
A
You're listening to the Cyberwire Network, powered by N2K. It's the tragedy of the Commons, right? We all collectively are operating without any individual taking responsibility for action. And so the collective security posture suffers as a result. And then, from our side, we have the added curse of vision: where others don't see the totality, we do. And so through all of our investigations, we have a much better picture. And that is a big part of why a push like this is important and why we've felt so driven to push this out and really be a little more public and supportive of collective security through Operation Winter Shield.
B
I'm David Moulton, and this is Threat Vector. Today I'm speaking with Adam Matic, Section Chief of the FBI's Cyber Technical Analytics and Operations Section, and Jared Forgeschlenker, Assistant Section Chief leading the FBI Cyber Division's private sector engagement. We're talking about Operation Winter Shield, the FBI's effort to help industry take concrete steps to reduce the attack surface adversaries depend on. We'll talk about the recommendations at the heart of the operation, what investigations revealed about where defenses failed, and what a real private sector partnership looks like on the ground. Here's our conversation. Gentlemen, thanks for being on Threat Vector to talk to me about the work that you've been doing over the last couple of months. I'm really interested to have a conversation to get to know you a little bit and then to get to know your work so that we can broadcast this out to, you know, our listeners here on Threat Vector.
C
Great to be here.
A
Yeah, thanks for having us.
B
Jared, I know that you studied philosophy at Brown, then went off to law school, spent what, three years as a strategic intelligence analyst, briefing the FBI Director, the Attorney General, and then you moved into the field of cyber investigations before landing in your current role leading this private sector engagement. That's really not a straight line, not a criticism. I've done the same thing. What pulled you towards cybersecurity specifically?
A
I was always interested in the technical pieces. I was the nerd when I was growing up who was always buying the computers for my family and getting excited about all the details and all the specs for the computers. And so I had that interest. I just wasn't able to manifest it until I got here. And then, recognizing how integral to all of the criminal investigations, national security investigations, the cyber piece was, I really couldn't help but steer my career in that direction.
B
Adam, I'm going to kick it over to you. You spent eight years with Ford in the Office of the Chairman. By the way, I have a Ford Mach-E. I don't know if I'm allowed to say Mustang. Some of the hardcore Mustang owners disagree that that pony logo's on there, but boy, do I love that car. That was before you joined the FBI as a special agent, and you've now been with the FBI's Cyber Division for 20 years. You know, earlier, you were alluding to your early Radio Shack computer buying days. So, you know, 20 years at the FBI, you've seen an incredible shift in what's going on in this space. Do you remember the moment that you made the switch from private sector to going to the FBI? And what caused you to want to go into the FBI?
C
Yeah, it was an interesting path for sure. I kind of landed at Ford right out of college, and in those days I had no thought that I was going to go into law enforcement. I was just always interested in computers, had studied them in college, landed there, and looking back, it was a bit providential in the sense that I landed at a really large company, obviously, that has an enterprise IT apparatus. I mean, they have computers on every continent that is inhabited and hundreds of thousands of nodes on their network. But even in those early days, when I landed there in the late 90s, they were already making some pretty good decisions as far as network architecture and systems architecture.
B
Let's talk about Operation Winter Shield. Right. This is a list of 10 specific recommendations rooted in y'all's recent investigations. And before we get into those individual items, I'm hopeful that you can help me understand your process. How do you go from hundreds of cases to this short list of 10 actions and then decide those are the ones that are worth amplifying to the public right now?
A
Yeah, that's not necessarily an easy task. Right. Because we're constantly dealing with all kinds of different manifestations of criminal activity. We're seeing a very broad scope of the way in which actors are manipulating and exploiting systems. And to your point, it's, you know, we're in the hundreds and thousands of cases and incidents. So it isn't necessarily intuitive. However, these things, the key defenses that we have listed here, exist in most, if not all, of the cases that we have. So it may seem challenging to break this down, but as we see this repeated over and over and over again, it's fairly intuitive from our side what bubbles to the top and which vulnerabilities make their way into all of our cases. And so, you know, externally it seems like there's a lot more complexity to it. But from our headquarters side, with our program managers that are keeping tabs on and tracking all of our investigations across our criminal threats and our nation state threats, we have that awareness from a top level on what aspects are being exploited continually. And so it was a fairly easy mechanism for us to build this out pretty quickly in terms of which controls are the most commonly exploited.
C
Yeah, I was going to say it's a little bit more intuitive than it is, like, entirely data driven. We don't have every single one of our case files tagged with the specifics of what exploit was leveraged and what security vulnerability and weakness was actuated by the threat actor. But we know as investigators what we continually see. And when we just talked internally as a team, these 10 things just bubbled to the top.
B
Let's shift gears. Phishing resistant authentication leads your list, and we've been talking about MFA for years. So guys, what's still broken?
C
Yeah, there's a couple of things. I think maybe we should just define what multi factor authentication is and the value that it adds and why it makes you resistant to phishing scams in the first place. Which is effectively that it's pretty easy for bad guys, criminals, to trick people into giving up their passwords. Lots of mechanisms that they use. It boils down to social engineering. Multifactor authentication is supposed to be based on this principle of something you know and something you have, like a physical device that you have with you, and that you need both of those things to authenticate yourself to a system. And back when I started deploying multi factor authentication, it was almost always a hardware token type of device, mostly the RSA SecurID tokens. And now there's many, many manufacturers in that space making those kinds of devices. But over time, I think because of cost and simplification, we started to see SMS text messaging based platforms for that second factor. Supposed to be something that you have: you have your phone. And so if we send you a text message, then that qualifies as that second factor. The problem with that is that it's actually not that difficult for motivated criminals to basically steal your phone number temporarily to be able to intercept those kinds of messages. And they've primarily done that through a technique that we call SIM swapping, which is where you social engineer, effectively, tech support at the phone carrier and trick them into transferring the phone number from the real customer's phone to an alternate device, and then usually switch it back at some point so that the victim doesn't know that that's been going on. But they do that for a period of time where they're trying to authenticate with a password to steal that one time token that's sent as a text message.
The other bucket is tricking the user into disclosing the message that was sent to them as a one time password through social engineering. So a criminal reaches out to a victim and says that they're Joe from tech support and we sent you a one time PIN, we need you to verify that so we can proceed with this call. And an unsuspecting user gets that as a text message and goes, oh yeah, I did actually just receive a code in another message. They copy-paste it and they've effectively just given that message over to the criminal who's trying to steal their login identity. And so what we're really encouraging people to do, administrators to do, is to look for mechanisms that are resistant to those kinds of techniques. And that's going to be going back to hardware tokens primarily. It's going to be something like SecurID or YubiKey or some other kind of physical device that you have to either plug into your computer or you have to read a code off of a little display and type it in. We still have to deal with educating users so that they are internally resistant to those social engineering ruses, where if they do have a SecurID type of device and there's an LCD number on it, they're not just handing that over to a bad guy who's trying to steal it from them through some other kind of social engineering ruse.
B
So end of life technology shows up in a number of the case studies behind your recommendations. I think you had SOHO routers, you had IoT devices. Walk me through what an attacker actually does when a device isn't receiving patches anymore, and why you think that problem persists in organizations of every size.
C
Sure, yeah. I mean, it's really the intersection of, you know, the inevitability of software vulnerabilities and a device being end of life, meaning it's not supported by the manufacturer anymore. And when those devices are on the wide open Internet, they're at the edge of networks, they're routers and firewalls. It becomes basically trivial for threat actors to use them as obfuscation points in trying to attack other systems. So effectively, what it looks like in practice is you've got a small router on the edge of a home network, it's not supported by the manufacturer, it's not supported by the provider. And there's a vulnerability in the management software of that router where effectively an attacker can just send the right type of packet, the right type of communication to some port on the outside, and immediately they have full root access to that device. Even if the owner ends up rebooting it, then they can just get back in very quickly because the vulnerability is still there. And what we've seen in practice is that threat actors are using automation to stitch together hundreds or thousands of these types of devices into what we either call proxy networks or obfuscation networks. In some cases they're using them for their own nefarious means to launch attacks against US industry or other victims around the world. And in other cases they're selling access to these networks to other criminals who are wanting to do similar things. And you know, they're paying an hourly or a daily rate or whatever to use the obfuscation network or the proxy network.
A
Something else too on it is that with regard to these small office and home office routers, the SOHO routers, those targeted entities may not be the ultimate final end and target, which I think folks don't necessarily entirely grasp or understand. So you may have a small business that doesn't have the ability to purchase new devices to increase their security posture, but because that doesn't occur, that obfuscation network is able to expand and persist, and then other more sophisticated targets can be accessed. And we, as investigators and law enforcement, have a real challenge to ultimately disrupt those actors because of that initial compromise downstream of the ultimate intended target. And so a lot of what Operation Winter Shield is meant to do, and the objective of this, is to communicate and educate some of those smaller businesses and medium sized businesses about the way in which the security within those organizations, or potentially the lack of security measures consistent with the 10 key defenses that we highlight, ultimately results in a lack of security across all of our networks that puts everyone at risk.
B
The Winter Shield framing positions industry not as this, like, passive recipient of intelligence, but as a critical ally alongside the FBI. What does active partnership look like day to day, beyond following these 10 recommendations?
A
I can definitely jump in on that one. You know, as the guy who's kind of overseeing our private sector engagement strategy from the headquarters side, a lot of what we do with our industry partners occurs at the field office level. So we have our 56 field offices spread across the country, currently operating with 55 that have private sector co in each of those offices. And those folks are interacting on a daily basis with different organizations. And it can range from as simple as just knowing who to be in contact with at the FBI in the case of an incident, so that as a company has to quickly spin up and deal with a compromised situation or a potential compromise or breach, they can reach out quickly to us and we can potentially share information that would assist them and help them in securing their networks or remediating more quickly or mitigating for the future. So it can happen at that level, where we are able to share threat information and indicators of compromise with organizations that are suffering from a potential breach. And then it can go all the way up to maybe a more sophisticated relationship that we may have with industry partners where, as Adam mentioned earlier, you know, we have these organizations that have global telemetry, that have networks that span hundreds of countries and geographic locations, that are receiving inputs on threat activity on a scale where we in the FBI could never have as broad a picture. And so that inevitably results in an incredibly broad understanding of activity that's occurring on the Internet and on networks that is malicious in nature. And we have mechanisms in the US to allow private organizations to share that cyber threat intelligence and measures for defense with law enforcement so that we can be informed as we are investigating, but also so we can then inform the public back on how they can protect themselves.
And so the private sector in cyber is very uniquely situated versus some of our other threats, where a lot of our industry partners have an insight that is far broader than we do within the law enforcement community. And so that's where that active participant from private industry in the collective effort of security really factors in.
C
Yeah, well said. I'll just add that, like, because I do work with the Cyber Action Team, we deploy to companies and government agencies that are experiencing a computer intrusion incident, and we help both investigate the activity so that we can piece together the narrative story of what happened, and we can then pursue national security interests or criminal prosecution as the case may be. But when we get there, it's effectively a digital crime scene. And when you think of how crime scenes are managed in, like, traditional meatspace investigations, anything you've ever seen on TV, whether it's a bank robbery or a murder case or something like that, law enforcement comes in and they dominate the crime scene, they put up police tape around it, they control the area, they control who can come in and who can leave and all that kind of stuff. But in a digital crime scene where there's a computer intrusion, it's so much more of a partnership with the system owner because we don't want to create extra harm by being too overbearing in the way that we investigate a computer intrusion. But our objectives are still the same. So we come to a company and we're asking for their partnership in enabling us, one, to fulfill our mission of figuring out who committed the crime and collecting evidence on them so that we can then fulfill our mission, but also helping them restore operations. Because by finding the artifacts, the indicators of compromise, the log files that show what exactly happened, that actually pivots really well into helping the victim remediate the threat, patch the systems that were vulnerable, evict the threat actor, and then, like I said, resume their business operations, which is generally their main goal in all of it.
B
Could you briefly describe the difference between what happens when a company calls the FBI really early in an incident and then maybe what it looks like if the FBI is brought in after the fact?
C
Yeah, the earlier that we can get out onto that digital crime scene, the more likely that we can actually collect evidence while the threat actor is potentially still even engaged with their networks, which would be real time information and potentially volatile information that wouldn't be retained in log files, that might point to not only where they're coming from as far as IP addresses that they're connecting from, but also the credentials that they're using to log in or the vulnerability that they're exploiting. The more time goes by, you know, it doesn't mean we can't do our job, but it means that we're relying on whatever information was logged by the security operations facilities at that company, which some are good, some are bad. They all have different amounts of information, granularities of information that they're collecting, and different data retention policies. But the fact always remains that the sooner we get there, the better the fidelity of information that we're going to have to tell the story of who did the crime, but then also to help repair the systems and resume operations.
A
And I'll add to that too, from the other side, from the organization side. If a company brings us in early, there's a greater likelihood that we will be able to inform that organization early on regarding the tactics, techniques and procedures that that threat actor uses. And sometimes that may be technical, on the network, but some of it might not. Some of it may be things like this threat actor doesn't encrypt, they just exfil and extort. So they've given you a notification with a ransom payment request. You don't need to be as concerned about them encrypting your data, but you will need to be concerned about them extorting you. And that can then factor in the calculus that the organization takes as to how to respond to the threat actor. If they don't bring us in, then we can't necessarily inform them on what that looks like, and an organization may be operating blindly. And a lot of those aspects of threat actor activity, that's where we have unique insight, because we're dealing with that threat actor through the totality of the victimization for the organization. We see that from start to finish, all the way through, where an incident response organization only sees a sliver of that, a piece of that. They can handle some aspects, but not others. So there's that component too, where the organization can make better or more informed business decisions about how to respond to the threat actor, sometimes, if they bring us in earlier versus later, already going down a path that may be unproductive.
B
Yeah, it kind of reminds me of a coach that has watched all the tape and knows the tendencies of the opposing defense or offense. They can sometimes get a jump on what's going on just by knowing what those tendencies are. But if you're flying blind, you got to really hope that your playbook holds up. Guys, the final recommendation is exercising your incident response plan with all your stakeholders, and it explicitly calls out your local FBI field office. If you're listening, do you know who at your local FBI office is supposed to be participating? And if you don't, I'm going to recommend that you figure that out today. I don't think most organizations think of the FBI as a participant in those tabletop exercises. Talk to me about how including law enforcement changes those tabletop exercises. And what do organizations discover when they include you all for the first time?
A
When I was in Kansas City, I did a number of those and had a good deal of outreach with our partners within the Kansas City area of responsibility. And I'll say, maybe I'll answer your second question first. As far as what they learn when they start to bring us in and have us participate, I found that a lot of organizations are really surprised by how willing we are to take a backseat until there's a necessity for us to contribute or bring value in some way. We, as Adam mentioned, do not come in and just take things over when we're dealing with engagement with a victim in an incident response type scenario, unless that victim wants us to, which happens in certain circumstances. But we don't enforce that aspect of our authorities when we're dealing with victims. And I think that is very surprising to organizations as they look to bring us in. I think that that's different than expectations. I think another thing that folks learn is that we are incredibly deferential and respectful of the victim, their data, how they protect that, how they proceed with it. And that's something that's very important to us. And I don't know that everyone fully grasps that or appreciates that at the outset as far as what it looks like and what we bring. To answer the first part of the question now, a lot of it is just giving organizations reps on when to reach out and what that communication looks like. So that comes in the way of, just for example, using out of band communications. Sometimes organizations don't necessarily think about, hey, if I have a compromise, even though there's no indication immediately that it's affecting my, you know, my email server, I really shouldn't be communicating with the FBI about the compromise over my email server, because that could, you know, tip off threat actors. Right. And some organizations may not have thought through that yet and they might not be considering that.
And those are things that are just standard practice for us as we're dealing with that. But we can bring some of those perspectives in and potentially cause organizations to either more aggressively highlight certain aspects of their incident response, so that they're following those, or add aspects in that they might not otherwise have considered or included or thought of.
C
I think you also can't underestimate the value of just knowing a person before you have to deal with a stressful situation. You also just don't want the first time that you've thought through some of these really complex scenarios to be when you're dealing with, you know, a ransom demand from, you know, a threat actor out there on the Internet and all of your data is being encrypted, or you know that they've exfiltrated your crown jewel information. And the other area that I think that applies, especially the having thought through things in advance, is in the legal aspects of it. You know, Jared and I are... are you an attorney?
A
I am an attorney.
C
I'm not an attorney. Jared's an attorney. So correct me if I'm getting anything wrong, but, like, we work with lawyers all the time. And we know that it's sensitive to share information with the government. We value the Constitution and the Fourth Amendment. And in many cases, we're coming in and we're asking for some sort of written consent to be able to collect some critical evidence that's going to be useful in our investigation. And if a company's never talked with their counsel, inside or outside, about what that looks like, to sign over that kind of consent to the government, then thinking about it in the moment of a critical, you know, incident is probably not going to be as fruitful as having had those conversations in advance.
A
Yeah, the way I like to think of it is you don't want to build trust under pressure, and you don't want to build process under pressure. And for us coming in, both of those things are very critical and important to a successful outcome. So by practicing running through your policies and procedures on a tabletop exercise and bringing us in, we can build both of those things before we need to deal with any of it.
B
What should an organization have ready before they reach out to their local field office to start building that relationship?
A
Honestly, I don't think they really need to have anything ready. They just need to reach out. It's really that simple. We're all, the cyber supervisors out in the field and the investigators out in the field, dealing with people day in and day out. That's why a lot of us came to this job. We're just people ourselves, and the conversation will go where it goes and where it needs to go once they reach out.
C
You can almost go in the wrong direction if you think that you have to collect a bunch of information or evidence before calling law enforcement. Because we're trained at collecting evidence, and we know how to do the forensic side of things and all that. So if somebody who doesn't know what they're doing is trying to get their act together before calling the FBI, there's things that they could do that would actually harm the investigation.
B
Okay, so no homework, really. It's just a willingness and an openness to make the call, and then knowing who to call. Guys, let's end it here with my favorite question that I ask on Threat Vector. If a listener takes one thing away from this conversation and they act on it this week, not next quarter or next year, what should it be?
A
You want to go first?
C
I was going to say there is no one thing. That's why we have 10 things on our list. But, you know, I think what I would say to the CISOs that are out there is you're not alone. This is, as we've said before, this is a community effort. And then to the CEOs that are out there, I would say probably listen to your CISO.
A
The one thing that I would like folks to take away, if they were to, is that within FBI Cyber we recognize that security is not a fight that we can win from a law enforcement side on our own. We need partnership, participation, engagement from the private sector, and we are willing and we are open to doing that in the ways that look right and are effective.
B
And I think I know what the answer is going to be on this one. But is there a resource, a website, a contact point that our listeners should start with to get engaged with Operation Winter Shield?
A
Yeah. So FBI.gov/wintershield has resources. It has a lot of the communications that we've put out. This was a multi month operation that we had, and so there was a lot of content that was generated, and that would be a good place for folks to go to review that content and engage with the content so that they can start implementing some of these things and considering them from their perspectives within their respective networks.
B
And we'll go ahead and make sure to have the link in our show notes. So if you're listening on your favorite podcast app, you should be able to pop that open and find the link directly to those resources. Adam, Jared, thanks for this awesome conversation today, for the work that you're doing, and I always really appreciate talking to people who have a sense of mission over reward, and it seems to me that both of you exemplify that, and it shines through with Operation Winter Shield. And I'm just, you know, as a participant in the community, really thrilled to be able to share a little bit of time with you and talk about what the FBI is doing and seeing on the ground.
A
David, thanks so much for having us on. This was a great opportunity and really appreciate the conversation as well.
C
Well, it's been a pleasure. Thank you.
B
That's it for today. If you like what you've heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help me understand what you want to hear about. And if you want to reach out to me directly, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller. Elliot Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.
Date: April 30, 2026
Host: David Moulton (B)
Guests: Jared Forgeschlenker (A), Adam Matic (C)
This episode delves into Operation Winter SHIELD, the FBI's initiative to guide the private sector on concrete steps to reduce cyber attack surfaces. Host David Moulton interviews Adam Matic and Jared Forgeschlenker from the FBI Cyber Division, exploring the operation's key recommendations, lessons from recent investigations, and how industry can become active partners in collective defense.
"It's the tragedy of the Commons, right? ... We all collectively are operating without any individual taking responsibility for action. And so the collective security posture suffers as a result." (A) [00:02]
Jared’s Journey (A):
From philosophy and law to cyber at the FBI, driven by technical curiosity and realizing the centrality of cyber in national investigations:
"...recognizing how integral to all of the criminal investigations, national security investigations, the cyber piece was, I really couldn't help but steer my career in that direction." (A) [03:02]
Adam’s Industry Perspective (C):
Insights gained from working in Ford’s enterprise IT before joining the FBI—witnessing early best practices and scaling challenges:
"...even in those early days, when I landed there in the late 90s, they were already making some pretty good decisions as far as network architecture and systems architecture." (C) [04:30]
"We know as investigators what we continually see. And when we just talked internally as a team, these 10 things just bubbled to the top." (C) [07:24]
"We still have to deal with educating users so that they are internally resistant to those social engineering ruses..." (C) [11:23]
"... those targeted entities may not be the ultimate final end and target which I think folks don’t necessarily entirely grasp or understand." (A) [13:58]
"... in a digital crime scene ... it's so much more of a partnership with the system owner because we don't want to create extra harm by being too overbearing in the way that we investigate a computer intrusion." (C) [19:02]
"If a company brings us in early, there's a greater likelihood that we will be able to inform that organization early on..." (A) [22:30]
"You don't want to build trust under pressure, and you don't want to build process under pressure." (A) [29:19]
"Honestly, I don't think they really need to have anything ready. They just need to reach out." (A) [29:56]
"You can almost go in the wrong direction if you think that you have to collect a bunch of information or evidence before calling law enforcement." (C) [30:21]
"...you're not alone. This is, as we've said before, this is a community effort." (C) [31:13]
"Security is not a fight that we can win from a law enforcement side on our own. We need partnership, participation, engagement from the private sector..." (A) [31:37]
"FBI.gov wintershield has resources. ... a good place for folks to go to review that content and engage..." (A) [32:14]
On MFA Weaknesses:
“Because of cost and simplification, we started to see SMS text messaging based platforms ... Problem with that is that it's actually not that difficult for motivated criminals to basically steal your phone number temporarily.” (C) [08:40]
On Organizational Responsibility:
"...those targeted entities may not be the ultimate final end and target, which I think folks don't necessarily entirely grasp." (A) [13:58]
On Early Reporting:
"...the sooner we get there, the better the fidelity of information that we're going to have to tell the story of who did the crime..." (C) [21:15]
Operation Winter SHIELD is the FBI’s call to action for industry to move beyond passive threat intelligence sharing and become proactive allies in cybersecurity. By following the ten practical recommendations, establishing relationships with FBI field offices, and integrating law enforcement into preparedness exercises, organizations and government can truly “shield” the broader community. The strongest message: you are not alone—security requires collaboration, not siloed effort. Visit FBI.gov/wintershield to start making your organization more resilient today.