Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel

Also on Krebs' radar: the cyber-response to COVID-19 and intelligence-sharing between private and public sectors.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), which has historically given its critical infrastructure partners and federal civilian agencies the data and capabilities they need to defend themselves, is now "the nation's risk adviser," said former director Chris Krebs in a keynote talk today at Check Point's CPX 360 conference.


As director, Krebs was tasked with ensuring CISA understood the risk landscape as much as possible, and provided the right information, resources, and tools to partners so they could make risk management decisions. In the world of federal civilian agencies, 101 are responsible for their own risk management decisions, just as in the private sector or infrastructure space. 

At the virtual conference, Krebs explained how CISA approached the world through the lens of the risk formula: risk equals threat times vulnerability times consequence – "with a little bit of likelihood dashed on top," he noted. 

"The importance of this risk formula, as we saw it, was that it did not just focus on threat actors but included vulnerabilities in the software, services, and systems that we used on a daily basis, as well as the potential consequences of a successful attack on any of these key systems or our nation's infrastructure," Krebs continued.

Over time, it became clear that attackers were focused on civilian agencies, military and intelligence-related agencies, and critical infrastructure. Their capabilities ranged from opportunistic scanning for unpatched systems and VPNs to advanced, patient, and strategic intrusions, such as the supply chain attack tied to SolarWinds.

That said, it's important to realize the average user, and the average organization, may not notice these sophisticated and capable nation-state actors when they arrive because they're "probably not waving their nations' flags," as Krebs put it. However, some cybercriminals and ransomware gangs make their presence known "in a very visible and damaging way." 

Given this, from 2018 into 2020, CISA and its partners "dramatically reshaped" the way they engage with their stakeholders to diversify the range of threats they're concerned about.

"It's not just about the state actors, but also about the more disruptive and destructive attacks that could undermine the functions that support our economy," he explained.

This mentality manifested in CISA's approach to election security, which was based on threat modeling. Leading up to the 2020 election, Krebs said, CISA spent three-and-a-half years thinking through scenarios in which a capable and determined attacker could disrupt the election. They engaged with stakeholders early so they could secure their systems and ensure nobody could spark disruption using ransomware or other forms of malware.

"We had a wealth of understanding, a wealth of planning behind us, that we then flipped around and deconstructed to help inform our defensive strategies," Krebs explained. The threat-modeling approach helped inform the investment practices of state election officials, and helped Congress understand which resources to share with state and local election communities.

Officials began to consider other applications for the threat-modeling approach. Nearly a year ago, they used it again as the COVID-19 pandemic began to take hold. 

"As COVID spread across the country and across the globe, the vulnerabilities and consequence space … in that risk formula dramatically shifted," Krebs said. They had to sort through which threats were targeting hospitals and healthcare facilities, and it didn't take long to determine that healthcare had been a prime ransomware target for at least three years prior to COVID.

Once again, it was time to engage with partners across the healthcare industry, the healthcare ISAC, and share best practices on how to secure against ransomware. As COVID-19 changed the role and operations of healthcare facilities, they had to rapidly shift in response. The key, he said, was flexibility, agility, and being constantly aware of the shifting dynamics in the space.

"It's just another example of how threat modeling, of how constantly evaluating both your internal and your external conditions, can put you in a position to be more effective in your response to any sort of threat actor," Krebs noted.

Public-Private Cooperation Is a Must-Have
Going forward, Krebs emphasized the importance of CISA's collaboration with the private sector and other aspects of government to create a more unified and coordinated response, especially as cyberthreats grow more advanced. 

"If the recent supply chain compromise teaches us anything, it's that there [is] a set of very critical, systemically important enterprise software and services that we don't fully understand how they fit into the economy, how they fit into enterprises writ large," he said.

The public and private sectors must understand where these systemically important companies are and how they fit into the systems we use daily, and then bring all parties together. This goes beyond sharing indicators of compromise, he noted; it is more advanced, and more about where adversaries are going. In the run-up to the 2020 election, the Department of Defense and Cyber Command deployed teams to allies in Europe to learn where cyberattackers operate.

"Not only did they pick up IOCs, but they also picked up intelligence on how and where cyber actors were going – what sorts of networks, what sorts of targets they were looking at," he added. This informed the country's ability to partner with election officials. 

No single organization will succeed by making decisions on imperfect information alone. Operational partnerships in which organizations come together, share risk information, and coordinate on joint collaborative defense operations – "that's going to be the key to success going forward," Krebs said.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
