Armed services, social engineering and sensationalist reporting

Chris Sienko: Hello, and welcome to CyberSpeak with Infosec Institute, a podcast and video series about security-awareness issues, tech career tips, and the state of the security industry. Our guest today is Michel Huffaker, director of threat intelligence for ThreatQuotient. Our talk today will be in two parts. First we'll discuss some security awareness issues specific to the US armed services, and after that we'll go through some of the most attention-grabbing headlines and see if we can find the real story within. Michel began her career as a Chinese cryptologic language analyst for the US Air Force before moving on to become an intelligence analyst for the US Department of Defense. Working for a number of technology vendors, iSight Partners for five years, and now as the Director of Threat Intelligence at ThreatQuotient. Michel, thank you for joining us today.

Michel Huffaker: Thanks for having me.

Chris: What are some of the biggest security issues currently happening on a personal or individual level in the armed services right now?

Michel: I would say that probably phishing will continue to be a pretty [inaudible 00:01:07] of an issue for the armed services, as well as social networking, sort of exploitation. If you remember back around 2009 there was a profile created under the name Robin Sage, that was fake, by a security researcher, just to see how many people they could get to actually connect with this individual who was not real. So she was posing to be an intelligence analyst, and friended over three hundred people, and was able eventually gain access to secret military- not necessarily documents, but locations, through photographs and things like that. So I think just the nature of the tight-knit relationship of modern armed services would lead them to be more vulnerable to this type of attack.

Chris: Are there any sort of specific phishing attack vectors that are sort of being used at armed service people?

Michel: I would say it's not too different from what you would see in the commercial sector, other than it would be tailored. For example, phishing messages about industry-related conferences, defense contractor sort of conferences, as well as things around even earning statements, any sort of holiday schedules for the government, and anything that might be related to benefits through something like TRICARE.

Chris: What are some of the more surprising phishing tactics that have actually worked? Do you have any sort of odd stories in that regard?

Michel: I don't know about odd stories. On one hand it's a little bit surprising that any of them work, and then on the other hand, it really isn't, because of how well-crafted they can be. Some of the things that are really prevalent across the board, both private and military right now, are things around getting individuals to try to reset passwords, for example, for things like Gmail accounts, Outlook Web Access; some of these are well-crafted, those generally come from the more advanced actors, more nation to state sort of strategic stuff, but then there are those that are really poorly-crafted that come from developing nations, and so you see sort of a broad spectrum of capability, and then it turns out that generally it becomes a numbers game. So people will eventually click some of the poorly-crafted ones, and I think that's surprising.

I don't know that there's anything that I've seen recently, and to be fair, I've been out of the military for a while, that is overly shocking in terms of expertly-tailored on the broad spectrum of targeting that the general addresses.

Chris: You know of any specific educational initiatives or security training programs that are being put in place to, sort of, prevent this? Is there any kind of standard operating procedure to let people know to sort of watch out for these sort of threat actors?

Michel: Absolutely. I think the armed services themselves, each individual agency on the civilian side, as well as the government at large is looking at different sort of awareness programs. I know in some of the agencies I've worked with before, they did sort of gamification type things where they would show subject lines to see if people would click or not, and then give a score at the end and help do some awareness training around that. I would say that, generally speaking, people in the government and military are aware of security threats. They're constantly trained on how to be vigilant, and to watch disclosing certain things in public, but it's obviously very much focused on the physical side. So I've seen a large effort over the past couple of years to really get people to focus on the cyber side. It's not always the most interesting of topics, so it's difficult to kind of keep that awareness material new, but I do think that there is a large effort to try to keep that stuff safe.

Chris: What are your thoughts on the recent national cyber strategy brief released, especially its creation of the Cyber Defense Initiative? What are some of the issues this organization is being created to address, and what do you think the methods are going to be to achieve these ends?

Michel: My initial thoughts are that it's a good thing, right? You want the government to really be focused on these issues. You want to see administrations carry on from president to president, from administration to administration, these types of initiatives have been bringing cyber to the forefront. I think that there has been a lot of political talk around it, and a lot of focus on the offensive side, but if you look at the actual briefing, there are a lot of things in here that are good. There's a focus on generally securing critical infrastructure, there's a focus on making the internet interoperable, there's a focus on educating the public. So as long as that framework stays in place, and there's an actual tactical and operational way to achieve that strategy, I think it's a great thing.

It's a huge problem from a national perspective, so I think it's a difficult thing to do, and getting the different agencies who are responsible for this, the different non-profits, even industry on board to share information to address these issues would be very beneficial, and the things that they're really working against are securing our economy, securing our critical infrastructure, and protecting the data of the citizens of the US. So, as long as that remains the focus, rather than the political side, I think it is ultimately going to be successful.

Chris: Based on what you've read of the brief and the proposal so far, are there a lot of sort of practical steps that have been implemented? Or is it still sort of a declaration of interest, i.e., 'we want this to happen, this to happen.', and if there are sort of concrete details that you've seen and evaluated, do you think that it looks like an effective plan thus far?

Michel: From what I've seen, it's mostly a framework and a declaration. I think if there were very specific tactical steps then the cyber problem would be solved. I think the most important thing is that the issues are being raised, they're being raised publicly, and it's giving people the opportunity, and potentially the funding, to actually focus on mitigating some of those particular attack factors.

Chris: I guess, sort of speaking to that, if you were to have the magic gavel and implement a parcel of bills or a legal bill that would, as you said, end security issues overnight, what would your strategy be? What's not in place that you would like to see in place in that regard?

Michel: That's a good question. I think more of a tolerance to people publicly speaking, not necessarily people but organizations, speaking about their own vulnerabilities, their own experience with some of these breaches and these attacks, without being stigmatized, and with the government industry's help. I think there's on one level where people are competing, which makes a lot of sense. That's a lot of what our country is about, but on the other side, if an entire industry is weak in one particular aspect, then the entire economy is. So, I think mostly it would be really showing up the ability for the government and industry to quickly share information, it's actually critical that its actionable, and to help foster communities within industries to actually share this information quickly.

Chris: Do you think there's any behavioral change that can be implemented by service people that would reduce the dangers of phishing and cyber crime in the military sector?

Michel: Service members and government employees are well aware of security threats in general, so I think that just reminding them of the value of their information would ultimately create sort of a grassroots of behavioral changes to protect that.

Chris: What roles have threat hunting or threat intelligence or deception played in countermeasures to these security issues? Are there benefits right now of going on the offensive and sort of tracking these- especially overseas, threat agents?

Michel: Okay, two parts, yeah. I would say that obviously threat hunting, threat intelligence, deception, those types of defensive techniques are incredibly valuable. Without threat intelligence, there's so much data and there's so much information out there that it becomes almost an impossible problem to understand. Threat hunting is almost going on the offensive within your own network, to really look for those kind of blatant threats and those things that are so sophisticated that your sensors can't find. So that's obviously a very valuable, very mature way to approach security. And deception, you're seeing a lot of vendors that are coming up with deceptive technologies that seem to be very effective, but that's a tough thing to maintain. You have to continuously update those environments. So, I think they're all critical.

As far as going on the offensive, I would say that the most important thing to think about, especially if you're speaking in terms of the government, or even an industry, is offensively attacking with cyber means can be tantamount to kinetic attacks. So I think all the diplomatic things have to be weighed, all the political discussions have to be weighed, to do something like that without going the same process that we would a kinetic attack, I think would be reckless and dangerous.

Chris: Okay, so let's sort of move on from there to another interest, when I was talking to you earlier, you said that you do a lot of work sort of breaking down what you described as sort of sensational hacks that are written up in large, lurid letters in the news. You said that high-profile stories like pacemakers being hacked are written to cause panic, and that you have proof points that sort of quell fears on these sort of fantastical topics, so let's start with the pacemakers. How is this topic being poorly reported?

Michel: So on the one hand, first I want to preface this by saying I think when there are vulnerabilities in things that are critical to human life, there is a responsibility to report those publicly. What I'm speaking about specifically is the oversensationalisation of it, and this sort of fear-mongering approach. I think there is a little bit of a sort of a culture around kind of mystifying the idea of cyber, this whole sort of sci-fi thing where you can just in one fell swoop take down a power grid, or something like that. While occasionally those formidabilities do exist, and there is a right for the public to know, it's whenever it's presented in a way that creates fear rather than informs, and you can tell the difference very easily, in fact there was one, it was just in August of this year before black cat, reporting about pacemakers again.

There is a very big difference between an article that is more focused on the industry itself, that simply explained 'These vulnerabilities were discovered, this is how they're addressed, if you have these particular pacemakers, here's how you can fix it.', as opposed to some of the mainstream reporting around it was very like 'Oh no, if you have a pacemaker, China can

Chris: This is the end, yeah.

Michel: ...Right. Those sorts of things, and I don't think that that fosters a good trust relationship between the media and the public, so that whenever there is a real issue, you know, if you've been crying wolf for so long, then it's going to be difficult to eventually get attention.

Chris: That is true, now what would be some strategies that you would suggest to savvy readers of the news to spot these sort of overheated articles? What should we be watching for, and how would you sort of know when it's not as bad as it looks, or it's bad in a different way, or something like that?

Michel: That's kind of a tough one, it would depend on the type of news, whether it's social media, or regular public information. I would say headlines that sound extremely definitive that warn of anything like sudden death, or are very clear cut that 'x' person can stop 'x' device and with 'x' result, because it's often if you get to the second or third paragraph, you start to see where the definitiveness of that unravels. For one thing, it's vet your sources, really get a trust relationship with your news providers, and second is if you're one of those people who just reads the headlines, if you find something alarming in the headline I would recommend really digging into the article rather than taking it at face value.

Chris: What are some other high-profile cybersecurity stories that you think are being currently reported in a sensationalistic way that you think would be more effective if told more directly? Are you following any particular stories that sort of bother you in that regard?

Michel: The most recent one I can think of was the series of natural gas explosions that happened around the same time as Hurricane Florence. I know there were some media outlets that were very quick to report that that was a failure in cybersecurity, ultimately, that there was a critical infrastructure failure. Even if that is the case, or it's found to be a culprit, or at least contribute, it was, in my opinion, pretty reckless to come right out with that sort of assessment. There's a lot of implications to insinuating that someone has hacked and ultimately caused actual destruction, and I don't think we would as recklessly talk about an actual physical attack, in the conventional sense. So I would just encourage people exercise caution. Really contact the experts, people who can speak to these issues in layman's terms I would say are probably more credible than those who are just kind of babbling technical jargon, because they really understand it and can explain it in a way that would help the public kind of wrap their arms around it and understand how it could eventually affect them, and how they can protect themselves in the future.

Chris: To wrap things up here, what security issue that you hear in the news about do you think people should worry about less than they do, and what issue do you think they don't worry about enough?

Michel: I don't know if this will come back to bite me or not. I would say that generally, people should probably worry a little bit less about critical infrastructure attacks, like from power grids, attacks on specific sort of IOT devices, internet of things, Smart cars and toasters, and while there are absolutely vulnerabilities in those things, and there are attack methodologies out there, there is always something you have to evaluate, which is access, capability, and motivation, and you really have to figure out where you are on that spectrum. If you're just a person with a toaster, and it happens to be internet-enabled, I'm sure there's a possibility it could be caught up in some sort of opportunistic threat, but the likelihood that it's going to be used to kill you is pretty low. So I think just maintaining some general education around those things would be more valuable and a better use of your time and energy than buying into this whole sort of crazy sci-fi thing.

Things I wish people were more aware of, I definitely am sort of expecting to see a balance between people expecting companies to protect them, and companies expecting their users to be a little bit more responsible. So I would say things like enabling two-factor authentication on any accounts that someone has, watching credit card statements closely, and using credit cards only on trusted websites and things like that. I think people have almost gotten used to the disposability of a particular credit card number because the vendors bear the brunt of those types of fraud, so I think it has lowered their guard a little bit, but in the end, it is each individual's information that they're responsible for, and who can ultimately be damaged by that, so I think just controlling your small world, what you have impact over, and making it as secure as possible would help lift the entire posture.

Chris: Sounds great, and I think on that we're going to end today. Michel Huffaker, thank you very much for your insights today.

Michel: Absolutely. Thank you.

Chris: And thank you all for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page, just go to YouTube and type in Infosec Institute. Check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Please visit Infosecinstitute.com/cyberspeak for the full list of episodes. If you'd like to qualify for a free pair of headphones with a class signup, podcast listeners can also go to Infosecinstitute.com/podcast to learn more. And if you'd like to try our free security IQ package, which includes phishing simulators that you can use to fake phish and then educate your colleagues and friends in the way of security awareness, please visit Infosecinstitute.com/securityiq. Thanks once again to Michel Huffaker, and thank you all for watching and listening. We'll speak to you next week.