Richard Ford, Chief Technology Officer at Praetorian joins Tech Transforms to talk about the cyber security threat landscape. Red team versus Blue team is a common and effective threat protection practice, but what could cyber security experts gain from team Purple? Listen in as Carolyn and Mark learn about the importance of managing your attack surface, implementing multi-factor authentication, and protecting against cyber phishing attacks.
Carolyn: So today our guest is actually an old friend, Richard Ford, who is Chief Technology Officer at Praetorian. For over 25 years, Richard has been able to design and implement NextGen product strategies and provide customers with the best threat detection available. Today, we're going to talk to Richard about the cyber threat landscape and what a good defense looks like.
Richard: Hi, it's nice to be back on a call with you Carolyn, and Mark, it's good to see you.
Carolyn: Yes, really good to have you today. So let's just jump right in. I want to know what your view is, what are our biggest cybersecurity threats? What does the cyber security threat landscape look like and how do we defend ourselves from it? So there's like three-part question there.
Richard: So, we're starting with an easy question. I think the threat landscape is incredibly messy and I think that the most important part to think about is change. So if you think about just the last quarter or two that we've gone through you had, like log4shell someone we're all running around looking for log4j vulnerabilities. Then it's Spring4Shell, which wasn't as serious, but was still pretty nasty if you were impacted.
The problem, we have this tremendous rate of change so the thing that was important to you yesterday may not be the thing that's important to you today. It's unlikely to be the thing that's most important for you tomorrow. So when we think about the threat landscape, the first thing to say is, if I give you an answer, it's like looking at a single, still image from a movie and telling you've watched the movie, right?
Richard: Then as soon as we go click, you know that threat landscape will change. With that said, I do think there are some common themes that keep coming back, right? So there's a threat we have around being desperately short of people. There's a threat around, we don't know what assets we have. Even if we did know what assets we have, we don't know what they're running.
Then the business conditions are driving us forward so quickly that it's difficult to keep security on the front burner. It sometimes drops to the back burner so we don't think about security as much. Perhaps, as how do I meet these business objectives that we have. I think this has created this sort of very unpleasant, perfect storm that will keep us well on our toes. I don't know, for the next couple of decades, it feels like.
Carolyn: So when you say that we're constantly moving forward, changing, at the same time, I mean, are we still dealing with like SolarWinds? So as we're having to look to the future, we're still dealing with all the shit that's happened even a year, two years ago. Is that true, or like, are we good? We took care of it?
Richard: No, it's definitely correct right, so all vulnerabilities never really go away. So you have all those things sort of trailing behind you like the comet has a tail, and new stuff coming at you.
I think to be a successful CISO or to operate the business successfully, what you need to be really good at is prioritization. So it's about dealing with what is the biggest risk for you right now.
Richard: And I think that leads us to a very important point that we talk about cyber threat landscape. But it's different depending on who you are and what you do. So the biggest risk, for example, for government might be very different than critical infrastructure, might be very different for sort of mom and pop SME that's sort of operating the corner store. Each one of these has a different threat landscape that they live in, different risks and different risks to the business.
Not only that, but yes, this is all additive. So we still see scams for all vulnerabilities as we look at our threat intel. I remember going back a few years, there were viruses that used to trigger on certain days of the month or certain months of the year. For years afterwards, you would see these viruses fire up and start scanning things. Which means that there were still people out there who were still infected, which is just stunning to me.
Carolyn: Ah, the good old days when we knew the day that it was going to happen, the day of the month it was going to happen.
Richard: Yes exactly. I still remember the old Michelangelo virus, right? When it was like a trigger day was coming and everyone was counting down to what would happen on Michelangelo day. But I guess that just shows my age or perhaps the more positive spin is my longevity in the industry.
Carolyn: Your experience.
Mark: So speaking of experience, Richard, you have an interesting background. Because you have experience in both the offensive cybersecurity landscape and the defensive cybersecurity landscape. So can you talk a little bit about how your experience working on the offensive side has impacted or affected your approach to the defensive cybersecurity landscape?
Richard: Yes, so I think the offensive and defensive sides that are so intimately related, it's like thinking about two sides of a piece of paper. They're really one, you can't peel one side off a piece of paper, at least not very effectively.
So I think that to play a good defense, you have to have mastered offense.
I think we were chatting earlier, as we thought this through and we were talking about chess. It would be like me saying I was a chess master, but I can only play the white side of the board. I'm not very good at playing black or I'm a master at black. I'm not really very good with my white opening systems.
You have to be good at both to really be rounded out. I use chess as an analogy because it's an adversarial game and that's exactly the sort of wrestling around we do in the attacker space. So I don't think you can truly be good at defense without understanding the ways of the attacker.
I don't think you can be a great attacker without having a good understanding of the pain that your attacks cause to defenders. Because there are things I can do as the attacker that make certain defenses untenable, even if they're effective. In the sense that they stop me from getting in, but I can make it so it's really hard to use. Maybe I make it noisy for you.
Mark: Well, is it easier to play offense or is it easier to play defense?
Richard: Oh, that's definitely an easy question. Yes. So I'll say that I've never really lost playing offense. I'm sad to say that playing defender is much harder and we can talk about why, but it's definitely easier to be on the offensive side.
Carolyn: Let's talk about why.
Richard: Well, I mean, step one, it's more fun, right? Who doesn't like going on the offense. It's that adrenaline rush when you sort of manage to get your exploit past some of these defenses. But I think the other thing is that if you're a business, you have this very large attack surface, right? And all of it has to be secure and it has to be secure all the time.
So if you think about a pen test, a pen test might tell you that your attack surface at 7:55 PM on a Tuesday in April is perfect right? Can't get it. But an administrator spins up a box for testing or you miss patching something because a new vulnerability came out at 8:00 PM and suddenly you're vulnerable again.
So as an attacker, I'm pretty good at finding vulnerabilities today. But if I don't find a vulnerability today and it gets me into your system. I'll wait till tomorrow and I'll nail your system tomorrow. You have to be good 365 days a year, 24 hours a day. I have to be good once and I can just wait for you to slip up.
Mark: Do you guys do this in your current role? Do you play these games? You know, red team, blue team kind of thing?
Richard: Yes, we absolutely do. Praetorian is a company, it’s a mix of product offering and services offerings. Our services offerings, we absolutely do red and blue teaming with some pretty large customers. One of the things that people don't take advantage of enough is a purple team, right? Which makes it less adversarial. So the thing with the red team is we're coming in, we're going to root your network. That's fun and there is value for the customer. But it's very adversarial. You're trying to catch me, I'm trying to wear.
What's really fun is a purple team where we're working on both sides of the line. We're working with the blue team to see if we can see it. And we're working as a red team to see if we can get it and that's a little bit more of a collaborative game.
So there's a lot of opportunity for knowledge transfer and learning to our customers. It's not just about, can we get in? Because we pretty much always do, it's about did you see it? And how can you improve your defenses so that when you're breached that way next time, you do better?
I think purple teams are actually underutilized in the industry. They do move away from this adversarial game to more of a collaborative game. I think they're more fun in some ways, too, and they have better business value.
Carolyn: Would you say that the purple team is where your own employees would fall? Like you've got your unintentional insider. You've got your admin that spins up some server that you didn't even know was coming and creates this vulnerability. So is that like, just as you're describing, I haven't heard the term purple team.
Carolyn: But as you were talking about it, it made me think that's where we live as employees. Is that a fair statement?
Richard: Kind of. I mean, I think there's a lot of unintentional harm that we do as employees. A lot of well-intentioned moves lead to security risks. But a purple team is sort of when you blend, obviously, from the name. A red team where you've got a group of people who's trying to get in. Blue team, a group of people who's trying to stop you from getting in where you blend those. So it's more about, did you see the attack? It's about improving the defenses and the resilience of the system. As much as it is about breaching the system.
Mark: So, Richard, you've seen this kind of play out across government agencies and commercial industry. Who's better at it? Commercial or government?
Richard: So I think it's really hard to lump any large group of people into buckets, right?
Mark: He just went right down the middle. He went purple.
Richard: Yes. I mean, I think they have very different challenges for a start, right? But I think businesses range from really very, very good to really very, very bad . There are some targets that come across our radar when we're on the offensive side of the world where we're like, oh, that's a really hard target. These folks really know their onions, they really know what they're doing. We're going to have to pull out our A-game to find a win. There are other companies where it's like shooting fish in a barrel where the barrel is big and only contains fish.
Richard: Now the government is different. The government, especially when we're talking about the federal government, it's shocking to say this, it's a little bit more organized. Because there are certain standards that they're required to adhere to. So there's more sort of governance.
Now, there are still different levels within the government and especially when you get into state government and sort of governmental agencies that have complicated missions, NASA would be a good one if we want to chat about that because they have some very interesting mission requirements.
But I'd say, in some ways, the government is a little bit more homogenous than the top end. Some of our intelligence agencies, they have pretty solid security. The fact that you can legislate and you can enforce does make some of that a little bit easier. The flip side is that it's very difficult for the government to compete on salary with a top salary in an industry. So there's a sort of constant sucking sound from the business side of the house pulling top talent away from the government. So they definitely have challenges around staffing.
Mark: Well, you talked about staffing, this is the, like the second time you brought up people. As a challenge, can you talk a little bit about that? What you've seen, how maybe it can be addressed or how you've done that in the past?
Richard: Let's define the problem. Cybersecurity people are really expensive and they're hard to come by and they're hard to retain. If I was a mercenary, I could flip my job every 12 months and probably have a very nice raise sort of built into my paycheck and that's a problem.
Richard: There are only two ways to solve for that. You either need to get more people or you need to use technology to get better productivity out of the people that you have. The right thing to do of course, is both. You need to take that sort of left-hand and that right-hand approach. I think there's some interesting things that we can do in both that will dramatically improve the outcomes that we have as an industry.
Carolyn: Going back to being a defender. You know me, Richard, I like you to just tell me like how we fix this. So give me the McDonald's version, like top three things that government, industry can do for some quick wins as defenders.
Richard: So I think that it all starts the really honest assessment of where you are in your maturity. So there's no one size fits all. Especially in the business world, there are small companies who don't have endpoint protection. Or they're not following anything that's remotely like best practice with understanding even where they are. They haven't even asked the question of what is my cyber maturity?
So I think all these discussions start with a good measure of where are you on that curve because where you are defines what you should do. With that said, I think that most businesses get breached because of software rot. That's something that's hanging out there and it's unpatched and you don't even know you have it.
So managing your attack surface is incredibly important. I think moving to things like single sign-on and multifactor is incredibly important. And I think having a robust set of defenses around phishing, which is the sort of easiest, common way here.
Carolyn: Still number one way, right?
Carolyn: Like still today. It is the number one way.
Richard: Yes. I mean, because people are people and computers can be quite difficult to break. But getting somebody to send me 500 Steam gift cards because I texted them can be quite easy, right? Especially if you take your time in target selection. From a mathematical standpoint, if you think about it like a game, there's no cost of predation. If I text every one of your employees say, "Hey, this is Nathan, the CEO, can you call me back? I want you to buy some gift cards for surprise for accounting" and boy will accounting be surprised. You know, all it takes is one person to go, "Oh, it's the CEO. I'm so excited about that."
Carolyn: Yes, no, I just had this conversation with my mom this morning. I said, "Mom, there are people praying on our need to help with Ukraine right now. You're going to get asked for money from people who are bad people and who are stealing it and are not. But we're in this state of emergency right now where we all feel like we need to help. So we forget this good hygiene of don't respond to that."
Richard: Yes, exactly. So that's why I would say things like single sign-on a multifactor go hand in hand with phishing because they can reduce some of the risks of being successful.
Carolyn: Okay, but help me with single sign-on. Again, like I know it's good but if all my passwords are in one place, if they hack the single sign-on, then I'm really screwed. So tell me why it's more secure?
Richard: So, as I like to remind customers, one ring to rule them all did not work out very well for Sauron in Lord of the Rings, right? So yes, you have a single point, that's scary. And if we wind back to the news cycle, we just had a little bit of an Okta scare. Which was a really interesting story. I mean, it was a third-party issue, it wasn't core Okta, but it was still pretty scary. It made people think a lot about the value of single sign-on. But what you're doing is you're trading one set of risks for another set of risks, right?
So the question is, if you don't have single sign-on, you probably have either password reuse run rampant. Or you have people getting breached because they gave up their username and passwords, they're not using multifactor. So in the sign-on, yes, you're putting your eggs in one basket, but then you need to watch that basket really carefully.
Carolyn: Oh, the multi-factor thing. That's key, right?
Richard: Yes. Multifactor is really important nowadays. I mean, we've all been sort of speculating about the death of the password for years. One day that prediction in a threat report's going to come true. Or we're finally going to get rid of usernames and passwords and do something that's a little bit more sophisticated. But the reality is, I think, we're stuck with it for a while, but yes, multifactor is a way to buy down risk around account breach.