Threat Intelligence

2/23/2021
05:50 PM
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel

Also on Krebs' radar: the cyber-response to COVID-19 and intelligence-sharing between private and public sectors.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), which has historically given its critical infrastructure partners and federal civilian agencies the data and capabilities they need to defend themselves, is now "the nation's risk adviser," said former director Chris Krebs in a keynote talk today at Check Point's CPX 360 conference.
As director, Krebs was tasked with ensuring CISA understood the risk landscape as fully as possible and provided the right information, resources, and tools to partners so they could make their own risk management decisions. Among federal civilian agencies, 101 separate agencies are responsible for their own risk management decisions, just as organizations in the private sector and critical infrastructure are.

At the virtual conference, Krebs explained how CISA approached the world through the lens of the risk formula: risk equals threat times vulnerability times consequence, "with a little bit of likelihood dashed on top," he noted.

"The importance of this risk formula, as we saw it, was that it did not just focus on threat actors but included vulnerabilities in the software, services, and systems that we used on a daily basis, as well as the potential consequences of a successful attack on any of these key systems or our nation's infrastructure," Krebs continued.

Over time, it became clear that attackers were focused on civilian agencies, military and intelligence-related agencies, and critical infrastructure. Their capabilities ranged from opportunistic scanning for unpatched systems and VPNs to advanced, patient, and strategic intrusions, such as the supply chain attack tied to SolarWinds.

That said, it's important to realize the average user, and the average organization, may not notice these sophisticated and capable nation-state actors when they arrive because they're "probably not waving their nations' flags," as Krebs put it. However, some cybercriminals and ransomware gangs make their presence known "in a very visible and damaging way."

Given this, from 2018 into 2020, CISA and its partners "dramatically reshaped" the way they engage with their stakeholders to diversify the range of threats they're concerned about.

"It's not just about the state actors, but also about the more disruptive and destructive attacks that could undermine the functions that support our economy," he explained.

This mentality manifested in CISA's approach to election security, which was based on threat modeling. Leading up to the 2020 election, Krebs said, CISA spent three-and-a-half years thinking through scenarios in which a capable and determined attacker could disrupt the election. They engaged with stakeholders early so they could secure their systems and ensure nobody could spark disruption using ransomware or other forms of malware.

"We had a wealth of understanding, a wealth of planning behind us, that we then flipped around and deconstructed to help inform our defensive strategies," Krebs explained. The threat-modeling approach helped inform the investment practices of state election officials, and helped Congress understand which resources to share with state and local election communities.

Officials began to consider other applications for the threat-modeling approach. Nearly a year ago, they used it again as the COVID-19 pandemic began to take hold.

"As COVID spread across the country and across the globe, the vulnerabilities and consequence space … in that risk formula dramatically shifted," Krebs said. They had to sort through which threats were targeting hospitals and healthcare facilities, and it didn't take long to determine that healthcare had been a prime ransomware target for at least three years prior to COVID.

Once again, it was time to engage with partners across the healthcare industry, the healthcare ISAC, and share best practices on how to secure against ransomware. As COVID-19 changed the role and operations of healthcare facilities, they had to rapidly shift in response. The key, he said, was flexibility, agility, and being constantly aware of the shifting dynamics in the space.

"It's just another example of how threat modeling, of how constantly evaluating both your internal and your external conditions, can put you in a position to be more effective in your response to any sort of threat actor," Krebs noted.

Public-Private Cooperation Is a Must-Have
Going forward, Krebs emphasized the importance of CISA's collaboration with the private sector and other parts of government to create a more unified and coordinated response, especially as cyberthreats grow more advanced.

"If the recent supply chain compromise teaches us anything, it's that there [is] a set of very critical, systemically important enterprise software and services that we don't fully understand how they fit into the economy, how they fit into enterprises writ large," he said.

The public and private sectors must understand where these systemically important companies are and how they fit into the systems we use daily, and then bring all parties together. This goes beyond sharing indicators of compromise (IOCs), he noted; it is far more advanced and concerned with where adversaries are going. In the run-up to the 2020 election, the Department of Defense and Cyber Command deployed teams to allies in Europe to learn where cyberattackers operate.

"Not only did they pick up IOCs, but they also picked up intelligence on how and where cyber actors were going – what sorts of networks, what sorts of targets they were looking at," he added. This informed the country's ability to partner with election officials.

No single organization will succeed by making decisions on imperfect information alone. Operational partnerships in which organizations come together, share risk information, and coordinate on joint collaborative defense operations – "that's going to be the key to success going forward," Krebs said.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...