Customer Spotlight: Identity Under Attack

Transcript

Speaker 1: Without further ado, I'd like to introduce Jeff Klaben and Surbhi Tugnawat from SRI International. Welcome.

Jeff Klaben: Thank you. Well, good morning. Regarding forward-looking statements, you bet that's right, we're going to be talking about the future. We're also going to talk a little bit about where we work. SRI International is the genesis of a lot of the tech that we're working with today, dating back to things like ARPANET. So, you may not see the SRI brand very often, but it's certainly behind the scenes on the technology that influences our lives. Here's just one quick example, a video of something interesting we're working on in partnership with Yamaha.

Video: Today, we're at Alameda, just outside San Francisco. We've been making a robot ride a motorbike. Moving forward, we're going to be racing Valentino Rossi.

Jeff Klaben: I'll be showing the next video at the Gartner Security Summit in case you wonder how that turns out. So, just some quick background, SRI International has been around since 1946. Surbhi and I are part of the information security team and also work with clients on innovating in a number of different areas. So, the Yamaha partnership is symbolic of some of the things we do with client partnerships. Building that robot was not about creating an army of autonomous motorcycle racers, but it is a way to advance Yamaha's agenda of helping make riders safer, right. Having a robot like that can help them push the limits on some of their testing. And so, it's part of why SRI exists as well, and we're a nonprofit dedicated to making the people, the world, healthier, safer, and more productive repeatedly. So, we cover a lot of different technology areas in cybersecurity, a great deal of groundbreaking work from the origins of the internet itself to intrusion detection and artificial intelligence. We work with educational institutions to create more effective training curricula. We have the contract with DARPA now for the internet of battlefield things. So, more than I can talk about in a several-day conference, but feel free to check out our website about some of the amazing research we do. ARPANET was the origin of the internet. We were the recipient of the first transmission from Southern California.

Surbhi Tugnawat: Jeff, last night, I was telling somebody the story and I think it's worth sharing with the group here. I joined SRI two years ago and the week I joined, we were celebrating our 70th birthday. There was a lot of excitement in the institute. There were old hands, and our president, our CEO, actually, Bill Jeffrey, he asked the crowd, "If you have been with SRI for 55 years or more, please stand up." I was like, "What?" I turned back and saw two people stand up. That was something. Then he said 50 years or more. Five more people stood up. Then he kept going on, and on, and on down to 20 years. I was wondering, this is an institute with that deep expertise in it. It's one of my favorite stories. When people ask me how work is, I usually tell them this. It's a great place to work because there are people with expertise.

Jeff Klaben: The majority of our staff have advanced degrees. It does make an interesting task for security practitioners. We have pretty intelligent explanations of all of our strategy. We also have an amazing pipeline of spin-out companies. So you saw Siri, but three to four companies a year we're pushing out, which have a much higher success rate. These spin-outs are symbolic of a process. Has anyone read Clayton Christensen's The Innovator's Dilemma? Right, great book on how you create sustainable innovation. It's really, really hard. You can do basic research, but then how do you translate that into products that we use every day? And so, that's part of the discipline we have. That eventually ends up in some of the products that we touch, right? So the work on DARPA many years ago is now something that keeps us connected all the time, and that continues. So, we get through this valley of death with a systematic approach to innovation. Next one. Right. So, I get to plug the theme here. If anyone's going to talk about going beyond or seeing beyond, this is how it really happens, right. If you want to envision the future, there's a systematic approach to innovation. And so, we do that by partnering with client organizations. We protect their data. We protect their systems, and that includes things like the Department of Homeland Security's advanced R&D cybersecurity program. More. So, what's the talk about today? I teach graduate courses at Santa Clara University. I try to take these complex ideas and boil them down to something accessible to very bright students who just don't have the background yet. And so, what we do is use different models to influence and shape how people think. And so, here, we're combining a couple of different models. So the green side, that's the philosophy. We know blue, right? That's the defender's position. So blue here is from the architectural perspective but also the project management discipline, right?
How do we influence the way that we build systems as they roll out? And then in contrast to the adversary, the red team, right, the cyber kill chain concept, so we thought it'd be interesting to try to mesh all of these together in a new way, and really the secret agenda is this is about an intervention. Just like I teach these students and I try to teach the students how to speak between the engineering program, and the business school, and the law school, we need to intervene in how we roll out security solutions.

So, while preparing for this conversation, we talked to Rod Morimoto. He's been at SRI for more than 30 years. He's the ultimate engineer and system administrator. It started with his feedback on how this would be a great presentation for you. We do care about that. We'll touch again on Rod's philosophy, but we also have another philosopher here. Surbhi, who's the guy in the sunglasses?

Surbhi Tugnawat: That's you. I'm just kidding. This is Sun Tzu. He's a military strategist from 500 BC. He wrote The Art of War. We saw that his ideas, his philosophy, are very relevant in cyber warfare as well. So you will see Sun Tzu's quotes throughout our presentation. We'll continue to quote him here. For example, this one, "Victory usually goes to the army who has better trained officers and women." So, in the context of cyber warfare, I think in addition to trained staff, knowledgeable staff, it's really important to have planning, preparedness, and the right toolset. We'll focus on planning and preparedness in the later part of our presentation, but let's first talk about the right toolset. Here is an architectural framework that Bill put up. This is how we think of identity and access management.

So the heart of this framework is a centralized repository. I think I'm preaching to the choir here, but really, a central repository, what will it give us? Maybe single sign-on, stricter password controls, and self-service password management. Based on my experience, giving users the ability to change their password from anywhere and not needing to go on VPN at the time of an incident is instrumental. But, of course, technology like this needs to be protected with strong authentication, MFA, so you can prevent brute force, denial-of-service attacks. In addition to authentication is authorization, so that you can put tighter access controls in place, automate your access controls, and get visibility into who has access to apps. And to top it off is privileged access management, something that can rotate the password for your elevated users, something that can give you strong authentication for your elevated access, also visibility so that you can feed the data into your SIEM system or other logging and monitoring system.

We think that the controls offered by this basic IAM stack can significantly reduce your attack surface, maybe by reducing the human error component and also by emphasizing the least privilege principle. So speaking of attack surface, oh yes.

Jeff Klaben: Great. Next line. Surbhi and I together have more decades than we care to share of experience working with many dozens of organizations, high tech, biotech, financial, et cetera. So, we'll talk about our collective experience. I don't want to talk about one particular incident or attack, but we recognize that we're all under attack all the time. I think we can agree on that premise. It's easy enough if you just pull your log data and study it for a moment. So, if we take the cyber kill chain, which is an excellent framework provided by Lockheed Martin, we can understand the adversary's behavior. I believe now more than ever, understanding their behavior so we can better predict it has become important. It's not just about knowing the vulnerabilities and patching them. It's first about understanding their reconnaissance motivations.

So when I teach my students, this is the first assignment. I have them do recon on a university, on an organization they work with, collect the low-down. I've probably helped to make Santa Clara's CISO Rian Aldridge a bit famous because he keeps coming up over and over again, but you're not just enumerating technical vulnerabilities but the organizational structure. You figure out what vulnerabilities exist and what could be exploited, and you weaponize it. And then you've got some type of attack model to work from. And then we figure out how to deliver that, how to insert it into the organization, and that could be through a watering hole type of attack. It could be through leaving USB drives sitting around as in the Stuxnet attack, for example, but we're actually delivering some type of weaponized payload.

And then we move on to actually start burning the environment. We exploit things, but we might be very systematic as an attacker in exploiting and taking advantage of these weapons we built. It might not even be a zero-day, just something that is under the radar screen. And then we want to get a foothold, we want to have some ability to dwell, that dwell time like with the Equifax attack where the install is there for more than two months before they started actively exfiltrating data. And then we have a command and control mechanism. This is a very systematic, regimented approach where you have persistent access to the environment. And then, finally, go in for the kill. You may actually not do it in one big, bold move, you might just suck data out for 10 years or more as organizations have experienced. But understanding this basic attack methodology is critical to us planning more effectively and trying to avoid the fight or the exfil before it happens.

So, the characteristics of the attacker and, frankly, now as practitioners, we're all on the front line, right? There's a war going on, and we're in it, and we're in the middle of it. And so, these characteristics are interesting because they help us understand our adversary a little bit better. So, we've got attacks like Dragonfly and now, circa 2015, Dragonfly 2.0, which Symantec has written about extensively. That is really the Eastern Europeans infiltrating US critical infrastructure and the power grid. I thought for dramatic effect about just shutting all the lights off in here, but maybe my European friends can do that for us, but that literally could happen at any time, right? We've also got the Deep Panda group, and this graphic in the center was courtesy of Brian Krebs, who was an excellent speaker at Oktane in the past.

And so, they've stood up this Terracotta VPN army of thousands of endpoints that are ready to attack you. It's worth understanding more about what's out there because that's how we can intervene and build our defenses more effectively, hopefully, earlier on. This evasive technology, this evasive approach, is exemplified in Deep Panda, who was also the culprit behind the Office of Personnel Management breach. And so, hiding that traffic flow through normal VPN streams makes it very difficult to detect. Sometimes we're going to need better intelligence, better machine learning, for example, to be able to detect these mechanisms.

Surbhi Tugnawat: Actually, if I could chime in here. So, it says low-tech phishing attempts. There's an organization, if you would remember, that we are aware of that implemented MFA, and incidentally, they did Okta MFA. If I remember it right, they did Okta Push, Okta Verify, YubiKey. It was a great campaign from where I can see. Users were trained, communications were sent out, the registration period was fine. I think it went smoothly, but then what went wrong? A user receives a corporate email saying, "You have to re-register your factor. Click on the link here."

Of course, the user clicked on the link, provided all the information along with the network credentials. They clicked submit. They received a phone call with the second factor, and the user thankfully realized, "Wait a minute, nobody talked about a phone-based second factor." Thank God that he escalated the phishing attempt. Imagine if 50 more users had clicked on that same link. So, yes, there are multi-vector, very targeted, high-tech attacks, but there are other low-tech phishing attempts as well that we have to be careful about.

Jeff Klaben: The attacker is real, and they will go to the extent of registering domain names that look so similar to yours that the user, even with diligent training, may see Okta dot whatever and still fall for it. There's some point where they let their guard down. And so, that's getting more sophisticated. The attacker, your adversary, is going to target your security systems, every system as it's deployed, as you're unboxing it and plugging it in. I don't think we've been thinking that way until now, and being a little bit more resilient up front in how we plan these things, I think, can provide for better defense. So, if we study game theory, there's this concept of adaptive versus predictive expectations. I imagine it's tough in Las Vegas to be ready for the rain because our adaptive expectations are it was sunny today, it'll be sunny tomorrow.

Right? Fortunately, there are weather forecasters who can predict the future, and they can use different sources of information, but this foundation of game theory, and the idea that adaptive expectations are not good enough, that we want to predict what's going to happen and how the attack methodologies are going to evolve, has become a bigger burden, and I think has become more critical to our effective defenses.

There are other elements here, of critical thinking, that are important. So if you want to understand game theory, Bertrand Russell is a great place to start. We talk about critical thinking and understanding at a deeper level how to make these decisions and trade-offs. At the RSA conference last month, I led a two-hour learning lab. For the first time ever, we talked about cyber security ethical decision making. Ethics is more than just, is it right or wrong? There are systematic frameworks, so we can apply critical thinking skills, and take into account different stakeholders' considerations, and these ethical trade-offs are all becoming relevant to how we design systems.

For example, Facebook. Right? Understanding these frameworks, and how we can apply critical thinking skills, but a lot of it starts with adaptive versus predictive, and figuring out how we can anticipate and take the intelligence we have, and part of it is being part of a community. Congratulations on being here, but make sure that you're meeting your colleagues that you can trade notes with. How have you been attacked and what are you most concerned about?

Surbhi Tugnawat: All right. Speaking of predictive attacks, I think it's helpful to understand who our adversaries are, and who we are. What are our strengths and weaknesses? It's very consistent with Sun Tzu's philosophy. He said, "If you know your enemies, and you know yourself, you will not be imperiled in a hundred battles."

To understand our adversary, we looked at Verizon's data breach report that came out a few weeks ago. According to that report, 73% of attackers are outsiders. That number is not very surprising, you know. Since 2015, this number has been consistently increasing. What is interesting is, 50% of the breaches were carried out by organized crime groups.

I have a tale from the trenches here. In March, the FBI issued a flash. They mentioned that there is an Iran-based organized crime group called the Mabna Institute, which is broadly targeting US universities with password spray attacks. The FBI indicted nine people for those attacks, and they mentioned that these universities did not have MFA, had weak perimeter controls, had very big password controls. The Verizon report also said that 40% of the breaches featured hacking. When I say hacking, I mean unauthorized intrusion into your computer or network. 20% of those hacks involved stolen credentials. 12% involved privilege misuse. Yes, identity is under attack.

We also looked at a survey conducted by the Ponemon Institute. They tried to identify breach patterns, attack patterns by industry, and also tried to understand the common weaknesses by industry. As we were preparing for this presentation, we asked Okta about their participation, and they mentioned that healthcare and education are a few of the top participants this year at Oktane. We got those examples from Ponemon's survey.

According to the survey, the education industry has constantly been hit with hacking attempts. That's primarily because of a lack of security awareness and a lack of a response plan. Similarly, healthcare is first in privilege misuse, errors, theft, and no prize for guessing, that's because of FICA access controls.

The same survey identified common issues across all industries, okay? Again, no prize for guessing. Human error tops the list. Human error could be anything, that user clicking on the phishing email, or somebody just giving out their password after one too many drinks over the poker table, yes? It could be just a misconfiguration. Remember Verizon last year, 40 million customers' data got exposed due to a server misconfiguration by a vendor.

The second on the list, drumroll? Okay, thank you. Lack of planning. No, it's not lack of trained resources. It's not lack of the right toolset. It's lack of planning. Take a deep breath, and focus on planning. Let's plan for our projects and deliverables, and let's plan for that incident that is inevitable.

Speaking of planning, here is this methodology created by PMI ... PMI is the Project Management Institute, that institute that gives out PMP certifications. They have this methodology. Your organization might have its own. They might use the same one and call the phases something different. The idea is, you start a project with the initiation phase, where you create the project scope, project charter, put that in front of your executive team for blessing, funding. Then you move on to planning. You do your requirements gathering, identify stakeholders, and all that jazz. Then you execute the project, deliver on what you promised, you put some quality checks in the controlling phase, and finally, you close the project.

Jeff Klaben: I'm sure everybody follows the waterfall methodology for every project they roll out.

Surbhi Tugnawat: No, there is a contradiction here. You could do that, or you could do agile. You start with initiation, very informal initiation ... By the way, I'm deploying MFA in my organization. Then you have some tiny deliverables, and you iterate through those through your planning, execution, and controlling phases until you have delivered everything, and you close it. It doesn't matter if you follow waterfall or agile, the point is there are certain phases involved, and we would like you to think of security in every single phase of your project.

Jeff Klaben: This cyber kill chain, the question is, how early can we intervene to break that chain? Those seven steps. Can we stop it at the recon? Well, probably not. Maybe not even at the weaponization. Hopefully by the time that the installation is happening, and there's some dwell period, right, then at least we could detect things.

It's hard to emphasize the level of emotion that you will experience when you live through a breach. It's painful. I don't take security seriously. I hate that phrase. I take it personally. I live it. I'm invested. It affects my blood pressure. That's what it takes to be effective in these things. We need better approaches, and so let's mash these two ideas of intervening in the cyber kill chain into the way we deploy technology. Let's use the five steps of this project management phase, and figure out what we can do at each to intervene and use the mindset of the adversary through the framework of the cyber kill chain to protect ourselves more effectively.

These are interventions for the health of the organization. They're interventions not just to preach to the choir. Oh, I'm so tired, like all of us, I think, of just hearing how bad things are. Even Warren Buffett said that cyber security's a bigger threat now than nuclear war. Right, yes, of course we should be worried, but we're here to do something about it. We need to systematically infuse this adversary mindset into the way we roll out projects.

Surbhi Tugnawat: Let's see, as Jeff mentioned, we have five stages that you see on the right hand side. Let's talk about the initiation phase. Like I said, it's the very early start of your project. This is where you have not really created anything. There is no product, but you're just thinking about it. You have an idea, you have a scope, you have a charter. You are trying to figure out what can be added to it. What we're asking is that you think about security from the get-go.

This red thing is the cyber kill chain. This is the attackers' mentality. They are thinking of attacking you by doing reconnaissance. Why don't you try to know yourself? Try to understand where your high risk assets are. Then try to understand what is your minimum quality level for security and privacy. If you need 140-2 certified servers to deploy your service, you go after it, put that in the scope. If you want all your privileged users to do MFA, please, put that in your scope.

You can define your countermeasures, you can disrupt the exploit, you can prevent the adversaries' foothold just by doing your due diligence. Understand your industry. The Ponemon survey we talked about, how you can understand what are the common themes for your industry, use that, apply that in your planning, in your scoping. Try to understand what are the common vulnerabilities for your industry. Make sure that you have scoped out patches, and plan for those.

You can prevent dwelling of malicious content by ensuring that least privilege is deployed in your perimeter and internet facing services. You can disable persistent access by making sure that there is layered security defense for your project. Make sure whatever data your service or product is going to collect feeds into your SIEM, your logging and monitoring system.

Nice, thank you. Then you move on to the planning phase. This is the phase where you gather requirements, you identify stakeholders, you create a project plan, you create an architecture, and all those fancy things. In this phase, do your reconnaissance. Try to understand yourself by making sure your requirements also include your security and compliance requirements. Make sure your architecture reflects those requirements. Also, make sure your stakeholders know that they do have a role and responsibility here, so that when it hits the fan, everybody knows.

Now, you can define the countermeasures by doing your attack surface analysis and reviewing your architecture against those requirements that you have created, that hopefully include all your security requirements, too. In this phase, we are just gathering requirements, and our ask is, make sure your requirements contain all security features. For instance, you can disrupt delivery of exploits by making sure you have a requirement included for content inspection for malicious content. You can prevent the adversaries' foothold by making sure there is a response plan, it is well known, and there is a point where somebody is doing some tabletop exercise.

Prevent dwelling of malicious content by making sure you have a requirement to feed this data, again, into your SIEM system for some actionable threat intelligence there. You can disable the persistent access by, again, the same requirement, put your data where it can be acted upon.

You can detect and contain malicious activity by making sure things are documented, people's information and their roles and responsibilities are clear.

Jeff Klaben: Incidentally, I'm working a little more SRI tech into the conversation. Xylem is a game that we developed that helps to crowdsource solving formal methods types of problems. The image on the bottom left there is actually command-and-control, self-destroying hardware that we created, sensors that you can remotely destroy in the field.

A practical note on integrating with your SIEM, your security information and event management system. You can assume the happy path, right? That you're getting alerts, and everything is going to bubble up, and get filtered correctly, and you'll see the most important things. It's a good idea to trigger on any log feed failures, right? If you're not getting intel, you want to know about that right away. That's something you can do pretty quickly. It's a simple rule you can build, and alert on anything that's not feeding, because no news is bad news. We want the bad news as soon as we can get it.

Even if we have a period where we say, "Hey, this just looks too good to be true," we lost an opportunity, and that could be dwell time that we're not addressing.

When we move on to the project management execution phase, there are a number of different things that we can do. We can understand, of course, patch, understand the vulnerabilities. There is a discipline to that. We have to monitor those things. We can more specifically build detectors for weaponization. If we know that we're vulnerable, or we're particularly concerned because we've done our homework by industry, and these are the things we're more likely to be targeted with, and these are samples of weaponization methods, we can trigger an alert on those things, right? We just have to have a little intel, and we can monitor things much more precisely.

The cloud security approach that we take, we start thinking about here, because a lot of this is talking about how we secure our networks and systems. As soon as we put something into this abstract cloud environment, we think someone else is taking care of it. That's not always true. Again, first we're relying on the alerts. Secondly, there's a methodology to make sure that we've configured those environments, whether it's the infrastructure layer or the application layer, correctly. Surprisingly, folks tend not to go through any of that discipline.

I'm not going to talk through the whole method for how you lock down AWS or Office 365, because the vendors have already created a methodology and tools, and walk through that. The trick is, if we're not doing it, the breakdown is in planning. We actually have to have a project plan where we say, "We're going to fill out this darn questionnaire, and we're actually going to figure out what configuration changes I would make, and we're going to do it before it's live." By the time it's live, it's exposed, and they're there. The adversaries are ready now, and they will exploit things. You should feel a little nervous.

The collaboration component, the stakeholder component, again, is vital. The whole point of this is these are interventions that you can take to your project managers. Whatever tech is rolling out, if it's a web facing application, if it's a backend database tiered application model, these are things that we can systematically plan and say, "In this phase of the project, we should establish phase gates that we don't move forward until we address these things." You don't flip the switch on the cloud service until you've made your configuration decisions.

It seems obvious, but for some reason, we're not doing it today. Incidentally-

Surbhi Tugnawat: Oh, yeah. Sorry.

Jeff Klaben: This is Phil Porras, P-O-R-R-A-S. Look him up. I get to work with him. I got to co-invent some really intriguing things around Siri for the CISO, artificial intelligence augmentation of the security operations function. Something I'd love to come back and talk about another time. But this set of tools that we're building is dynamic. And they're dynamic because the landscape keeps changing. The adversaries keep evolving.

So there are no constant conditions in warfare, as Sun Tzu would say. So again, we step back and we think about reconnaissance and understanding ourselves and our exposure. You know, with a little effort, our adversaries understand us better than we understand ourselves. So here's another thing you can do. Look at any cached content anywhere it might be stored. What's sitting around on your test systems, on your test cloud instance? Oh, yeah, well, we're gonna clean that up. When? Is it in a project plan? If it's not written down, I don't believe your commitment to do it. All I believe is that you're gonna leave data lingering out there that exposes us, that exposes the organization, maybe forever.

Incidentally, on recon ... We did recon, right? We talked to Okta and said, which industries are gonna be most prominent in this session, right? So I would personally appreciate it if you actually gave us feedback. So if you can, fill out your feedback form. Did we hand those out? Because we want this thing to have an impact.

We're not here to just do a sort of marketing spiel. We want to prevent the adversary's foothold by thinking about correlation in more detail. Because I mentioned we want to track whether our logs are coming in effectively, whether there are any interruptions to that. Think about geolocation. Right, so I showed you the Deep Panda stuff, that Terracotta army, that's coming from a location. We've got Eastern European attackers. So think about our business model and where we'd have normal types of communications. Right? And we may want to disable certain things.

Under what conditions would you shut off the system that you're building or disable all internet access to it? Think about criticality. Not just of keeping it up, but under what pressure would you actually have to shut it off? Sony had to figure that out after the fact. And they were back to pen and paper operations for an extended period when they came under attack.

So, we can build a beautiful weapon, we can build a beautiful approach, and then we can let it stagnate and our sword will rust. So that comes from Sun Tzu again. Figure out where you can intervene on behalf of the health of your organization. Figure out where you can break the chain as early as possible and in multiple places. Just like layered defense, layered protection.

Here's your takeaway. Here's your little golden gem. What is it, 90 something, 95 percent of folks using cloud services do not have MFA enabled for administrative access to those. One little thing that has an immediate impact. Go back to your organizations, go back to the organizations you depend on in your supply chain, or even your clients, right, who are also vital to your ongoing organization's health. And get the MFA turned on. Come on. This is admin access. This is the keys to the kingdom. All kinds of data is out there.

So we make these improvements and then we have to make them sustainable. So part of that is change management discipline, asking questions about the implications of identity access management. As we make changes, understanding the architecture, writing it down if it's important, and figuring out how we keep our run books, our operational documentation up to date. 

I've given up on fancy Visios when it takes more time than it's worth. But a whiteboard and a camera, and inserting an image into a document so at least I remember what we agreed on or how things work. Super valuable. Be agile. The adversary's agile. They're not creating a Visio of their attack methodology. They're gaining just the right intel to make their intrusion. And then keep building these critical skills and capabilities, obviously. And part of that, I find, is teaching. So if you want to master a topic, and if any of you are interested in opportunities to teach or to give a guest lecture somewhere, feel free to chat with me afterwards, because I think that's one of the best ways to keep evolving. 

Surbhi Tugnawat: And I think I'll just add to that. There was a Gartner report. Don't remember when it came out. But it said that through 2021, 95 percent or somewhere ... I'm sorry. I'm not quoting exact numbers. It just came to me that they mentioned ... And you must have ... You must all know this already. The majority of the vulnerabilities exploited will be known to us for at least a year. So attacks are not much of a concern. They are a concern, but not that much. Known vulnerabilities have patches which are available and should be deployed. And if you're not doing that, then you're opening yourself up to that.

Jeff Klaben: Great. So that's the nuts and bolts. But again, back to this theme of beyond. What is beyond? Because folks love to come to these events we have at SRI, and the Department of Homeland Security sponsors them: how do we transition this government research into something that's gonna affect the commercial world? And so these are some of the things we do with our clients. So anything around building a security program; we're not a traditional security consultancy, but you need to have a strategic plan to actually unlock the opportunity of more advanced planning, strategy, R&D. And then, seeing that, we can start to invest in building trustworthy systems. Everyone's talking about blockchain. I'm more interested in blockchain forensics and verification. 

Right, so if people are going to use risky technology, how do we govern it effectively? We've got an amazing IoT security and privacy lab. Great research going on there. And even the foundations of computing itself. We're doing an extended research project with DARPA on rebuilding the foundations of computing. So this is a project in partnership with Cambridge University in the UK looking at why all these memory vulnerabilities are resident in our current system architecture and design. What if we can re-engineer compute from the ground up? Re-engineer internet and network from the ground up? And work is actually happening right now. And I think it's just on the cusp of being ready to transition. So if you're building products that depend on computer architecture and you're not aware of CHERI, you're already obsolete. 

Also interesting is the AI understandability problem. If you're touching, relying on, or building artificial intelligence, which really means machine learning. And if we say machine learning, we really mean deep learning. Right? If we're building systems that are black boxes, where we say, is this picture a picture of a puppy or a hotdog or whatever, and the answer is yes or no, and we cannot explain why, we've just introduced a very, very significant risk. This is, I think, the basis of what Elon Musk and others were freaking out about. And it's reason to be concerned. But there's a solution, and that's creating understandable systems. And that builds on natural language technology. 

So, using AI to augment security operations, these are the more advanced things that are on our bleeding edge right now. And things that I'll be talking about in the future. 

So if we bring it back to the big picture, right, we juxtaposed our attacker, the red side, and our blue defender, from the architecture in combination with planning things, making a commitment to make sure they happen. And a little philosophy. Because, again, if I hadn't said it before, we are under attack right now. You are under attack right now. You may be blissfully ignorant of it at the moment, but it's a current reality. You may be infiltrated at the moment, and so the warfare is a game that we're playing immediately. 

So I think taking these mindsets and working with your stakeholders in whichever combination makes the most sense to them, and infusing the cyber kill chain concepts into the way that project managers plan projects, is going to help you break the chain earlier. And that's our goal. 

Okay. Hey, we hit our time. 

Surbhi Tugnawat: Thank you. 

Jeff Klaben: I think we've just got a few minutes for questions. Who's got the first one? Yes sir. 

Speaker 1: Do you have more background on that exploit that MFA is part of it? 

Jeff Klaben: There's a few different exploits that we're aware of. But there's a couple of components. I'll speak to ... Maybe you can fill in the blanks.

Surbhi Tugnawat: Yes, absolutely. 

Jeff Klaben: So when you're rolling out MFA, the adversary will potentially attempt to enroll before even your users do. When they're sending out enrollment ... Especially at a time that there's change, you have to have communication so the users understand what's legitimate or not. So seeing a phishing attack that points a user to an enrollment page, or even a regular login page, that takes them to a different site. So whatever, acme organization dot Okta dot not-com. I can go reserve an Okta dot-web or some domain, right, and then point the users to that. So now we have to be worried about every possible ... And so you can use CASB, you can use application filtering if the user's on the network, to protect them from going to those dangerous sites. Is that the type of question you had?

Speaker 1: It was the one where apparently they somehow managed to get people to unenroll their MFA.

Surbhi Tugnawat: Right. So this was a phishing attempt, and that organization ... We have a theory that it was already breached. The communication was already seen. The phishing attempt that was sent looked exactly like the corporate email. So the adversaries were watching you. They were already, I think, in the weaponize phase of the cyber kill chain. That was just one example. The other thing we noticed is another example, another organization. As Jeff said, you're constantly being watched, and maybe you are being breached right now. Who knows. This organization rolls out MFA, again, Okta MFA. I don't know why I keep bringing up Okta MFA. But incidentally this was another example of Okta MFA: users started receiving the registration email and they can't register. Why? Because adversaries with their credentials have already done so. So they can't get ... They are not able to get on their apps for Okta Push, but they don't have Okta Verify enrolled yet, because somebody overnight did that. So now they have full control. MFA or no MFA. They got your password. They got your second factor. They're good. Adversaries are good. 

Jeff Klaben: By the way, it seems so obvious, but when you educate your users on multi-factor, you should tell them: if you ever get a second-factor prompt, if you use the Okta Verify app for example, if you ever get a prompt to log in and it's not at a time that you're logging in, it wasn't you, so do not approve it. I know it seems obvious, but you actually have to say these things. 

Also, we're aware of robocalls. Right, so if there is phone-based authentication or different types of phishing, voice-based phishing attacks, adversaries will use these robocalls and ask folks to perform certain actions. Reset their password, whatever else. It's automated. 

Speaker 1: Is there any literature that we can access about this?

Jeff Klaben: Oh, it's a good question. 

Surbhi Tugnawat: I wonder if they publicized?

Jeff Klaben: Actually the ... I recommend the FBI flash reports. 

Surbhi Tugnawat: That should do it, yes. 

Jeff Klaben: Yeah, so they have different levels of shareability. When it says TLP Level White, that means it's for public dissemination. So you can search for FBI Flash TLP White and, as Surbhi mentioned, there's a few different cases that we discussed today. So Dragonfly, I think they wrote up on. The ... Which is the Eastern European targeting, the Mabna Institute. 

Surbhi Tugnawat: Mabna Institute. 

Jeff Klaben: Based out of Iran. And there's a few other good examples. But, yeah, if you don't have a relationship with law enforcement, the FBI has a very diligent, experienced team there. And one of the best ways to form that relationship is through the InfraGard Program, which is spelled I-N-F-R-A-G-A-R-D. All it's missing is U. And that's a good way to sort of get more of this type of information. 

Speaker 1: Thanks.

Jeff Klaben: Sure thing. Any other questions? You guys are all busy filling out your feedback forms right now. Okay. I think we're in good shape. Thank you so much for your attention.

Alright folks, it's time to change your infosec project planning assumptions. Now that the hypothetical cyberattack has evolved into a daily reality, we also need to rethink how we roll out new security capabilities. Your peers at SRI International are keen to share recommended practices to consider during and after deployment to keep attackers at bay. This session will highlight evolving attack techniques and corresponding risk management strategies. Examples will include efficient methods to reduce attack surface during deployment, build critical skills, validate your cloud service implementation, and leverage identity intelligence for threat detection and response.
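The two identity failure modes raised in the Q&A above, an adversary enrolling the second factor with a stolen password before the real user gets to, and a user being hit with push prompts they did not initiate, both leave traces in an identity provider's log. The following is an added example written for this page, not code from SRI, Okta, or any vendor: it runs two detections over a constructed sample log. The event names (`user.session.start`, `user.mfa.factor.activate`, `user.mfa.push.verify`), the field layout, the IP addresses, and the user names are all assumptions modelled loosely on an IdP system log rather than any product's real schema, so map them to your own log source before use.

```python
"""Flag suspicious MFA lifecycle events in an identity-provider log.

Added example for this page, not SRI's or any vendor's tooling. The schema
(fields ts, user, event, ip, outcome) and the event names are assumptions
loosely modelled on an IdP system log, not a real product API. The sample
events below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. alice: stolen password used from a new IP, which then
# enrolls the factor; the real alice later fails to enroll from her usual IP.
# bob: repeated push prompts he denies, then one he approves (push fatigue).
# carol: benign enrollment from an address with weeks of login history.
SAMPLE_EVENTS = [
    {"ts": "2018-04-25T08:00:00", "user": "alice", "event": "user.session.start", "ip": "203.0.113.10", "outcome": "SUCCESS"},
    {"ts": "2018-04-26T08:05:00", "user": "alice", "event": "user.session.start", "ip": "203.0.113.10", "outcome": "SUCCESS"},
    {"ts": "2018-05-02T02:13:00", "user": "alice", "event": "user.session.start", "ip": "198.51.100.7", "outcome": "SUCCESS"},
    {"ts": "2018-05-02T02:14:30", "user": "alice", "event": "user.mfa.factor.activate", "ip": "198.51.100.7", "outcome": "SUCCESS"},
    {"ts": "2018-05-02T09:00:00", "user": "alice", "event": "user.mfa.factor.activate", "ip": "203.0.113.10", "outcome": "FAILURE"},
    {"ts": "2018-05-03T11:00:00", "user": "bob", "event": "user.mfa.push.verify", "ip": "192.0.2.5", "outcome": "DENY"},
    {"ts": "2018-05-03T11:00:40", "user": "bob", "event": "user.mfa.push.verify", "ip": "192.0.2.5", "outcome": "DENY"},
    {"ts": "2018-05-03T11:01:20", "user": "bob", "event": "user.mfa.push.verify", "ip": "192.0.2.5", "outcome": "DENY"},
    {"ts": "2018-05-03T11:02:00", "user": "bob", "event": "user.mfa.push.verify", "ip": "192.0.2.5", "outcome": "SUCCESS"},
    {"ts": "2018-04-20T10:00:00", "user": "carol", "event": "user.session.start", "ip": "203.0.113.44", "outcome": "SUCCESS"},
    {"ts": "2018-05-04T10:00:00", "user": "carol", "event": "user.mfa.factor.activate", "ip": "203.0.113.44", "outcome": "SUCCESS"},
]


def _parse(events):
    """Copy events with ts as datetime, sorted chronologically."""
    out = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        out.append(e)
    return sorted(out, key=lambda e: e["ts"])


def suspicious_enrollments(events, new_ip_window=timedelta(hours=24)):
    """Return (user, ts, ip, reason) tuples for factor enrollments worth a look.

    Rule 1: a successful enrollment from an IP whose first successful login for
    that user is less than new_ip_window old (or absent), while the user has
    older login history from other addresses. A brand-new address that enrolls
    minutes after its first login looks like a stolen password being completed.
    Rule 2: a failed enrollment by a user whose factor is already enrolled from a
    different IP: the legitimate owner is locked out of their own second factor.
    """
    first_login = defaultdict(dict)  # user -> ip -> first successful login ts
    enrolled = {}                    # user -> (ts, ip) of last successful enrollment
    findings = []
    for e in _parse(events):
        u, ip, ts = e["user"], e["ip"], e["ts"]
        if e["event"] == "user.session.start" and e["outcome"] == "SUCCESS":
            first_login[u].setdefault(ip, ts)
        elif e["event"] == "user.mfa.factor.activate":
            if e["outcome"] == "SUCCESS":
                seen = first_login[u].get(ip)
                older_history = any(t < ts - new_ip_window for t in first_login[u].values())
                if older_history and (seen is None or ts - seen < new_ip_window):
                    findings.append((u, ts, ip, "enrollment from new IP"))
                enrolled[u] = (ts, ip)
            elif u in enrolled and enrolled[u][1] != ip:
                findings.append((u, ts, ip, "enrollment failed; factor already enrolled from " + enrolled[u][1]))
    return findings


def push_fatigue(events, min_denials=2, window=timedelta(minutes=10)):
    """Return (user, ip, denials, approved_after) for users who denied at least
    min_denials push prompts inside `window`. Each prompt was triggered by a
    correct password, so the password is already in the adversary's hands; an
    approval right after the denials means the user gave in."""
    by_user = defaultdict(list)
    for e in _parse(events):
        if e["event"] == "user.mfa.push.verify":
            by_user[e["user"]].append(e)
    findings = []
    for u, es in by_user.items():
        denials = [e for e in es if e["outcome"] == "DENY"]
        for i, d in enumerate(denials):
            run = [x for x in denials[i:] if x["ts"] - d["ts"] <= window]
            if len(run) >= min_denials:
                last = run[-1]["ts"]
                approved = any(e["outcome"] == "SUCCESS" and last <= e["ts"] <= last + window for e in es)
                findings.append((u, d["ip"], len(run), approved))
                break
    return findings


if __name__ == "__main__":
    for finding in suspicious_enrollments(SAMPLE_EVENTS) + push_fatigue(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 deliberately stays quiet for users with no login history at all, because during a rollout legitimate first-time users also enroll on their first login; the new-IP signal only means something once a user has an established footprint. The failed-enrollment rule is the cheap corroboration: a help-desk ticket saying "I can't register" from someone the log says already registered overnight is exactly the case described in the talk, and should be handled as an account takeover, not a support question.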