Establishing cyber policy requires understanding how cyberattacks can take shape in multiple layers of an organization. A data breach can be more than a data breach if the data is used to create social profiles of targeted individuals—with that information then further enhanced by deep penetration of networks and devices. Robert Huber, who has spent more than 20 years in cybersecurity, offers insights into how such multi-layered cyberattacks occur and what can be done to prevent them.
Hugh Taylor: Tell us a little bit about yourself and your background for the work you do.
Robert Huber: I’ve been with Eastwind for almost two years. I’m the chief security and strategy officer. I essentially develop go-to-market strategy, product direction, sales support and ensure the security of the organization. Prior to that, I have about 20 years of what I like to call operational cyber security experience. Primarily on the security operations side of the equation, everything from intrusion detection to penetration testing to building out security operations centers and leading large teams. I also worked for a National Laboratory, focusing on industrial control, SCADA and critical infrastructure and am an active member of a Cyber Operations Squadron supporting the DoD.
Eastwind provides a solution that monitors an organization’s digital footprint for breaches. Our solution provides coverage of the Cloud, traditional networks, hybrid networks and a mobile workforce. This is essential as organizations adopt a cloud-first strategy. Most users now have direct access to SaaS Applications such as Office 365, Google’s G-Suite, Dropbox, etc. With the ability to access that from anyplace (home, coffee shop), you’re not going through your traditional networks and the monitoring systems that would normally provide detection and protection. That creates an attack surface that you have no visibility into.
To close that gap, we provide visibility into your entire digital footprint, regardless of where the user or data resides. We collect telemetry from all of those environments, looking for things such as cyberthreats, data leakage, attempted breaches or actual breaches. We present that to the security team as an alert for analysis to determine whether they actually were compromised or if there’s any type of data leakage or cyberthreat.
Hugh Taylor: Are you also monitoring for exfiltration of data?
Robert Huber: We do. That’s a little bit more difficult because of encrypted communication channels. We look for events like unusual file uploads, unusual file downloads, cleartext communications and anomalous access. Let’s say you only work 9-5 Monday through Friday. That, in effect, is your normal behavior. If you start to access the system outside of your normal behavior, we will identify that anomalous activity. That includes your location. If you start accessing the system from locations you’re not normally in, let’s say you connect in from someplace overseas, and we’ve never seen that before, we’d alert, noting ‘unusual access by this user from this location’. We also look for events such as massive file uploads. So let’s say you post a ton of data out to Dropbox or some sharing site, we will identify those events as well. Or even massive file downloads, which may indicate somebody’s trying to get information outside the organization or an unrestricted open share.
Hugh Taylor: Sounds like a very useful service. So let me just change channels a little bit here. How familiar are you with the idea of firmware-based threats?
Robert Huber: I am. As somebody that used to actually look at critical infrastructure components, that was one of the targets that we would actually go after as a part of attacks. Even in general computing, it is also a valid target—much more difficult to defend against and much more difficult to detect.
Hugh Taylor: Why are firmware threats difficult to detect?
Robert Huber: They don’t occur very frequently. And usually for those types of attacks, it sometimes requires physical access to conduct those attacks. When the firmware updates come across the network it’s very difficult for any type of security technology to peer into the update and determine whether that’s good firmware or bad firmware. A lot of security software runs on top of the firmware layer. If you have an issue there, or some type of malicious code inserted, it’s very difficult to detect because your security software runs on top of that.
Hugh Taylor: Do you feel that mobile devices made in foreign countries are potential vectors of attack?
Robert Huber: Absolutely. We’re talking like supply chain, right?
Hugh Taylor: Right.
Robert Huber: So, whether it’s the actual device itself, or whether it’s components inside the device, all are valid means of attack. That could be something in the chip, or some type of other component in the device, it’s an absolutely valid means of attack. Most organizations will try to enforce cyber security along the supply chain, requesting that the vendor meets minimal security standards. That may require code reviews or code audits as we call them, to look at the actual code itself. This could include everything from penetration and vulnerability tests to ensuring that the code’s not been modified between the ship point and when you receive it (integrity).
Hugh Taylor: Did you hear about this Strava fitness tracking device that accidentally exposed the location of US military personnel?
Robert Huber: There are plenty of avenues to gather useful information like that which people just haven’t thought about. Whether it’s fitness watches, or applications that people use to track their locations and information, that becomes more and more of a target, especially when you consider most organizations do have a bring your own device policy in place that allows users to use their cell phones or have Bluetooth-capable watches. The general public has the same risk as the military.
Of course the military environment is much more sensitive. In the military you can carry your cell phone to most locations, obviously in secure locations you can’t. There are all kinds of applications that will ask ‘can we track your location in the background? Can we send data to other users?’ These applications create all kinds of risk exposures, not just for military personnel, but the average user as well.
Hugh Taylor: I’m asking about the military just because it seems like that’s like a National Security issue. I mean obviously it’s a privacy issue for most regular people, but you know, if you have equipment that’s manufactured by a strategic adversary that can track the location of your troops and then maybe even know who’s who and … it seems very alarming to me that that’s possible.
Robert Huber: Yes, absolutely, especially if that adversary is looking to target specific individuals within an organization in the military. It’s fairly trivial to conduct open source research to—whether it’s via Facebook or Strava or some other application—locate that user and then use that to track their location and activity as a part of that application.
Hugh Taylor: There’s a theory that the breach of the Federal Office of Personnel Management was intended to be able to map who was who in the federal government. Then, if they could correlate that to locations, you start to have a lot of intelligence about what the US Government is doing.
Robert Huber: It is certainly useful context for the adversary. If your organization is concerned about that type of threat, you can start conducting counter-intelligence and open source research and fingerprinting of critical personnel in your organization to try and understand what their public profiles look like across different applications and media. You can usually use that to track down and identify who else they interact with, what locations they go to. That’s a very common avenue of attack, not only the US Military, but adversaries as well.
It’s opened up the world of cyber targeting. Traditionally, we refer to human intelligence as “eyes on target.” Now we can track them through the Internet with little risk or resources required.