A
You're listening to the Cyberwire Network, powered by N2K.
B
Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.
A
One is to have intelligence drive your operations. Really understand what's going on out there, who the adversary is, what's out there. Then use that to drive your operations on where you're focusing in your SOC, whether that be TVM or your SIEM and SOAR work or whatever. And then finally, game plan. Put all that into play through tabletop exercises. Get that muscle memory, so that when you do get attacked, you're not going through the fog of war in those first 24 hours. You have that muscle memory. You know how to react, you know how you're going to respond to that, and you'll be much more effective.
B
Today I'm speaking with Keith Mularski, Chief Global Ambassador for Qintel. Keith spent over 20 years as a special agent with the FBI, where he led groundbreaking cybercrime investigations, including operations that dismantled the GameOver Zeus botnet and the infamous DarkMarket forum. Now, at Qintel, he helps organizations translate intelligence into proactive defense. And today we're going to be talking about how the SOC can evolve by learning from the underground and why thinking like the adversary is more important than ever. Keith, welcome to Threat Vector. I'm really excited to have you here today, and hopefully on our third try, now that the tech is working and the record button is there, we're going to make an incredible podcast.
A
David, I am excited to be here, and I think it's going to be a lot of fun.
B
So talk to me a little bit about your journey from the underground cybercrime investigations to now global security evangelism.
A
Yeah, so I had a very unique start. I started at the FBI in 1998. I started out working Russian counterintelligence back then. And I got to work some really cool cases, like the Robert Hanssen investigation, the bugging at the State Department. And then I worked 9/11 as well at the Pentagon. And around 2004, my wife and I were living in Washington, D.C. at the time. And I don't know if you've ever lived there, but the traffic is horrible, horrible. And my wife jokingly said, I'm giving you five years to get us out of D.C. or we're getting divorced, jokingly. So I started looking for jobs, and a position came open in this new, small little unit, a cyber unit in Pittsburgh at a place called the National Cyber Forensics and Training Alliance, or the NCFTA. And this was a cyber unit to work with private industry. So I had some technical background that I had learned at the FBI, and I applied and got it, and it was just me and another agent. So I started working with industry and started looking at the dark markets and the cyber underground. So I worked with the industry, and we crafted a legend for me to work undercover. And I worked undercover for a couple of years, and I'm sure we'll talk about that a little bit more in depth in our conversation. But then my cover got blown after a couple of years, so my undercover days were numbered and done. And so then I went over to the Pittsburgh field office and led the most amazing cyber group I've ever seen in my entire life over there. I was very fortunate to have just some thoroughbreds and some rock stars there, and we were able to work some great cases. And I had a great U.S. Attorney's Office with David Hickton there. And we brought the very first nation-state indictment against Chinese nation-state actors, APT1, which we could talk about as well as we go forward, I'm sure some stories.
And then we brought some big botnet cases down, like GameOver Zeus and things like that. And then in 2018, I got my 20 years in at the FBI, so I was eligible for retirement. So it was time to move on to greener pastures in private industry. So I was fortunate to get a position at Ernst & Young. For the last couple of years, I led their Cyber Threat Management group. So it was interesting then to be able to see the different perspective of what Fortune 100 companies were interested in and how they viewed cyber compared to how we looked at cyber in the FBI. So a nice bridge between the two.
B
So that's really fascinating. And I don't know if you're a fan of David Epstein's book Range, but you just remind me of somebody that is able to go and pick up enough skills, go deep enough, and then shift gears and apply them in another space. And as a former designer, that really appeals to me. You know, 20 years of building systems, probably not the most secure, designing things that were user-experience focused and delightful, but I know caused some headaches for the engineers, and now I can go onto the other side and go, okay, this is what we're trying to achieve on this side, here's what we're trying to achieve there. How do you bring it together? And you're the epitome of being able to do that at a totally elevated level within security. It's pretty amazing.
A
Well, thanks. It's definitely a different perspective, because how we viewed the cyber threat when I worked at EY and working with corporations is a lot different than how we viewed it in the government. When I was working there, we were looking at the SOC. You're looking at how do we prevent, how do we protect? And you're in defense mode. On the government side, you're really looking at people. You're looking at going offensive or trying to get cuffs on people. So it's really two different perspectives, and to be able to bring experiences from both sides, I think is really unique.
B
So let's go back to that undercover work that you were talking about, where, you know, you didn't have forever, but you did have some experience with it. You worked undercover on the DarkMarket forum, and that's been widely covered. It's been in books like Kingpin or DarkMarket. What's the one lesson from that experience that still shapes how you approach cybersecurity today?
A
Yeah, it's definitely about the people. We get so tied up in cyber with this malware, with this exploit, with this new attack, that we forget at the end of the day, it's just people that are behind that keyboard. I think my good friend Sean Henry, who's at CrowdStrike and was at the FBI, had a saying. He said, you don't have a cyber problem, you have an adversary problem. And really those adversaries are people that are sitting there every day. When you think about APT groups, they work for the government. So they're government employees. They're working nine to five. They're working government shifts. They're coming in, they're ordering pizza, going out for runs during the day, and you can track all that stuff. And the difference is that they're coming to work and they're hacking into companies as opposed to doing something else in the government. Cybercriminals, it's the same thing. Some of these cybercriminal organizations are very sophisticated. They are recruiting coders and programmers, just like you would at a regular corporation. They're setting up dummy and shell companies, distributing films and opening up restaurants and things like that. So these are corporations, they're businessmen. But really, at the end of the day, it's the people that you're dealing with, it's not just a piece of malware.
B
Yeah, I was just talking to one of our writers here. He's got a series called Control Delusion. He went back and looked at things like Sneakers or The Net, some of these hacker movies. And there were a lot of liberties that the directors took with these to make it interesting. And one of the conclusions that Ben and I got to is, on some level, being an attacker, being an adversary, is inherently boring. It's just somebody at a computer staring at a screen, doing work. And you really can't make great cinema out of that alone. So you've got to find other ways to inject drama into it. But we also think of this sort of lone-wolf mentality, this attacker that's out there, that clacks on the keyboard a couple of times and they're like, ah, I've got access. It's very quick. And I think that while that is fun media, fun cinematography, on the other side, it's done a disservice where people think that there's some sort of mystery to this. But what you're describing, and what I think is the reality, is that a lot of this is just work. It's just a job. And depending on what your goals are, whether it's an APT that's looking for government secrets or some sort of espionage, or if you're on the criminal side, you're looking to say, can we turn a profit that is a number of margin points ahead of the cost of doing the work. It's just a business. And then I think you do get back to that: it's a business of being an adversary, and then you have to look at it through that lens. And I actually want to get into that with you a little bit today. But let's start with the SOC, right? The state of the SOC today. From your perspective, what's fundamentally broken or outdated about the way that many security operations centers are set up?
A
It's alert fatigue. I mean, every day it's just triaging things. When I was at EY, I went to one of their board meetings, and the CISO got up and he was giving statistics about the attacks that they blocked. It was like, we blocked, I think it was something like 25,000 attacks or something like that. I mean, those are firewall logs. That's people touching your door. That's really not understanding that you're getting attacked. And it's just reacting to this alert, to this alert, to this malware, and it's really not understanding the context of why you're getting attacked. And I think that's one of the biggest things that I see. That's what's wrong with the SOC. You're so focused on looking at that pane of glass, preventing, making sure that you're not going to end up in the newspaper for being the victim of the latest ransomware attack, that you're really failing to understand the context of why you're getting attacked or really what's happening.
B
So I've heard this phrase, be careful what you measure, because you may get it. And I think you're getting to this at a level of, you know, our attacks are really firewall logs, or we're measuring throughput on tickets and not really looking for, did this make us more resilient? Did we go out and threat hunt? Did we actually move the company or the organization towards a point where we've lowered our risk? And the KPIs are set up on activity, not on lowering risk. What's the biggest mismatch you see between threat reality and SOC design?
A
Yeah, well, let me backtrack, just to hit a point on context, because I think people miss a lot on context. And I'm going to share a story from when I was at the FBI. We were working with a company, and the Chinese threat actors were in their system. And the company had great visibility into the activity of the threat actors in there. And every Tuesday night, the threat actors were coming in and they were stealing email inboxes. And I'm talking to the CISO, and he's like, look, we know what they're doing. They're nowhere near our crown jewels. I don't want to boot them out, because then we may not have visibility again. So I know what they're seeing. It's just email inboxes. So I started talking, and I'm like, okay, well, whose inboxes are they taking? And it turns out it was their chief negotiator, who was doing a deal in China. So the Chinese for weeks were just reading what this company's bottom line was, their whole strategy of what they were going to do over there in China. So when they went over there, they saw the bottom line, and you can guess where the Chinese opened up their bidding: right at their bottom line. So from email hacks, they literally lost billions of dollars because there was no context, because it's just triaging this or triaging that, really not understanding who your adversary is, why they're attacking you and what they're really after. That's what's really missing in today's SOC operations, in my opinion. I think the tools do a good job, but if you're not getting the context, you know, I think that case just blows my mind.
B
Yeah. So I don't know much about the case, but you're basically saying that the crown jewels were not defined as the company's intel and business strategy inside of China, and therefore they gave it away. Like, they knew it was being taken and they're like, oh, it's fine. Which is a context issue. If you understood what the adversary was really after, you would have said, we've got to shut that down immediately. Oh man.
A
Or if you had that visibility, you could think offensive. Maybe you throw some disinformation out there and kind of help yourself and have some kind of fun with it. But yeah, it was a losing situation.
B
That's unfortunate. No, and I like that idea that if you know that's there, maybe you're not going to get rid of the visibility, because you want to be able to keep an eye on it. But how do you mix in something that is confusing or causes the negotiations to maybe flip back in your favor? That's a little bit more sophisticated and I think a little bit of a departure from what most defensive-minded security is all about. So I like how you're thinking there, Keith. The idea of giving a little bit of a honeypot to go get tricked on. That's fun.
A
Yeah, yeah. Those kind of operations, you know, anytime you could do that is a blast.
B
Well, you've had this front-row seat to how cybercriminals collaborate and evolve. Right. What can security teams learn from how adversaries operate that would make their SOCs more effective?
A
I think you need to get visibility into the dark web. So when we're talking criminals right now, you need to make sure that you're getting intelligence on the forums that are out there, the Telegram channels, the Jabbers. You need to have visibility and see what they're talking about. I mean, just recently with Clop using a new exploit that's out there, people were talking about how to leverage that in the forums right now. So if you're not seeing what the criminals are talking about, how they're going to use it to attack you, you're flying blind. We had a term in the FBI where we said intelligence should drive operations. So that's where you're collecting, you understand what you're up against, you understand what the adversary is going to do. And once you do that, then that could drive operations. So if we hear that cybercriminals are talking about exploiting a CVE now, maybe now you should be looking at your TVM program. How are you prioritizing? Is your patch cycle of 30 days good right now? Or, hey, this is being exploited right now in the wild, you need to make this critical and patch this right away. So really, having that visibility and having that intelligence of understanding what's going on in the marketplaces should drive your operations on where you should be focusing in on. So whether that be focusing on something with identity or focusing on something with TVM, really the bad guys are going to kind of drive that for you, in my opinion.
B
So how do you take essentially an IT function inside of security, which is inside of IT, that needs some lead times and has some of these processes, and build in, I guess, a culture of being opportunistic and being able to sense and respond to that intel, to those behaviors, those observables, so that you're not caught flat-footed? Where, you know, is it a 30-day patch cycle, is that good or bad? How do we move it up to today? How do we not worry about it, because for us it's got defense in depth and we've got some layers in place, so we've probably got ourselves 60, 90 days before we have to roll that out? Just looking at those types of things that need to maybe change as far as a culture or a process. What do you recommend there?
A
Yeah, I think you've got to game plan. You've got to do tabletop exercises. You need to be having these types of discussions. You need to be like a football team. When you think about it, as a CISO, you're like a football coach. You have 15 games or 16 games that you're going to play. Well, now I guess in the NFL it's 17 games. And you see your schedule and you know who you're going up against, whether this is a passing team or a running team. And you watch game film and then you practice for that. So again, if you view it like that, where you're using the intelligence, seeing what the playbooks are that the adversaries are using, and then you put it into play with tabletop exercises, going through the procedures, testing your incident response plan, testing your policies, understanding how the C-suite is going to make decisions on things. I was in a tabletop exercise, for example, when I was at EY, and we were with a company and we had a great ransomware scenario set up. This was going to be like a three-hour TTX, and we get in there and it was going to hit one of their facilities, and that was making like $2 million a year. And the ransom was, I mean, $2 million a day that they were going to lose if they were down. And the ransom was like $3 million. And literally in the first 15 minutes we were there, the CEO comes in and goes, so we're losing 2 million, we lost 2 million yesterday from being down. We're losing 2 million today and the ransom is $3 million. Pay the guy. I mean, it was literally that quick. So you kind of knew where they stood, you knew what the culture of the company was and how they were going to view other ones.
I was in places where people were like, no, it is a sense of pride that we are not going to pay this ransom, we are not going to give in to the criminals. So you really need to know, again, discussing with your team how things are going to evolve, what you should be focusing on, understanding really how the CEO and legal and all that are going to react to different things too. And that could help you prioritize what you're focusing on and what you're not focusing on as well.
B
Keith, you talked about this idea that security is a people problem. And you've worked in law enforcement, you've been in consulting, now you're in threat intel. What are some examples of the most successful cross-sector collaboration, and what do you think made it work?
A
Well, public-private alliances and the sharing between them are absolutely pivotal. Last week, I was just at Europol, where there was a cyber conference, where they had all of the law enforcement from the EU and a bunch of industry there as well, just to get together and talk about that. It is so imperative because no one organization or company has complete visibility into this problem. Even when you think about financial crime, not one financial institution is going to have complete visibility. But you bring in, let's say, five different FIs coming together, sharing the information back and forth. You bring law enforcement in, understanding the threat that's going against them. And then you could bring in some other security researchers, like people at Palo or people at Qintel, to give a little bit of context on what you're seeing out there, maybe come up with other solutions, and then you can come up with a strategy on how to attack things. I think we hear too often about, okay, the government just says to industry, share your data with us. And that's just so broad. I think the biggest successes that we've had in public-private alliances are when we have things very narrowed on what we want to accomplish on, let's say, an initiative. So to give you an example from my background, I've been a part of a number of botnet takedowns. Let's say GameOver Zeus, which we talked about. That was a great one, where the banks were getting hit by Zeus that was out there. The security companies were looking at the malware and they were able to come up with a great way to be able to poison the botnet. And then the FBI, we were able to go after the bad guys and get the legal thing around it.
So bringing everybody together to go after this one botnet, to come up with a solution on how to prevent the fraud, a solution on how to take down the botnet, and then get the legal framework in from the government to be able to actually execute that, made it very successful. And there have been a number of big takedowns, like Operation Endgame that was just done recently against some of the stealers, and the TrickBot takedown as well. So it is so imperative that we pull together, but it's also imperative that we really be targeted on what we're going after.
B
So you've mentioned these different groups, and each one has a different mission, but when they come together, they can work towards that common goal. What things have you noticed in different cultures that make it easier to work together, or the kinds of things that you may say, look, if we want to get to that point where we're collaborating and we're having these big successes, these big wins, we need to move away from in our culture? Because it seems to me that the crashing together of these different cultures could define whether it works or whether it fails.
A
Yeah, I mean, I think we're making strides. We're here in the United States, and I think we're a few years ahead, at least on the law enforcement side, of maybe some of our other partners. And they're rapidly closing that gap. Even the security apparatuses in the United States are a lot different than in the EU. So if you go to RSA Europe compared to RSA in San Francisco, it's like night and day. Same with Black Hat as well. But I think we're bridging that gap a lot more, and I think we're trying to get some of the laws up to speed. So some countries, let's say in the EU or across the world, don't have the same cyber laws that we have here in the States, even though some of our cyber laws in the States are a little bit old too. So sometimes you have to call it something different instead of cyber. Maybe you call it wire fraud or bank fraud or organized crime, and you put it in those terminologies and then they get it a bit more. Some countries, like Germany and the Netherlands and the Brits, are really on the forefront pushing things as well. So I just think it's slowly evolving. We're not where we want to be yet, but we are getting better, I think, moving forward.
B
So let's talk about the adversarial landscape for a moment. Each time I look at some of the research, or I read what others are putting out, it seems like it's getting more sophisticated over time. What are some of the emerging tactics or trends that you're really watching closely right now?
A
I think supply-side attacks, I mean, that's just the biggest thing. We saw how successful that could be with SolarWinds. We saw how that could be successful with just attacking a third party to get access to the networks. We're seeing much more, let's say from a nation-state standpoint, of trying to do living-off-the-land attacks, things that really aren't leaving artifacts on the systems that EDR would see, because EDR right now is pretty amazing compared to where it was 15 years ago. And the bad guys all know that as well. So they try to get on places where they know there's not EDR. So they're becoming more sophisticated on that. From the cybercriminal side, tried-and-true techniques are still working. Phishing is still huge. Here we are, I started working the Digital PhishNet project in 2005, and here we are 20 years later, still talking about phishing being one of the biggest things. There are all these different phishing kits. AI is making phishing lures much better. But at the end of the day, social engineering still works very well. So we do talk about sophisticated attacks, and those are really fun to investigate and look at and see the emergence of that. But there are still just a lot of basic things that are out there with phishing. People are using RMM tools now as their initial infection vector, because those are usually whitelisted. So now if you're going in through an RMM tool, it's not going to get detected.
B
Love the breakdown there. Where can folks find you out on the Internet if they want to continue the conversation or look at what you're publishing?
A
Yeah, so I'm on LinkedIn. I'm doing a number of thought leadership things out there on LinkedIn. You could always reach out to me. I'm on a podcast with two amazing people, Selena Larson from Proofpoint and Dave Bittner from the CyberWire. Our podcast is called Only Malware in the Building; that's monthly. So you could check us out there, where we have a lot of fun talking about cyber issues. And then I'm out and about at many different conferences. So I'm always glad to have the conversation.
B
Well, and let me take it back to Only Malware in the Building. How did you get to be the one to not eat the hot sauce on that episode with Bittner and Selena?
A
Oh, I ate the hot sauce. So here's a funny story with that, David: I was watching Hot Ones to prepare for it, and I thought that, hey, I could just take a bite. I just had to take a bite as I was asking the questions. But we got three of them in and they're like, you're not eating the whole wing. So I had to go back and eat all my wings there. So I did do all the levels, including the highest level, which all three of us did twice, when Dave tried to turn on his FBI interrogation techniques on me, which was a lot of fun.
B
Well, I gotta say that that was a lot of fun to watch, that episode. I'll go ahead and make sure that there's a link to it in the show notes. And yeah, I was talking to my brother about Hot Ones. And Da Bomb is always the one where people start to lose their mental faculties. They lose it, man. That's the reason you watch the show on some level. That one hits. And I get this random package in the mail maybe two weeks ago, and I open it up and it's just a little bottle or a jar of this Da Bomb. And sometimes the intrusive thoughts come in and you're like, I'm gonna try it, I'm gonna try it. And then I'm like, nope, nope. That's like an entire day, maybe two days, just gone on a bottle of hot sauce that I don't need to risk it on.
A
I recommend, if you do the hot sauces, you've got to do it gradually. Not that it's any easier, but when you graduate gradually up the levels, I think it's a little bit easier, as opposed to just going and popping one of those big ones. I think that will crush you. One of our producers, when we were filming that, did the hot one right at the end and she was dying. She's like, how did you do it? But when you kind of build up to it, it wasn't bad. It was a lot of fun.
B
It's kind of like getting into a cold pool, you know, toes in, stay there for a little while, and eventually you're up to your chin. But yeah, no cannonballs then. We're not young kids anymore. Well, Keith, thanks for coming on. This was a fun conversation, and I really appreciate you sharing your insights around the SOC, but also some of your stories. And we'll have to have you back on as you see what the next chapters bring for you. Because I don't think that you're one of those guys that's going to say, you know, I popped out of the FBI, did a little bit of a stint here, and then went and found my rocker and did nothing. I'm going to see what you're actually rocking here in the next couple of years.
A
Sounds good, David. The pleasure is all mine. Thanks a bunch.
B
That's it for today. If you like what you heard, please subscribe wherever you listen and leave us your review on Apple Podcasts or Spotify. That feedback and your reviews really do help me understand what you want to hear about. Or you can reach out to me directly about the show. Email me at threatvector@paloaltonetworks.com. I want to thank our executive producer Michael Heller, our content and production team, which includes Kenny Miller, Joe Benecore and Virginia Tran. Original music and mix by Elliot Peltzman. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye.
Palo Alto Networks & N2K Networks
Host: David Moulton (Senior Director, Thought Leadership, Unit 42)
Guest: Keith Mularski (Chief Global Ambassador, Qintel; former FBI special agent)
Release Date: December 18, 2025
This episode explores how lessons learned from underground cybercrime investigations can reshape modern Security Operations Centers (SOCs). Host David Moulton speaks with guest Keith Mularski, who draws on over two decades of experience at the FBI, leading landmark takedowns of cybercrime forums and botnets, and on his current work helping organizations transform cyber intelligence into robust, proactive defense strategies. The discussion emphasizes why thinking like an adversary, understanding context, and enhancing cross-sector collaboration are crucial for today's security teams.
For security pros aiming to advance their SOC effectiveness, this episode underscores the value of an adversary-driven mindset, targeted collaboration, and not losing sight of the people (on both defense and offense) at the center of every cyber battle.