
2/23/2021
05:50 PM

Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel

Also on Krebs' radar: the cyber-response to COVID-19 and intelligence-sharing between private and public sectors.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), which has historically been responsible for giving its critical infrastructure partners and federal civilian agencies the data and capabilities they need to defend themselves, is now "the nation's risk adviser," former director Chris Krebs said in a keynote talk today at Check Point's CPX 360 conference.

As director, Krebs was tasked with ensuring CISA understood the risk landscape as thoroughly as possible and provided partners with the right information, resources, and tools to make their own risk management decisions. Across the federal civilian executive branch, 101 agencies are each responsible for their own risk management decisions, just as organizations in the private sector and critical infrastructure are.

At the virtual conference, Krebs explained how CISA approached the world through the lens of the risk formula: risk equals threat times vulnerability times consequence – "with a little bit of likelihood dashed on top," he noted. 

"The importance of this risk formula, as we saw it, was that it did not just focus on threat actors but included vulnerabilities in the software, services, and systems that we used on a daily basis, as well as the potential consequences of a successful attack on any of these key systems or our nation's infrastructure," Krebs continued.
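As an added illustration (not from the article, from Krebs, or from CISA), the following Python applies the risk formula to a small constructed asset inventory and shows how a change in the consequence term alone re-orders priorities, the kind of shift Krebs describes for healthcare once COVID-19 took hold. The asset names, the scores, and the treatment of "likelihood" as a 0-to-1 multiplier on the product are assumptions made for the example.

```python
"""Risk = threat x vulnerability x consequence, scaled by likelihood.

Added example, not code from the article or from CISA. The inventory
and every score below are constructed to illustrate re-prioritisation;
they are not real assessments of any system.
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    threat: float          # 0..1: observed adversary interest and capability
    vulnerability: float   # 0..1: exposure (unpatched, internet-facing, ...)
    consequence: float     # 0..1: impact if the asset is compromised
    likelihood: float = 1.0  # 0..1: assumption: the factor "dashed on top"


def risk_score(asset: Asset) -> float:
    """Multiplicative risk score; rejects factors outside the 0..1 range."""
    for label, value in (("threat", asset.threat),
                         ("vulnerability", asset.vulnerability),
                         ("consequence", asset.consequence),
                         ("likelihood", asset.likelihood)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{asset.name}: {label}={value} is outside 0..1")
    return asset.threat * asset.vulnerability * asset.consequence * asset.likelihood


def rank(assets: List[Asset]) -> List[Asset]:
    """Highest risk first, so the top of the list is where to spend effort."""
    return sorted(assets, key=risk_score, reverse=True)


def ranked_names(assets: List[Asset]) -> List[str]:
    return [a.name for a in rank(assets)]


def reweight_consequence(assets: List[Asset],
                         multipliers: Dict[str, float]) -> List[Asset]:
    """Return a new inventory with consequence scaled per asset, capped at 1.0.

    Models an external event (a pandemic, an election) that changes what a
    successful attack would cost without changing threat or exposure.
    """
    return [
        replace(a, consequence=min(1.0, a.consequence * multipliers.get(a.name, 1.0)))
        for a in assets
    ]


# Constructed sample inventory (hypothetical names and scores).
INVENTORY = [
    Asset("hospital-ehr", threat=0.7, vulnerability=0.5, consequence=0.5),
    Asset("vpn-gateway", threat=0.9, vulnerability=0.7, consequence=0.5),
    Asset("election-night-reporting", threat=0.7, vulnerability=0.3, consequence=0.9),
    Asset("marketing-site", threat=0.4, vulnerability=0.8, consequence=0.1),
]


if __name__ == "__main__":
    print("baseline:", ranked_names(INVENTORY))
    # Pandemic scenario: a hospital outage now costs far more; nothing else changed.
    shifted = reweight_consequence(INVENTORY, {"hospital-ehr": 2.0})
    print("consequence shifted:", ranked_names(shifted))
```

Note that the internet-facing VPN gateway tops the baseline list, which matches the opportunistic scanning Krebs describes, while doubling only the hospital's consequence term moves it to the top without any new vulnerability or threat data. That is the point of keeping all three terms in the formula rather than ranking on threat alone.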

Over time, it became clear that attackers were focused on civilian agencies, military and intelligence-related agencies, and critical infrastructure. Their capabilities ranged from opportunistic scanning for unpatched systems and exposed VPNs to advanced, patient, and strategic intrusions such as the supply chain attack tied to SolarWinds.

That said, it's important to realize the average user, and the average organization, may not notice these sophisticated and capable nation-state actors when they arrive because they're "probably not waving their nations' flags," as Krebs put it. However, some cybercriminals and ransomware gangs make their presence known "in a very visible and damaging way." 

Given this, from 2018 into 2020, CISA and its partners "dramatically reshaped" the way they engage with their stakeholders to diversify the range of threats they're concerned about.

"It's not just about the state actors, but also about the more disruptive and destructive attacks that could undermine the functions that support our economy," he explained.

This mentality manifested in CISA's approach to election security, which was based on threat modeling. Leading up to the 2020 election, Krebs said, CISA spent three-and-a-half years thinking through scenarios in which a capable and determined attacker could disrupt the election. They engaged with stakeholders early so they could secure their systems and ensure nobody could spark disruption using ransomware or other forms of malware.

"We had a wealth of understanding, a wealth of planning behind us, that we then flipped around and deconstructed to help inform our defensive strategies," Krebs explained. The threat-modeling approach helped inform the investment practices of state election officials, and helped Congress understand which resources to share with state and local election communities.

Officials began to consider other applications for the threat-modeling approach. Nearly a year ago, they used it again as the COVID-19 pandemic began to take hold. 

"As COVID spread across the country and across the globe, the vulnerabilities and consequence space … in that risk formula dramatically shifted," Krebs said. They had to sort through which threats were targeting hospitals and healthcare facilities, and it didn't take long to determine that healthcare had been a prime ransomware target for at least three years prior to COVID.

Once again, it was time to engage with partners across the healthcare industry and the healthcare ISAC and share best practices on securing against ransomware. As COVID-19 changed the role and operations of healthcare facilities, CISA and its partners had to shift rapidly in response. The key, he said, was flexibility, agility, and constant awareness of the shifting dynamics in the space.

"It's just another example of how threat modeling, of how constantly evaluating both your internal and your external conditions, can put you in a position to be more effective in your response to any sort of threat actor," Krebs noted.

Public-Private Cooperation Is a Must-Have

Going forward, Krebs emphasized the importance of CISA's collaboration with the private sector and other parts of government to create a more unified and coordinated response, especially as cyberthreats grow more advanced.

"If the recent supply chain compromise teaches us anything, it's that there [is] a set of very critical, systemically important enterprise software and services that we don't fully understand how they fit into the economy, how they fit into enterprises writ large," he said.

The public and private sectors must identify these systemically important companies, understand how they fit into the systems we use daily, and bring all parties together. This goes beyond sharing indicators of compromise, he noted; it is about understanding where adversaries are going next. In the run-up to the 2020 election, the Department of Defense and Cyber Command deployed teams to allies in Europe to learn where cyberattackers were operating.

"Not only did they pick up IOCs, but they also picked up intelligence on how and where cyber actors were going – what sorts of networks, what sorts of targets they were looking at," he added. This informed the country's ability to partner with election officials. 

No single organization will succeed by making decisions on its own imperfect information. Operational partnerships in which organizations come together, share risk information, and coordinate on joint collaborative defense operations – "that's going to be the key to success going forward," Krebs said.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...