CrowdStrike’s first Fal.Con for Public Sector cybersecurity conference — held last week at the new International Spy Museum in Washington D.C. — brought together more than 140 cybersecurity professionals and experts from across federal, state and local public agencies, with many more accessing a livestream of the sessions.
Participants gathered for a day of in-depth discussions and compelling presentations by industry and public sector leaders, as well as panels of experts. They discussed the state of the current threat landscape, how it is impacting public sector entities, and how these organizations can increase their cybersecurity readiness.
The following are some highlights from the keynotes and sessions at the conference.
You can access all the session and keynote videos in one place by visiting the Fal.Con for Public Sector webpage, or access each video separately via the YouTube links below.
Countering Cyber Adversaries: Attack Trends and the Importance of Speed
CrowdStrike Co-Founder and CTO Dmitri Alperovitch opens his discussion by outlining the three generations of cyberattacks that he has observed over the years and how we are currently in the “age of destruction,” where the cyber world has crossed into the physical. Evidence of this can be seen in nation-state attacks against government agencies, public utilities and other entities. These attacks are designed to cause damage and disruption.
In his session, he advises that to successfully defend against these sophisticated attackers, both public and private sector organizations, though differing in many ways, must incorporate the same strategies into their security: continuous threat hunting, cloud-enabled technologies and speed as a priority. He also explains the following principles:
- Speed is of critical importance, as is knowing your adversary and how their “breakout times” differ (the amount of time it takes for an intruder to move laterally after compromising a machine).
- The 1-10-60 Rule (1 minute to detect, 10 minutes to investigate and 60 minutes to respond) represents the response times needed to defeat most of today’s adversaries.
He concludes with the advice that public sector agencies that can meet those criteria have a better chance of thwarting today’s innovative and sophisticated threats.
State of the Threat: A Global Intelligence Perspective
CrowdStrike Vice President of Intelligence Adam Meyers addresses attendees on what threats his team has observed targeting the public sector, and what could lie ahead. He also cites recent intelligence trends and why it’s so important for public sector organizations to operationalize threat intelligence, which can help them mount an effective and proactive defense.
He begins by advising that the first objective in assessing your adversary is to figure out whether the threat actor is working on behalf of a nation-state, eCrime organization or a hacktivist group. This reveals motive. He also rates various adversaries according to the strength of their intentions and capabilities. Some adversaries, such as Iran, have strong intentions — meaning a strong desire to engage in attacks — yet their capabilities are weaker. Others, such as eCrime actors, may have strong capabilities but their intentions aren’t as strong unless they stand to achieve substantial financial gain.
Big Game Hunting
Adam also discusses ransomware as a powerful trend. He says it has evolved from the mostly commodity-level attacks of 2016, which targeted large numbers of individual victims with lower ransom demands; today, adversaries have transitioned to targeting specific large enterprises and demanding much bigger ransoms — often in the hundreds of thousands of dollars. These attacks are known as “big game hunting.” He explains that big game hunting attacks don’t have to be complex — attackers are using means like commercially available penetration testing tools and “living off the land” techniques that leverage legitimate software tools already on the network. While this approach might take attackers some time to move laterally and break out of the environment, once they do, the losses can be substantial.
Adam covers the major big game hunting actors, including BOSS SPIDER, INDRIK SPIDER, GRIM SPIDER and PINCHY SPIDER, and also discusses some new eCrime tools his team has observed in use, such as the LockerGoga and RobbinHood ransomware families.
He cautions that nation-states such as North Korea are constantly improving their capabilities — finding new and innovative ways to thwart security. He notes that these groups will continue to target government agencies for financial gain, because getting their systems back up and running is of paramount concern, often making them more willing to pay a high ransom.
Strength in Numbers: Finding Private/Public Sector Synergy in Global Cyber Defense
President of CrowdStrike Services and CSO Shawn Henry opens his presentation by recounting his previous work with the FBI investigating terrorism, organized crime and financial fraud. He echoes Alperovitch’s concerns that the cyber world is much closer to the physical world than ever before.
He also addresses several factors that make cybersecurity particularly challenging for government agencies. These factors include: the sheer extent of government networks, which span multiple agencies and thousands of endpoints; the lack of communication and coordination between those agencies; the bureaucracy and transitional nature of the government workforce; and finally, the increasing innovation by adversaries targeting public sector networks.
Opportunities for Improvement
Shawn addresses the need for improvement and says that government entities can learn from the private sector. He emphasizes the OODA (observe, orient, decide, act) loop, a model that can be critical to any effective defense strategy, and reiterates the need for speed in response to threats. He also recommends specific steps federal, state and local agencies can take to improve their cybersecurity readiness:
- Create a culture that will enable people to stay — establish good compensation plans, build internal career paths and foster a sense of a mission.
- Have a comprehensive security plan in place; monitor your supply chain and train your workforce to ensure that the right people and capabilities are in place to prepare for and manage new technologies.
- Use intelligence: The private sector monitors indicators of compromise (IOCs) and indicators of attack (IOAs), and public sector organizations need to make sure they share those capabilities. Make sure your infrastructure allows this intelligence to come into your agency, and that you are able to use it.
Government Keynote: Rob Joyce of NSA
Senior Advisor for Cybersecurity Strategy to the Director of the National Security Agency (NSA) Rob Joyce opens his keynote by discussing the four trends the NSA is watching as they monitor the current threat landscape:
- High-end cyberthreat activity is getting more sophisticated: Adversaries are good, but they are getting even better and finding novel ways to exploit networks.
- The level of required expertise within the adversary ranks is decreasing: As new and sophisticated exploitation tools developed by high-end actors are pushed out and propagated — less skilled threat actors are able to adopt them successfully.
- Cyberattacks are moving toward disruption. The objective of many attacks is now to disrupt and take systems down, and the physical world is increasingly being affected by cyber world activities. He points out the increase in attacks against SCADA (supervisory control and data acquisition) systems, which are used in sectors including telecommunications, water and waste control, energy, oil and gas refining, and transportation.
- Cyber intrusions are leveraging data — leaking and exposing it — which creates doubt and disruption. He cites the disruptive influences at play in the 2016 election as an example.
Rob’s recommendations for how public sector agencies can better defend themselves in light of these trends include:
- Know your network: “You can’t defend what you can’t see.” He recommends that security professionals learn the paths and protocols on their networks and have the ability to assess what “normal” looks like.
- Figure out how to disrupt the chain of events in an attack: Use the MITRE ATT&CK™ Framework and learn where in the chain you can stop an attack. He also reiterates that speed matters.
- Organizations need to have a disaster recovery plan that spells out the steps to take should a cyberattack occur.
- Embrace the cloud and have team members who are skilled in cloud technology.
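To make the “know your network” recommendation concrete, here is an added example (not code from CrowdStrike, the NSA or any speaker) of the most basic form of assessing what “normal” looks like: learn the set of paths (source host, destination host, port, protocol) seen during a known-good window, then flag later flow records that use a path never seen before. The flow-record line format and the host names are constructed for this illustration; real flow logs (NetFlow, firewall or EDR network telemetry) would need their own parser.

```python
"""Baseline "normal" network paths from flow records and flag deviations.

Added illustration, not CrowdStrike's or the NSA's code. The record format
and the host names below are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# A path is (source host, destination host, destination port, protocol).
Path = Tuple[str, str, int, str]

# Constructed baseline window: traffic observed while the network was known-good.
BASELINE_RECORDS = [
    "2019-06-10T09:00:01 src=web01 dst=db01 dport=5432 proto=tcp",
    "2019-06-10T09:00:05 src=web01 dst=db01 dport=5432 proto=tcp",
    "2019-06-10T09:01:10 src=web01 dst=dns01 dport=53 proto=udp",
    "2019-06-10T09:02:00 src=app01 dst=db01 dport=5432 proto=tcp",
    "2019-06-10T09:02:30 src=app01 dst=dns01 dport=53 proto=udp",
    "2019-06-10T09:03:00 src=ws-finance-07 dst=fileshare dport=445 proto=tcp",
]

# Constructed records from a later window, including two paths never seen before:
# a web server reaching into a workstation over SMB, and that workstation
# connecting directly to the database.
NEW_RECORDS = [
    "2019-06-13T14:00:01 src=web01 dst=db01 dport=5432 proto=tcp",
    "2019-06-13T14:00:07 src=ws-finance-07 dst=fileshare dport=445 proto=tcp",
    "2019-06-13T14:01:00 src=web01 dst=ws-finance-07 dport=445 proto=tcp",
    "2019-06-13T14:01:30 src=ws-finance-07 dst=db01 dport=5432 proto=tcp",
    "2019-06-13T14:02:00 src=app01 dst=dns01 dport=53 proto=udp",
]


def parse_record(line: str) -> Tuple[str, Path]:
    """Parse one 'timestamp key=value ...' line into (timestamp, path)."""
    timestamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    path = (kv["src"], kv["dst"], int(kv["dport"]), kv["proto"].lower())
    return timestamp, path


def build_baseline(records: Iterable[str], min_count: int = 1) -> Set[Path]:
    """Return the paths seen at least min_count times in the baseline window.

    Raising min_count drops one-off paths from the baseline so that a rare
    connection during the learning window does not become "normal" forever.
    """
    counts: Dict[Path, int] = defaultdict(int)
    for line in records:
        _, path = parse_record(line)
        counts[path] += 1
    return {path for path, n in counts.items() if n >= min_count}


def find_deviations(records: Iterable[str], baseline: Set[Path]) -> List[Tuple[str, Path]]:
    """Return (timestamp, path) for every record whose path is not in the baseline."""
    deviations: List[Tuple[str, Path]] = []
    for line in records:
        timestamp, path = parse_record(line)
        if path not in baseline:
            deviations.append((timestamp, path))
    return deviations


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_RECORDS)
    for ts, (src, dst, port, proto) in find_deviations(NEW_RECORDS, baseline):
        print(f"{ts} new path: {src} -> {dst}:{port}/{proto}")
```

Run as-is, the script reports the two unseen paths and stays quiet about the three that match the baseline. The interesting design decision is the learning window: it has to be long enough to capture legitimate but infrequent paths (backups, month-end jobs), and it has to be known-good, since any lateral movement already present while the baseline is built is learned as normal.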
Other Fal.Con for Public Sector Sessions
Protecting the People: NYC Cyber Command’s Mission to Defend
Geoff Brown, Head of New York City Cyber Command
- Max Everett, Chief Information Officer, U.S. Department of Energy
- Michael Witt, Chief Information Security Officer, National Aeronautics and Space Administration (NASA)
- Jerry Dixon, Chief Information Security Officer, CrowdStrike
- Moderated by: David Blankenhorn, Chief Technology Officer, DLT
- Erin Joe, Director, Cyber Threat Intelligence Integration Center, Office of the Director of National Intelligence
- Quiessence Phillips, Deputy CISO, NYC Cyber Command
- Ann Barron-DiCamillo, Vice President, Technology, American Express Company
- Charles Seel, Chief, Cyber Threat Analysis Division, Bureau of Diplomatic Security, Department of State
- Moderator: Jeremy Bash, Founder & Managing Director, Beacon Global Strategies LLC
- Find links to all the presentations on this webpage: Fal.Con for Public Sector 2019: State of the Threat and New Defense Strategies.
- Learn more about CrowdStrike public sector solutions by visiting the public sector webpage.
- Learn about improving your organization’s cyber defenses by visiting the CrowdStrike Falcon product page.
- Get a full-featured free trial of CrowdStrike Falcon Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.