thank Mike Heller, our executive producer. Original mix and music by Elliot Peltzman. We'll be back next week. Until then, stay secure, stay safe. Goodbye for now.

A

Sa. Sam.